{Token, User}-dependent rate limit control

[brunolnetto]

Describe the bug
This is not a bug description. In fact, I would like to know if the use case for authentication-dependent (i.e. JWT token, for example) is covered by this library. The use case is as follows:

1. We provide a token as Bearer on request.
2. The endpoint recognizes the user and saves information about user access rate;
3. In case of rate or limit violation, we raise an exception with status code 429.

[ecly]

@brunolnetto this is supported with slowapi.

You can provide a key_func to the Limiter which can take the fastapi.Request as its parameter, from which you can get the User ID from the token and use this as a key.

I.e. just using the bearer token as a key for rate limiting could be done with:

from fastapi import Request
from slowapi import Limiter

def api_key_from_request(request: Request):
    auth = request.headers.get("authorization")
    user_id = get_user_id_from_auth(auth)
    return user_id
    
limiter = Limiter(key_func=api_key_from_request)
...

[brunolnetto]

Is there some way to alternate between provided key and default key, like IP? I mean, not every route is key-protected.

[ecly]

Is there some way to alternate between provided key and default key, like IP? I mean, not every route is key-protected.

Sure, check out the default utility functions that support IP based rate limiting: https://slowapi.readthedocs.io/en/latest/api/#utility-functions

And you can override with per route/decorator key functions, depending on the need for each route.

[brunolnetto]

Sorry for furher requesting explanation, but what precisely is the difference between functions get_remote_address and get_ipaddr?

[ecly]

Sorry for furher requesting explanation, but what precisely is the difference between functions get_remote_address and get_ipaddr?

Probably better served for discussions, but you can view the implementation here.

TLDR:

• Behind a proxy/load balancer (that uses X-Forwarded-For headers) use get_remote_address.
• If clients connect directly to our server, you use get_ipaddr.

[brunolnetto]

I added a pull request to remove repeated code. May you review and merge? :-)

#211

[ecly]

I added a pull request to remove repeated code. May you review and merge? :-)

#211

I'm not a maintainer of this project, so cannot help with that. Just a user.

[laurentS]

@ecly thanks for taking the time to reply! @brunolnetto I've authorized CI on your PR, thanks for sending it in.
Indeed, this would have been better suited for a discussion than a bug :) Closing this one.

[brunolnetto]

CI is till failing because of command run poetry run mypy .