Open james-skelton opened 2 years ago
I tested out using an Nginx proxy to a FastAPI server using SlowAPI. With the default settings, the IP address passed on to the FastAPI server is 127.0.0.1. Consequently, under default settings, the rate limiting applies collectively to all users (undesirable behaviour).
I'm figuring out how to modify this for an Nginx server, but we'll need to figure out how to address this for Apache2.
An alternative to having the rate limiting in the app is to set it in the Nginx config -- this is more of a "blunt instrument" than we could perhaps achieve with SlowAPI.
EDIT: Adding the following code to the server block in Nginx seemed to make the original IP address available to SlowAPI via Nginx:
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
Next question is to figure out the rate limits to set. At first, I think a blanket 10 requests/second is sufficient, but we may wish to have a different rate for analysis tasks further down the line. These limits should be set in the configuration file.
EDIT:
Tested out how SlowAPI limits work with one another.
Limiter.shared_limit decorator. Separate shared limits can be given to different sets of routes by setting a scope as a parameter to the decorator. It seems that the rate AND the scope must be identical for two routes to share a limit.
5/minute;9/hour)
To-do:
Added first pass at limiting -- this can be switched on in the config file using the api.rate_limiting_enabled variable (boolean). The rate limit can be set using the api.rate_limit variable (string). This string should be a value compatible with slowapi (e.g., "5/minute").
At present, there is no implementation for rate limiting specific routes.
SlowAPI is probably the solution (rate limiting for FastAPI), but need to check whether there are any considerations we need to have (e.g., behind an Nginx or Apache reverse proxy).
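Added example (not part of the issue or the project's code): one way to choose the per-client rate-limit key behind the Nginx headers shown above, trusting X-Real-IP and X-Forwarded-For only when the connection comes from the proxy itself. The names `client_ip`, `rate_limit_key` and `TRUSTED_PROXIES` are hypothetical, and it assumes Nginx runs on the same host as the app.

```python
import ipaddress
from types import SimpleNamespace

# Assumption: only Nginx on the same host connects to the app, as in the
# issue above, where the app saw every request coming from 127.0.0.1.
TRUSTED_PROXIES = [ipaddress.ip_network(n) for n in ("127.0.0.0/8", "::1/128")]

def _parse(value):
    """Return an ip_address object, or None if the text is not a valid IP."""
    try:
        return ipaddress.ip_address(value.strip())
    except ValueError:
        return None

def _is_trusted(ip):
    return ip is not None and any(ip in net for net in TRUSTED_PROXIES)

def client_ip(peer, headers):
    """Pick the address to rate-limit on (hypothetical helper).

    peer is the TCP peer address; headers maps lower-case names to values.
    """
    if not _is_trusted(_parse(peer)):
        # Not from the proxy: forwarding headers are client-supplied, ignore.
        return peer
    # X-Real-IP is overwritten by Nginx with $remote_addr.
    real = _parse(headers.get("x-real-ip", ""))
    if real is not None:
        return str(real)
    # $proxy_add_x_forwarded_for appends $remote_addr to whatever the client
    # sent, so only the right-most non-proxy entry was written by Nginx.
    for hop in reversed(headers.get("x-forwarded-for", "").split(",")):
        ip = _parse(hop)
        if ip is not None and not _is_trusted(ip):
            return str(ip)
    return peer

def rate_limit_key(request):
    """Key function shape: takes the request, returns the limiter key."""
    return client_ip(request.client.host, request.headers)

# Constructed sample: a request relayed by Nginx with a forged first XFF entry.
sample = SimpleNamespace(
    client=SimpleNamespace(host="127.0.0.1"),
    headers={"x-forwarded-for": "10.9.9.9, 198.51.100.7"},
)
print(rate_limit_key(sample))
```

With SlowAPI, a function of this shape is passed as `Limiter(key_func=rate_limit_key)`; Starlette's request headers are already case-insensitive, so the lower-case lookups work unchanged.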