add middleware and exempt decorator

[Rested]

just a sketch - addresses #1
idea is that it doesn't change the existing usage

  app = Starlette(debug=True)
  app.state.limiter = limiter
  app.add_exception_handler(RateLimitExceeded, _rate_limit_exceeded_handler)

but builds on it with

app.add_middleware(SlowAPIMiddleware)

this means it wouldn't be a breaking change

[laurentS]

@Rested this is great! Thanks for putting it together! I like that you made it a non-breaking change.
I've made a minor comment, and I think it will need a bit more testing (which I think we can add later) but otherwise I'm happy to merge this.

[laurentS]

Since this is testing an exempt route, the original IP should be able to GET this as well without being throttled. How would you feel about changing this IP to 127.0.0.10 instead?

[Rested]

Hey sorry I kind of forgot about this PR! I had a look at my code today and I seemed to be having bit of trouble getting a test to pass that I added for default and decorator limit merging 272ae50. It looks like I was referencing test_multiple_decorators but I'm not sure whether the behaviour should be different in this case? If you could have a brief look at it that would be great @laurentS

[laurentS]

Hey sorry I kind of forgot about this PR! I had a look at my code today and I seemed to be having bit of trouble getting a test to pass that I added for default and decorator limit merging 272ae50. It looks like I was referencing test_multiple_decorators but I'm not sure whether the behaviour should be different in this case? If you could have a brief look at it that would be great @laurentS

@Rested Thanks for coming back to this! Looking at your test, I think the reason it doesn't behave as you expect is in @limiter.limit("100 per minute", key_func=lambda: "lest") where you're basically assigning every request to the same limit key lest. So further down when you change the X_FORWARDED_FOR header, it makes no difference, slowapi considers all these requests as having the key lest. (I'm guessing you meant "test"?). The test_multiple_decorators is a bit cheeky in that sense, because it uses 2 different key_func functions, so there's effectively a 50/min limit per IP, plus a 100/min limit shared by all users/requests.

About your question on default limits, flask-limiter (whose code slowapi is heavily based on) added an override_defaults option to the @limiter.limit() decorator after I forked the code. Maybe we should replicate that, as it seems like a good design option. Let me know if you feel like porting that option, otherwise I'll take care of it.

[Rested]

i couldn't figure out how to make mypy happy here

[laurentS]

I don't know either. I was hoping that breaking the if statement above might help mypy see that your last line is fine, but no. Let's keep it like it is, I think it's ok!

[Rested]

does less than the original https://github.com/alisaifee/flask-limiter/blob/55df08f14143a7e918fc033067a494248ab6b0c5/flask_limiter/extension.py#L592 but i think it's sufficient for currently supported functionality.

[laurentS]

I can find a mistake in the logic either (It doesn't mean there isn't one 😉 ). I think it would be worth spending some time commenting this bit of code, as I find it pretty obscure, with all these xxxx_limits variables. And we should add some more tests, but I'm happy to merge this at this point, as the middleware is pretty cool functionality.
Is that ok with you?

[Rested]

sounds good to me :)

[Rested]

i think one useful thing to do might be to implement some more of the flask-limiter tests with @pytest.mark.xfail so it's more obvious how much of the api is implemented and how far from feature parity we are

[Rested]

I'll have a go at that when I find some time!

[Rested]

added #17 off the back of this