Make Users API rate limits configurable
Related to #458978 (closed)
What does this MR do and why?
It makes the Users API rate limits configurable on GitLab Self-Managed, keyed on the:
- user, if the request is authenticated
- IP address, if the request is unauthenticated

It allows customers to change or disable the new default rate limits in GitLab 17.10, before they are enabled by default in 18.0:
| Endpoint | Requests per minute limit |
|---|---|
| GET /users/:id/followers | 100 |
| GET /users/:id/following | 100 |
| GET /users/:user_id/status | 240 |
| GET /users/:user_id/keys | 120 |
| GET /users/:id/keys/:key_id | 120 |
| GET /users/:id/gpg_keys | 120 |
| GET /users/:id/gpg_keys/:key_id | 120 |
Screenshots or screen recordings
Screenshots are required for UI changes, and strongly recommended for all other merge requests.
How to set up and validate locally
- Check out this MR's branch
- Follow these steps to configure the Users API rate limits
- Turn on the feature flag so the configured rate limits are applied. Run this in your terminal:

```shell
gdk rails console
```

Then, in the Rails console:

```ruby
Feature.enable(:rate_limiting_user_endpoints)
```

- Test the rate limits. Example: change the `GET /users/:id/status` limit to 3. Run the following curl request repeatedly and verify that it returns a 429 response code after 3 requests:

```shell
curl --request GET "https://gdk.test:3443/api/v4/users/2/status"
```
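As an added example (not part of this MR), a small POSIX shell helper that automates the check above: it repeats the request and reports which attempt is the first to be answered with 429, so a limit of 3 should yield 429 on request 4. It assumes the GDK URL from the step above, that GDK's HTTPS certificate is self-signed (hence `--insecure`), and that an optional token is passed via the `PRIVATE-TOKEN` header to exercise the per-user rather than the per-IP limit.

```shell
#!/bin/sh
# Added example, not code from the MR. Assumes a GDK instance reachable at
# https://gdk.test:3443 with a self-signed certificate (--insecure).

# first_429 URL REQUESTS [TOKEN]
# Sends up to REQUESTS requests and prints the 1-based index of the first
# request answered with HTTP 429, or 0 if every response was something else.
first_429() {
  url=$1
  requests=$2
  token=${3:-}
  i=1
  while [ "$i" -le "$requests" ]; do
    if [ -n "$token" ]; then
      # Authenticated: the limit is tracked per user.
      code=$(curl --insecure -s -o /dev/null -w '%{http_code}' \
                  --header "PRIVATE-TOKEN: $token" "$url")
    else
      # Unauthenticated: the limit is tracked per source IP address.
      code=$(curl --insecure -s -o /dev/null -w '%{http_code}' "$url")
    fi
    if [ "$code" = "429" ]; then
      echo "$i"
      return 0
    fi
    i=$((i + 1))
  done
  echo 0
}

# check_limit URL LIMIT [TOKEN]
# Succeeds (exit 0) only when the first 429 lands exactly on request LIMIT+1:
# earlier means the window was already partly consumed, later or never means
# the configured limit is not being enforced.
check_limit() {
  expected=$(($2 + 1))
  hit=$(first_429 "$1" "$expected" "${3:-}")
  [ "$hit" -eq "$expected" ]
}

# Usage, with the status limit set to 3 as in the validation step:
#   check_limit "https://gdk.test:3443/api/v4/users/2/status" 3 && echo "limit enforced"
```

Wait a full minute between runs, since the limit is a per-minute window and a second run inside the same window will see the 429 earlier than expected.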
MR acceptance checklist
Please evaluate this MR against the MR acceptance checklist. It helps you analyze changes to reduce risks in quality, performance, reliability, security, and maintainability.
Edited by Hakeem Abdul-Razak