Rate Limiting on 404 Pages

[zoltan-fedor]

I am trying to setup rate limiting of error pages.
I have seen that this has been asked before, see #109, but that suggestion made there doesn't seem to work.

I "wrote a custom handler and decorated it" with the rate limiter - but rate limiting is not triggered on error handlers, but being silently ignored:

This doesn't work:

@api.app_errorhandler(404)
@limiter.limit('1/hour')
def page_not_found(e):
    return make_response(jsonify(error=f"Page doesn't exist: {e.description}"), 404)

While this does (to prove that rate limiting is on in the given blueprint):

@api.route('/test/', methods=['GET'])
@limiter.limit('1/hour')
def test():
    return 'test'

Any ideas?

[WaizungTaam]

From extension.py#L419,

        if (not request.endpoint
            or not self.enabled
            or view_func == current_app.send_static_file
            or name in self._exempt_routes
            or request.blueprint in self._blueprint_exempt
            or any(fn() for fn in self._request_filters)
            or g.get("_rate_limiting_complete")
        ):
            return

The limit is skipped if any of these conditions is True.

For a errorhandler, request.endpoint is None, which means not request.endpoint is always True. The limit on a errorhandler will never work.

[alisaifee]

Unfortunately I don't see any way to accomplish this as a feature since a 404 handler is not an actual "route".

You could perhaps get away with creating a fallback route which acts as a 404 handler in the following manner:

from flask import Flask, abort
from flask_limiter import Limiter

app = Flask(__name__)
limiter = Limiter(app)

@app.route("/<path:path>")
@limiter.limit("1/second", )
def missing_handler(path):
    abort(404, "Not found %s" % path)

@app.route("/")
def root():
    return "root"

@app.route("/other")
def other():
    return "other"