Add throttling protection

CHANGELOG.md

@@ -1,3 +1,7 @@
+## Upcoming
+
+* Protect auth login and password reset views against throttling.
+
 ## v1.1.4
 
 * Add email field to PasswordResetEmail response to OPTIONS request

README.md

@@ -132,3 +132,11 @@ with a selection from
         url('', include('user_management.api.urls.register')),
         ...
     )
+
+
+### Throttling protection
+The `/auth/` and `/auth/password_reset/` URLs are protected against throttling
+using the built-in [DRF throttle module](http://www.django-rest-framework.org/api-guide/throttling).
+
+You need to set the throttling rates in `DEFAULT_THROTTLE_RATES` setting for
+`REST_FRAMEWORK` in your `settings.py`.

user_management/api/views.py

@@ -10,6 +10,7 @@
 from rest_framework.authtoken.models import Token
 from rest_framework.authtoken.views import ObtainAuthToken
 from rest_framework.permissions import AllowAny, IsAuthenticated
+from rest_framework.throttling import AnonRateThrottle, UserRateThrottle
 
 from . import serializers, permissions
 
@@ -19,6 +20,7 @@
 
 class GetToken(ObtainAuthToken):
     renderer_classes = (renderers.JSONRenderer, renderers.BrowsableAPIRenderer)
+    throttle_classes = [AnonRateThrottle, UserRateThrottle]
 
     def delete(self, request, *args, **kwargs):
         try:
@@ -124,6 +126,7 @@ def initial(self, request, *args, **kwargs):
 
 class PasswordReset(OneTimeUseAPIMixin, generics.UpdateAPIView):
     permission_classes = [permissions.IsNotAuthenticated]
+    throttle_classes = [AnonRateThrottle, UserRateThrottle]
     model = User
     serializer_class = serializers.PasswordResetSerializer
 

user_management/tests/run.py

@@ -39,6 +39,10 @@
         'DEFAULT_AUTHENTICATION_CLASSES': (
             'rest_framework.authentication.TokenAuthentication',
         ),
+        'DEFAULT_THROTTLE_RATES': {
+            'anon': '10/day',
+            'user': '100/day'
+        },
     },
 )