Change Details

For us developers, and more generally for ease of management/evolution, it would be nice to have a way to lift/tune rate limiting for the Web API based on API tokens, rather than on PI addresses only. At first we don't need a full-fledged key revocation mechanism. We can make do with simply a list of API tokens than we can generate, assign to clients, and look for them in incoming HTTP requests in a header like (inspired by [[ https://developer.github.com/v3/auth/#authenticating-for-saml-sso | github use of the header ]]): ``` $ curl -v -H "Authorization: token :SWH_API_TOKEN" https://archive.softwareheritage.org/api/1/stat/counters/ ``` the Web APP will check if `SWH_API_TOKEN` is in the static, //private// list of allowed tokens and, if so, bypass throttling. That list will be maintained similarly to how we currently maintain the list of whitelisted IP addresses. With Django rest framework this can be implemented as [[ https://www.django-rest-framework.org/api-guide/throttling/#custom-throttles | custom throttle ]].

For us developers, and more generally for ease of management/evolution, it would be nice to have a way to lift/tune rate limiting for the Web API based on API tokens, rather than on PI addresses only. At first we don't need a full-fledged key revocation mechanism. We can make do with simply a list of API tokens than we can generate, assign to clients, and look for them in incoming HTTP requests in a header like (inspired by [[ https://developer.github.com/v3/auth/#authenticating-for-saml-sso | github's use of the header ]]): ``` $ curl -v -H "Authorization: token :SWH_API_TOKEN" https://archive.softwareheritage.org/api/1/stat/counters/ ``` the Web APP will check if `SWH_API_TOKEN` is in the static, //private// list of allowed tokens and, if so, bypass throttling. That list will be maintained similarly to how we currently maintain the list of whitelisted IP addresses. With Django rest framework this can be implemented as [[ https://www.django-rest-framework.org/api-guide/throttling/#custom-throttles | custom throttle ]].

For us developers, and more generally for ease of management/evolution, it would be nice to have a way to lift/tune rate limiting for the Web API based on API tokens, rather than on PI addresses only. At first we don't need a full-fledged key revocation mechanism. We can make do with simply a list of API tokens than we can generate, assign to clients, and look for them in incoming HTTP requests in a header like (inspired by [[ https://developer.github.com/v3/auth/#authenticating-for-saml-sso | github's use of the header ]]): ``` $ curl -v -H "Authorization: token :SWH_API_TOKEN" https://archive.softwareheritage.org/api/1/stat/counters/ ``` the Web APP will check if `SWH_API_TOKEN` is in the static, //private// list of allowed tokens and, if so, bypass throttling. That list will be maintained similarly to how we currently maintain the list of whitelisted IP addresses. With Django rest framework this can be implemented as [[ https://www.django-rest-framework.org/api-guide/throttling/#custom-throttles | custom throttle ]].