
Web app: rate limiting based on per-client API tokens
Open, Normal, Public

Description

For us developers, and more generally for ease of management/evolution, it would be nice to have a way to lift/tune rate limiting for the Web API based on API tokens, rather than on IP addresses only.

At first we don't need a full-fledged key revocation mechanism. We can make do with simply a list of API tokens that we can generate, assign to clients, and look for in incoming HTTP requests in a header like the following (inspired by GitHub's use of the header):

$ curl -v -H "Authorization: token SWH_API_TOKEN" https://archive.softwareheritage.org/api/1/stat/counters/

The Web app will check if SWH_API_TOKEN is in the static, private list of allowed tokens and, if so, bypass throttling. That list will be maintained similarly to how we currently maintain the list of whitelisted IP addresses.

With Django REST framework this can be easily implemented with a custom throttle.
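As an added illustration (not code from the task or from swh-web), the following sketches such a throttle without depending on Django REST framework: it exposes the same `allow_request(request, view)` shape a DRF throttle has, reads the `Authorization: token ...` header from a Django-style `request.META`, and bypasses the per-IP limit only when the token is in a private allowlist. The allowlist contents, the `FakeRequest` stub and the limits are constructed for the example.

```python
import hmac
import time
from collections import defaultdict, deque

# Constructed allowlist: in production this is the private, static list the
# task describes, maintained out of band like the whitelisted IPs.
ALLOWED_TOKENS = {"example-token-A", "example-token-B"}


def token_from_header(auth_header):
    """Parse 'Authorization: token <value>'; anything else yields None."""
    if not auth_header:
        return None
    parts = auth_header.split(None, 1)
    if len(parts) != 2 or parts[0].lower() != "token":
        return None
    return parts[1].strip() or None


def token_is_allowed(token, allowed=ALLOWED_TOKENS):
    """Compare against every entry in constant time, so the response timing
    does not leak how many tokens (or how many bytes) matched."""
    if token is None:
        return False
    match = False
    for candidate in allowed:
        match |= hmac.compare_digest(token.encode(), candidate.encode())
    return match


class FakeRequest:
    """Stand-in for django.http.HttpRequest exposing only META (assumption)."""
    def __init__(self, meta):
        self.META = meta


class TokenOrIPThrottle:
    """Hypothetical throttle: allowed tokens bypass, others get a sliding
    per-IP window of num_requests per duration seconds."""
    def __init__(self, num_requests=60, duration=60.0,
                 allowed=ALLOWED_TOKENS, clock=time.monotonic):
        self.num_requests, self.duration = num_requests, duration
        self.allowed, self.clock = allowed, clock
        self.history = defaultdict(deque)   # REMOTE_ADDR -> request timestamps

    def allow_request(self, request, view=None):
        if token_is_allowed(token_from_header(request.META.get("HTTP_AUTHORIZATION")),
                            self.allowed):
            return True                      # trusted client: no throttling
        now = self.clock()
        window = self.history[request.META.get("REMOTE_ADDR", "unknown")]
        while window and window[0] <= now - self.duration:
            window.popleft()                 # drop timestamps outside the window
        if len(window) >= self.num_requests:
            return False                     # over the per-IP limit
        window.append(now)
        return True
```

A real DRF throttle would subclass `rest_framework.throttling.BaseThrottle` and return the same boolean from `allow_request`; the parsing and constant-time check carry over unchanged.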

Event Timeline

zack created this task.Jul 21 2019, 4:10 PM
zack triaged this task as Normal priority.
zack updated the task description.