Page MenuHomeSoftware Heritage
Create Task
Maniphest T1927

Web app: rate limiting based on per-client API tokens
Closed, MigratedEdits Locked
Actions

Description

For us developers, and more generally for ease of management/evolution, it would be nice to have a way to lift/tune rate limiting for the Web API based on API tokens, rather than on PI addresses only.

At first we don't need a full-fledged key revocation mechanism. We can make do with simply a list of API tokens than we can generate, assign to clients, and look for them in incoming HTTP requests in a header like (inspired by github's use of the header):

$ curl -v -H "Authorization: token SWH_API_TOKEN" https://archive.softwareheritage.org/api/1/stat/counters/

the Web APP will check if SWH_API_TOKEN is in the static, private list of allowed tokens and, if so, bypass throttling. That list will be maintained similarly to how we currently maintain the list of whitelisted IP addresses.

With Django rest framework this can be easily implemented with a custom throttle.

Revisions and Commits

rDWAPPS Web applications
D3849rDWAPPS3250335c25c5 auth/backends: Use offline refresh token for Web API authentication
D3309rDWAPPS644fcc014b1f api/throttling: Lift rate limit when user has special permission

Related Objects
Search...

Event Timeline

zack triaged this task as Normal priority.Jul 21 2019, 4:10 PM
zack created this task.
zack updated the task description. (Show Details)
zack updated the task description. (Show Details)
zack updated the task description. (Show Details)
anlambert added a parent task: T1982: Add user authentication and permissions to swh-web.Sep 3 2019, 1:44 PM
zack mentioned this in T2116: web API: whitelist swh-team machines.Dec 2 2019, 9:41 AM
anlambert added a parent task: T2219: Authentication / authorization.Jan 23 2020, 4:29 PM
zack raised the priority of this task from Normal to High.Feb 28 2020, 11:42 PM
anlambert mentioned this in D2747: Add DRF bearer token authentication using OpenID Connect.Mar 2 2020, 6:54 PM
anlambert mentioned this in D2858: api/throttling: Lift rate limit for staff users.Mar 19 2020, 6:35 PM
anlambert mentioned this in rDWAPPS82282422beea: api/throttling: Lift rate limit for staff users.Mar 20 2020, 3:19 PM
anlambert mentioned this in D2869: client: Add OpenID Connect bearer token authentication.Mar 23 2020, 6:15 PM
anlambert mentioned this in rDWCLI492be567e272: client: Add OpenID Connect bearer token authentication.Mar 24 2020, 12:08 PM
anlambert mentioned this in D2896: Keycloak: add realm and client definition in puppet manifest.Mar 26 2020, 9:28 PM
anlambert mentioned this in D2975: webapp: Add keycloak configuration for production and staging.Apr 7 2020, 6:41 PM
anlambert mentioned this in rSPSITE49ed9869b1b6: webapp: Add keycloak configuration for production and staging.Apr 8 2020, 12:34 PM
anlambert added a revision: D3309: api/throttling: Lift rate limit when user has special permission.Jun 17 2020, 5:42 PM
anlambert added a commit: rDWAPPS644fcc014b1f: api/throttling: Lift rate limit when user has special permission.Jun 18 2020, 2:14 PM
anlambert added a revision: D3849: auth/backends: Use offline refresh token for Web API authentication.Aug 27 2020, 11:54 AM
anlambert added a commit: rDWAPPS3250335c25c5: auth/backends: Use offline refresh token for Web API authentication.Aug 27 2020, 6:51 PM
anlambert closed subtask T2569: Add Web UI to generate and revoke bearer tokens as Resolved.Sep 22 2020, 12:21 PM
anlambert closed this task as Resolved.Nov 17 2020, 2:56 PM
anlambert claimed this task.
anlambert added a subscriber: anlambert.

This is now implemented, deployed and documented so closing this as resolved.

gitlab-migration changed the task status from Resolved to Migrated.Jan 8 2023, 4:28 PM
gitlab-migration claimed this task.
gitlab-migration added a subscriber: gitlab-migration.

This task has been migrated to GitLab.

gitlab-migration changed the status of subtask T2569: Add Web UI to generate and revoke bearer tokens from Resolved to Migrated.Jan 8 2023, 4:31 PM
About · Developer information · Legal