From b24f7cd8702ef63d605c7633d260a796828874e7 Mon Sep 17 00:00:00 2001
From: Krystle Salazar
Date: Tue, 16 Aug 2022 11:16:59 -0400
Subject: [PATCH] Add throttling classes for thumbnail endpoint (#864)
---
 api/catalog/api/utils/throttle.py | 9 +++++++++
 api/catalog/api/views/image_views.py | 7 +++++--
 api/catalog/settings.py | 6 ++++++
 3 files changed, 20 insertions(+), 2 deletions(-)
diff --git a/api/catalog/api/utils/throttle.py b/api/catalog/api/utils/throttle.py
index 1814b2d1d..3329bbfe1 100644
--- a/api/catalog/api/utils/throttle.py
+++ b/api/catalog/api/utils/throttle.py
@@ -53,6 +53,10 @@ class SustainedRateThrottle(AbstractAnonRateThrottle):
 scope = "anon_sustained"
+class AnonThumbnailRateThrottle(AbstractAnonRateThrottle):
+ scope = "anon_thumbnail"
+
+
 class TenPerDay(AbstractAnonRateThrottle):
 rate = "10/day"
@@ -90,6 +94,11 @@ def get_cache_key(self, request, view):
 return self.cache_format % {"scope": self.scope, "ident": ident}
+class OAuth2IdThumbnailRateThrottle(AbstractOAuth2IdRateThrottle):
+ applies_to_rate_limit_model = "standard"
+ scope = "oauth2_client_credentials_thumbnail"
+
+
 class OAuth2IdSustainedRateThrottle(AbstractOAuth2IdRateThrottle):
 applies_to_rate_limit_model = "standard"
 scope = "oauth2_client_credentials_sustained"
diff --git a/api/catalog/api/views/image_views.py b/api/catalog/api/views/image_views.py
index 5c221a5a0..47f6f0f52 100644
--- a/api/catalog/api/views/image_views.py
+++ b/api/catalog/api/views/image_views.py
@@ -32,7 +32,10 @@ )
 from catalog.api.serializers.media_serializers import MediaThumbnailRequestSerializer
 from catalog.api.utils.exceptions import get_api_exception
-from catalog.api.utils.throttle import OneThousandPerMinute
+from catalog.api.utils.throttle import (
+ AnonThumbnailRateThrottle,
+ OAuth2IdThumbnailRateThrottle,
+)
 from catalog.api.utils.watermark import watermark
 from catalog.api.views.media_views import MediaViewSet
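Review bot: `OAuth2IdThumbnailRateThrottle` is declared with `applies_to_rate_limit_model = "standard"` only, yet the settings hunk in this same patch registers an `EnhancedOAuth2IdSustainedRateThrottle`, so the project appears to distinguish a second, enhanced rate-limit model that gets no thumbnail throttle here. Since the thumbnail view replaces its `throttle_classes` with just the two new classes, an enhanced-model client could reach the thumbnail endpoint with no OAuth2 throttle applied at all — whether it is then caught by `AnonThumbnailRateThrottle` depends on `AbstractAnonRateThrottle`, which is outside the hunk. If that model exists, add a matching `EnhancedOAuth2IdThumbnailRateThrottle` with its own scope and rate, or document on the class why enhanced clients are deliberately exempt. A one-line docstring such as `"""Per-client thumbnail rate limit for standard-model OAuth2 clients."""` would also help, as none of the throttle classes in this hunk carry one. The base classes and the body of `get_cache_key` start outside the hunk.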
@@ -93,7 +96,7 @@ def oembed(self, request, *_, **__):
 url_path="thumb",
 url_name="thumb",
 serializer_class=MediaThumbnailRequestSerializer,
- throttle_classes=[OneThousandPerMinute],
+ throttle_classes=[AnonThumbnailRateThrottle, OAuth2IdThumbnailRateThrottle],
 )
 def thumbnail(self, request, *_, **__):
 image = self.get_object()
diff --git a/api/catalog/settings.py b/api/catalog/settings.py
index 71bfd52f2..fbffef2d3 100644
--- a/api/catalog/settings.py
+++ b/api/catalog/settings.py
@@ -129,6 +129,8 @@
 THROTTLE_ANON_BURST = config("THROTTLE_ANON_BURST", default="5/hour")
 THROTTLE_ANON_SUSTAINED = config("THROTTLE_ANON_SUSTAINED", default="100/day")
+THROTTLE_ANON_THUMBS = config("THROTTLE_ANON_THUMBS", default="150/minute")
+THROTTLE_OAUTH2_THUMBS = config("THROTTLE_OAUTH2_THUMBS", default="500/minute")
 REST_FRAMEWORK = {
 "DEFAULT_AUTHENTICATION_CLASSES": (
@@ -143,6 +145,8 @@
 "DEFAULT_THROTTLE_CLASSES": (
 "catalog.api.utils.throttle.BurstRateThrottle",
 "catalog.api.utils.throttle.SustainedRateThrottle",
+ "catalog.api.utils.throttle.AnonThumbnailRateThrottle",
+ "catalog.api.utils.throttle.OAuth2IdThumbnailRateThrottle",
 "catalog.api.utils.throttle.OAuth2IdSustainedRateThrottle",
 "catalog.api.utils.throttle.OAuth2IdBurstRateThrottle",
 "catalog.api.utils.throttle.EnhancedOAuth2IdSustainedRateThrottle",
@@ -152,6 +156,8 @@
 "DEFAULT_THROTTLE_RATES": {
 "anon_burst": THROTTLE_ANON_BURST,
 "anon_sustained": THROTTLE_ANON_SUSTAINED,
+ "anon_thumbnail": THROTTLE_ANON_THUMBS,
+ "oauth2_client_credentials_thumbnail": THROTTLE_OAUTH2_THUMBS,
 "oauth2_client_credentials_sustained": "10000/day",
 "oauth2_client_credentials_burst": "100/min",
 "enhanced_oauth2_client_credentials_sustained": "20000/day",
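Review bot: The new `throttle_classes` list on the `thumb` action replaces the view-set defaults, so the burst and sustained limits no longer count thumbnail requests, and nothing in the decorator records that this is intentional. A comment above the changed line, `# Thumbnails are fetched many times per page view: use dedicated per-identity buckets instead of the global burst/sustained limits`, would stop a later maintainer from "fixing" it by re-adding the defaults. How `AnonThumbnailRateThrottle` identifies a client (presumably by source IP via the abstract base) is outside the hunk, so clients behind one shared egress address would share the 150/minute budget — worth confirming that is acceptable for an endpoint that is hit once per rendered image. The body of `thumbnail` continues past the hunk.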
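Review bot: Registering `AnonThumbnailRateThrottle` and `OAuth2IdThumbnailRateThrottle` in `DEFAULT_THROTTLE_CLASSES` applies them to every view that does not override `throttle_classes`, not only to the thumbnail action that this patch wires them into explicitly. Because a throttle's counter is keyed by its `scope` plus the client identity (see the `get_cache_key` return in the throttle.py hunk), ordinary search requests will then be charged against the `anon_thumbnail` and `oauth2_client_credentials_thumbnail` buckets and reduce the thumbnail allowance, while the thumbnail endpoint itself never consults the defaults. The `thumb` action already lists both classes, and the `DEFAULT_THROTTLE_RATES` entries should be all DRF needs to resolve their scopes, so the two added lines in this hunk can most likely be dropped. If a global cap is really the intent, a comment next to the two entries saying so would save the next reader the same question.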