
Add API rate limiting

Open sbs2001 opened this issue 4 years ago • 6 comments

Deploying without any guards against API spam is a bad idea, especially since we need to do quite a lot of work and the API payload is big.

sbs2001 avatar May 22 '21 12:05 sbs2001

The restframework comes with the throttling feature. If we could decide on the default limits, I'd love to open a PR for the same.

Hritik14 avatar Jun 08 '21 21:06 Hritik14

Using the DRF AnonRateThrottle should be good enough for a start

pombredanne avatar Jul 21 '21 12:07 pombredanne
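How the DRF `AnonRateThrottle` suggested above decides whether to serve a request, shown as an added example that re-implements the sliding-window logic in plain Python so it runs without Django or rest_framework; the class and helper names are this example's own, not VulnerableCode's or DRF's.

```python
"""Sliding-window throttle mirroring DRF's SimpleRateThrottle algorithm.

Added example (not VulnerableCode or DRF code): the rate-string format and
the window check follow DRF, but the names below are this example's own.
"""
import time
from collections import defaultdict

# Period letters DRF accepts in THROTTLE_RATES, e.g. "100/day" or "100/d".
PERIOD_SECONDS = {"s": 1, "m": 60, "h": 3600, "d": 86400}


def parse_rate(rate):
    """Turn "100/day" into (100, 86400); None means "no limit configured"."""
    if rate is None:
        return None, None
    num, period = rate.split("/")
    return int(num), PERIOD_SECONDS[period[0]]


class AnonThrottle:
    """Per-client sliding window keyed by client IP, like AnonRateThrottle.

    `clock` is injectable so the behaviour can be tested deterministically.
    """

    def __init__(self, rate, clock=time.time):
        self.num_requests, self.duration = parse_rate(rate)
        self.clock = clock
        self.history = defaultdict(list)  # DRF keeps this in its cache

    def allow_request(self, client_ip):
        if self.num_requests is None:
            return True  # unthrottled when no rate is set
        now = self.clock()
        window = self.history[client_ip]
        # Discard timestamps that fell out of the window (oldest at the end).
        while window and window[-1] <= now - self.duration:
            window.pop()
        if len(window) >= self.num_requests:
            return False  # caller should answer 429 Too Many Requests
        window.insert(0, now)
        return True


def simulate(rate, requests):
    """Replay (client_ip, timestamp) pairs; return the allow/deny decisions."""
    current = {"t": 0}
    throttle = AnonThrottle(rate, clock=lambda: current["t"])
    decisions = []
    for ip, t in requests:  # constructed traffic, timestamps in seconds
        current["t"] = t
        decisions.append(throttle.allow_request(ip))
    return decisions
```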

At this stage we do not have anything beyond basic auth.

We should enable the "classic" API key system for DRF API access.

For now we barely enabled "django.contrib.auth", and "rest_framework.authtoken" in the settings https://github.com/nexB/vulnerablecode/blob/479111359070cc09010bde343e210306c4b14e40/vulnerablecode/settings.py ...

But we should emulate what is done in ScanCode.io ... see https://github.com/nexB/scancode.io/pull/368 and https://github.com/nexB/scancode.io/issues/359

pombredanne avatar Aug 11 '22 15:08 pombredanne

For now, I think we will not need rate limiting once we implement auth... that's a refinement for later

pombredanne avatar Aug 11 '22 15:08 pombredanne

Added authentication here https://github.com/nexB/vulnerablecode/pull/848

TG1999 avatar Aug 17 '22 17:08 TG1999

As a first step when we make the public instance public I suggest this:

  • no auth for the UI access
  • auth for API access with an API key, that can be requested simply by email for a start.

We need to add link/content in the UI to explain how to request an API key.

pombredanne avatar Aug 18 '22 15:08 pombredanne