[RFE] Throttle API requests #20955

Fryguy · 2021-01-13T19:33:00Z

This enhancement request has a number of dimensions.

We should throttle successful logins for the same user when repeated too many times within a certain short amount of time. In doing so we can encourage the usage of logging in to get a token and then using that token in follow-up calls. This will mitigate excessive logging and audit events.
We should throttle API requests in general (except maybe requests with a UI token?) to discourage unoptimized queries and N+1 errors. This would be akin to GitHub placing a limit of 5000 requests per hour. I suggest we do something similar, though I don't know what that number should be. Regardless, it should be configurable.

Note that we already throttle unsuccessful logins via a delayed lockout.

jrafanie · 2021-08-25T19:13:14Z

@NickLaMuro is this resolved by #21271 ? Can this or should this go back to morphy?

Fryguy · 2021-09-01T19:08:55Z

Done!

NickLaMuro · 2021-09-01T19:09:09Z

Yes, this was resolved by #21271 as we discussed offline. Sorry for not coming back here and responding previously 😞

Fryguy added the enhancement label Jan 13, 2021

Fryguy added this to To do in Roadmap Jan 13, 2021

gtanzillo added the help wanted label Jan 14, 2021

chessbyte moved this from To do to In progress in Roadmap Aug 25, 2021

chessbyte added this to the Morphy milestone Aug 25, 2021

Fryguy moved this from In progress to Morphy in Roadmap Sep 1, 2021

Fryguy closed this as completed Sep 1, 2021

Fryguy removed the help wanted label Sep 1, 2021

Fryguy assigned NickLaMuro Sep 1, 2021

Provide feedback