
Web app: rate limiting based on per-client API tokens
Closed, Migrated

Description

For us developers, and more generally for ease of management and evolution, it would be nice to have a way to lift or tune rate limiting for the Web API based on API tokens, rather than on IP addresses only.

At first we don't need a full-fledged key revocation mechanism. We can make do with a simple list of API tokens that we can generate, assign to clients, and look for in incoming HTTP requests in a header like the following (inspired by GitHub's use of the header):

$ curl -v -H "Authorization: token SWH_API_TOKEN" https://archive.softwareheritage.org/api/1/stat/counters/

The Web app will check whether SWH_API_TOKEN is in the static, private list of allowed tokens and, if so, bypass throttling. That list will be maintained similarly to how we currently maintain the list of whitelisted IP addresses.

With Django REST framework this can be easily implemented with a custom throttle.
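One way to write that custom throttle, as an added example that is not Software Heritage's own implementation. The token values are constructed samples, the header parsing accepts only the `token` scheme shown above, and the stand-in base class used when Django REST framework is not installed is an assumption so the helpers can run on their own:

```python
"""Custom DRF throttle that lets requests carrying a known API token bypass
IP-based rate limiting.  Added example; not Software Heritage's own code."""
import hmac

try:
    from rest_framework.throttling import AnonRateThrottle
except ImportError:  # assumption: stand-in so the helpers run without DRF installed
    class AnonRateThrottle:  # minimal stand-in for DRF's IP-keyed base throttle
        def allow_request(self, request, view):
            return True

# Constructed sample tokens; in production this list would be loaded from a
# private settings file, the same way the IP whitelist is maintained.
ALLOWED_API_TOKENS = frozenset({
    "3f9a1c2e5b7d4a6c8e0f1b2d3c4a5e6f",
    "b61e2d9c4a7f8e0d1c3b5a7e9f2d4c6a",
})


def extract_api_token(authorization_header):
    """Return the token from an 'Authorization: token <value>' header, or None.

    Only the 'token' scheme is accepted (the GitHub-style form proposed in the
    task); Basic, Bearer and malformed headers yield None.
    """
    parts = authorization_header.strip().split()
    if len(parts) != 2 or parts[0].lower() != "token" or not parts[1]:
        return None
    return parts[1]


def token_is_allowed(token, allowed=ALLOWED_API_TOKENS):
    """Membership test that does not short-circuit on the first differing byte.

    Comparing against every entry with hmac.compare_digest keeps the check's
    timing independent of how close a guessed token is to a real one.
    """
    matched = False
    for candidate in allowed:
        if hmac.compare_digest(candidate.encode(), token.encode()):
            matched = True
    return matched


class TokenBypassThrottle(AnonRateThrottle):
    """IP-keyed throttle that is skipped when a recognised API token is sent."""

    def allow_request(self, request, view):
        # Django exposes the Authorization header as META['HTTP_AUTHORIZATION'].
        token = extract_api_token(request.META.get("HTTP_AUTHORIZATION", ""))
        if token is not None and token_is_allowed(token):
            return True  # trusted client: no rate limit applied
        return super().allow_request(request, view)
```

Register the class in `REST_FRAMEWORK["DEFAULT_THROTTLE_CLASSES"]` in place of the plain IP-based throttle; requests without a recognised token still fall through to the existing per-IP limits.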

Event Timeline

zack triaged this task as Normal priority. Jul 21 2019, 4:10 PM
zack created this task.
zack updated the task description.
zack raised the priority of this task from Normal to High. Feb 28 2020, 11:42 PM
anlambert claimed this task.
anlambert added a subscriber: anlambert.

This is now implemented, deployed and documented so closing this as resolved.