fossasia / open-event-server

The Open Event Organizer Server to Manage Events https://test-api.eventyay.com
https://api.eventyay.com
GNU General Public License v3.0

Implement rate limiter on all endpoints to prevent misuse #6037

Open shreyanshdwivedi opened 5 years ago

shreyanshdwivedi commented 5 years ago

Is your feature request related to a problem? Please describe.

Currently, there is no limiting factor on endpoints. Anyone can make a script and misuse it.

Describe the solution you'd like

https://flask-limiter.readthedocs.io/en/stable/

Additional context

https://github.com/fossasia/open-event-server/issues/6033 https://github.com/fossasia/open-event-server/issues/6033#issuecomment-501289551

iamareebjamal commented 5 years ago

Please implement rate limiting with user ID as key and fallback to IP for only unauthenticated users. I used to think this naive way of rate limiting is very easy until users of my college started to get limited despite working from different computers. Because computers behind universities and companies sit behind a proxy which does Network Address Translation and maps internal IPs to a set of external IPs, blocking an IP would mean blocking the entire university and office. You would have implemented a denial of service for those users.
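
The keying scheme described in this comment, as an added example that is not code from the open-event-server project: a small in-memory sliding-window limiter with two key functions, one that keys on the authenticated user ID and falls back to the client IP only for anonymous requests, and the naive IP-only key for contrast. `Request` is a hypothetical stand-in for a Flask request carrying a server-verified user ID; with Flask-Limiter the same key function would be passed as its `key_func`. The limiter itself is a simplified illustration, not Flask-Limiter's storage.

```python
"""Rate-limit keying: user ID first, IP only for unauthenticated clients.

Added illustration; `Request`, the key functions and the limiter are
assumptions for this example, not project code.
"""
import time
from collections import deque
from dataclasses import dataclass
from typing import Callable, Deque, Dict, List, Optional


@dataclass
class Request:
    remote_addr: str               # client IP as the server sees it (post-NAT)
    user_id: Optional[int] = None  # None means unauthenticated


def key_by_user_then_ip(req: Request) -> str:
    """Per-user bucket when authenticated, per-IP bucket otherwise.

    `user_id` must come from a verified session or token, never from a
    client-supplied header, or a client could pick its own bucket.
    """
    if req.user_id is not None:
        return f"user:{req.user_id}"
    return f"ip:{req.remote_addr}"


def key_by_ip_only(req: Request) -> str:
    """The naive scheme: everyone behind one NAT shares a single bucket."""
    return f"ip:{req.remote_addr}"


class SlidingWindowLimiter:
    """Allows at most `limit` hits per key in any `window_seconds` span."""

    def __init__(self, limit: int, window_seconds: float,
                 clock: Callable[[], float] = time.monotonic) -> None:
        self.limit = limit
        self.window = window_seconds
        self.clock = clock
        self._hits: Dict[str, Deque[float]] = {}

    def allow(self, key: str) -> bool:
        now = self.clock()
        hits = self._hits.setdefault(key, deque())
        # Drop timestamps that have aged out of the window.
        while hits and now - hits[0] >= self.window:
            hits.popleft()
        if len(hits) >= self.limit:
            return False          # rejected hits are not recorded
        hits.append(now)
        return True


def simulate_shared_nat(key_func: Callable[[Request], str],
                        limit: int = 3) -> Dict[str, object]:
    """Three logged-in users and one anonymous client behind one NAT IP.

    Constructed scenario with a fake clock so results are deterministic.
    Each user makes `limit` requests; the anonymous client makes one too many.
    """
    now = [0.0]
    limiter = SlidingWindowLimiter(limit, 60.0, clock=lambda: now[0])
    decisions: Dict[str, object] = {}
    shared_ip = "203.0.113.7"  # documentation-range address, constructed
    for uid in (1, 2, 3):
        req = Request(shared_ip, user_id=uid)
        decisions[f"user{uid}"] = [limiter.allow(key_func(req)) for _ in range(limit)]
    anon = Request(shared_ip)
    decisions["anon"] = [limiter.allow(key_func(anon)) for _ in range(limit + 1)]
    now[0] += 61.0  # let the window expire
    decisions["anon_after_window"] = limiter.allow(key_func(anon))
    return decisions


if __name__ == "__main__":
    print("user-then-ip:", simulate_shared_nat(key_by_user_then_ip))
    print("ip-only:     ", simulate_shared_nat(key_by_ip_only))
```

With the user-first key, every authenticated user behind the NAT gets a full allowance of their own and only the anonymous client trips the limit on its fourth request; with the IP-only key, the first user's three requests exhaust the shared bucket and users 2 and 3 are refused before they send anything. The fallback to IP keeps a floor on anonymous abuse without collapsing a whole campus into one bucket.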

shreyanshdwivedi commented 5 years ago

I agree with your concern. I'm currently reading the docs and will keep it in mind.

iamareebjamal commented 5 years ago

Also, this'll work for app.route.

Also see what can be done for jsonapi controllers.