feat: Add rate limiting to identity search endpoint #6438
There are no files selected for viewing
| Original file line number | Diff line number | Diff line change | ||||
|---|---|---|---|---|---|---|
|
|
@@ -16,6 +16,7 @@ | |||||
| from rest_framework import status, viewsets | ||||||
| from rest_framework.permissions import IsAuthenticated | ||||||
| from rest_framework.response import Response | ||||||
| from rest_framework.throttling import ScopedRateThrottle | ||||||
|
|
||||||
| from app.pagination import CustomPagination | ||||||
| from core.constants import FLAGSMITH_UPDATED_AT_HEADER, SDK_ENVIRONMENT_KEY_HEADER | ||||||
|
|
@@ -41,6 +42,15 @@ | |||||
| class IdentityViewSet(viewsets.ModelViewSet): # type: ignore[type-arg] | ||||||
| serializer_class = IdentitySerializer | ||||||
| pagination_class = CustomPagination | ||||||
| throttle_scope = "identity_search" | ||||||
|
cursor[bot] marked this conversation as resolved.
|
||||||
|
|
||||||
|
1-23-smy marked this conversation as resolved.
|
||||||
| def get_throttles(self): # type: ignore[no-untyped-def] | ||||||
| """ | ||||||
| Apply identity_search throttle only to list (search) requests. | ||||||
| """ | ||||||
| if getattr(self, "action", None) == "list": | ||||||
|
There was a problem hiding this comment. The comment states "Apply identity_search throttle only to list (search) requests" but the implementation applies throttling to ALL list requests, regardless of whether they include a search query parameter. The current implementation throttles both If the intent is to only throttle search requests (when the 'q' parameter is present), the condition should check for the presence of the query parameter. Otherwise, if throttling all list requests is the intended behavior, update the comment to accurately reflect this.
Suggested change
|
||||||
| return [ScopedRateThrottle()] | ||||||
| return [] | ||||||
|
Contributor
There was a problem hiding this comment. Even though the impact is minimal, i would suggest to return the global default throttle
Author
There was a problem hiding this comment.
Contributor
There was a problem hiding this comment. thanks a lot! Just some conflicts to fix and we should be good to enable the workflows and get it over the line. Again, thanks for the contribution, we appreciate!
Author
There was a problem hiding this comment. Thanks for the review! the conflicts should now be resolved. Let me know if there's anything else you'd like me to adjust! |
||||||
|
|
||||||
| def get_queryset(self): # type: ignore[no-untyped-def] | ||||||
| if getattr(self, "swagger_fake_view", False): | ||||||
|
|
||||||
| Original file line number | Diff line number | Diff line change |
|---|---|---|
|
|
@@ -305,6 +305,31 @@ def test_search_identities_still_allows_paging( | |
| assert response2.data["results"] | ||
|
|
||
|
|
||
| def test_identity_search_is_throttled( | ||
| admin_client: APIClient, | ||
| environment: Environment, | ||
| reset_cache: None, | ||
| mocker: MockerFixture, | ||
| ) -> None: | ||
| # Given - mock the throttle rate to be restrictive for testing | ||
| mocker.patch( | ||
| "rest_framework.throttling.ScopedRateThrottle.get_rate", return_value="1/minute" | ||
| ) | ||
| base_url = reverse( | ||
| "api-v1:environments:environment-identities-list", | ||
| args=[environment.api_key], | ||
| ) | ||
| url = f"{base_url}?q=test" | ||
|
|
||
| # When - make 2 requests in quick succession | ||
| response1 = admin_client.get(url) | ||
| response2 = admin_client.get(url) | ||
|
|
||
| # Then - first should succeed, second should be throttled | ||
| assert response1.status_code == status.HTTP_200_OK | ||
| assert response2.status_code == status.HTTP_429_TOO_MANY_REQUESTS | ||
|
cursor[bot] marked this conversation as resolved.
|
||
|
|
||
|
Comment on lines
+308
to
+331
There was a problem hiding this comment. The test only verifies that the list action with a search query is throttled, but it doesn't verify that other actions (create, retrieve, update, delete) are NOT throttled. Following the pattern from api/tests/integration/custom_auth/end_to_end/test_custom_auth_integration.py:563-575 (test_get_user_is_not_throttled), consider adding a test to ensure other actions on the IdentityViewSet are not affected by the throttle. |
||
|
|
||
| def test_can_delete_identity( | ||
| environment: Environment, | ||
| admin_client: APIClient, | ||
|
|
||
| Original file line number | Diff line number | Diff line change |
|---|---|---|
|
|
@@ -4,10 +4,10 @@ import useDebounce from './useDebounce' | |
| export default function useDebouncedSearch(initialValue = '') { | ||
| const [searchInput, setSearchInput] = useState(initialValue) | ||
| const [search, setSearch] = useState(initialValue) | ||
| const [debounceTime, setDebounceTime] = useState(750) | ||
|
|
||
| useEffect(() => { | ||
| setDebounceTime(searchInput.length < 1 ? 0 : 750) | ||
|
There was a problem hiding this comment. Increasing the debounce time from 500ms to 750ms will affect all components using
While this may be acceptable to reduce API calls globally, consider whether a 250ms increase is appropriate for all these use cases. If the intent is to only throttle identity search, consider creating a separate hook like
Contributor
There was a problem hiding this comment. @Zaimwa9 are you able to chime in here - do you think this is something we need to be concerned about?
Contributor
There was a problem hiding this comment. @1-23-smy thanks for the changes, could you explain the rationale behind the increase of the debounce? If this does not conflict with the extra throttling we'd better stick to 500. We aligned on 500 being the right UX time |
||
| }, [searchInput]) | ||
|
|
||
| const debouncedSearch = useDebounce((value: string) => { | ||
|
|
||
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
The PR description mentions "Frontend Changes" that increase debounce from 500ms to 750ms in
frontend/common/useDebouncedSearch.ts, but this file is not included in the current changes. Based on previous review feedback, there were concerns about this change affecting all components using the hook, and it was suggested to stick to 500ms if there's no conflict with the backend throttling. Either include the frontend changes in this PR or remove the mention from the PR description.