feat: Add rate limiter

[bolkedebruin]

Description

This allows regulation of the number of times a user can request a particular API or view given a time-frame. It protects against brute-forcing entry and denial of service.

Both Airflow and Superset have a long standing issue of not being able to rate limit access to APIs and views allowing for brute forcing access.

apache/superset#10560
https://lists.apache.org/thread/hdpyr3y5cq0djcogn1ql7gj7vq09xo0j
apache/superset#10620

This change allows users to decorate their APIs and Views with @limit.

Note I have turned to default to be ON for authentication for AuthDB and AuthLDAP (Oauth/oidc have their own protection mechanisms) as FAB should be secure out of the box I assume.

cc @potiuk

ADDITIONAL INFORMATION

• Has associated issue:
• Is CRUD MVC related.
• Is Auth, RBAC security related.
• Changes the security db schema.
• Introduces new feature
• Removes existing feature

[codecov]

Codecov Report

Merging #1976 (ea19c87) into master (57e9d10) will increase coverage by 0.16%.
The diff coverage is 98.57%.

❗ Current head ea19c87 differs from pull request most recent head 7723ff1. Consider uploading reports for the commit 7723ff1 to get more accurate results

@@            Coverage Diff             @@
##           master    #1976      +/-   ##
==========================================
+ Coverage   78.10%   78.27%   +0.16%     
==========================================
  Files          71       72       +1     
  Lines        8611     8667      +56     
==========================================
+ Hits         6726     6784      +58     
+ Misses       1885     1883       -2     

Flag	Coverage Δ
python	78.27% <98.57%> (+0.16%)	⬆️

Flags with carried forward coverage won't be shown. Click here to find out more.

Impacted Files	Coverage Δ
flask_appbuilder/security/views.py	62.63% <50.00%> (ø)
flask_appbuilder/api/__init__.py	96.34% <100.00%> (+0.03%)	⬆️
flask_appbuilder/base.py	84.85% <100.00%> (+0.27%)	⬆️
flask_appbuilder/baseviews.py	89.90% <100.00%> (+0.25%)	⬆️
flask_appbuilder/security/decorators.py	94.68% <100.00%> (+0.77%)	⬆️
flask_appbuilder/security/manager.py	75.64% <100.00%> (+0.56%)	⬆️
flask_appbuilder/utils/limit.py	100.00% <100.00%> (ø)

Help us with your feedback. Take ten seconds to tell us how you rate us. Have a feature suggestion? Share it here.

[dpgaspar]

This is great! left some non blocking comments. Can you please revisit?

[bolkedebruin]

@dpgaspar ptl, i have addressed your comments and fixed the linting (can I suggest using a newer flake8, the one used here is really really old).

[bolkedebruin]

Hi @dpgaspar PR is finished. Would be great if it was included in 4.2.1 :-)

[dpgaspar]

sorry, it won't, but I'll make a 4.3.0 next week just for this, no worries

[bolkedebruin]

awesome, that'll work :-)

[dpgaspar]

This seems a bit agressive, what do you think about keeping the same rate but increasing the number of attempts needed. Example: "10 per 25 second"?

[bolkedebruin]

I don't think it's aggressive. A human being will have trouble meeting this if they have to retype the password and otherwise a short pause won't hurt. An automated system configured wrongly will remain wrong.

So if you realize "omg ive typed in the password/username twice" you probably start thinking a bit longer and cross the 5s barrier (try it!) and if you do make it a slight pause won't hurt IMHO.

An alternative is to redirect to a captcha when reaching the limit but I'll leave that to someone else.

Anyways I'm not married to this limit but I do not think it's too aggressive.

[dpgaspar]

I was able to reach it pretty easily and manually

[bolkedebruin]

Easily as in normal human behavior or as in trying to trigger it? Triple entry isn't common.

But if you think it's better we can switch.

[dpgaspar]

Trying to trigger it, but If you agree, I think it would be more conservative and still safe against brute force and DoS