Enable rate limiting on -dev #8540
Comments
We tried to do that but the new API doesn't have the same bypasses yet so it's a bit annoying. Instead, we want to add a bypass mechanism directly in the throttle classes so that it applies to everything automatically. |
I gave the new |
I've verified the new permission to successfully bypass the following throttles:
Without the permission, throttling still applies as before. |
I tested the abuse reports throttles on -stage a month ago when I was writing a test case. I remembered something and checked it again with -dev: I can send with Postman using the APIs 20 mixed requests (to report a user or an addon, authenticated with Session ID or anonymous) then I hit the 429, Too Many Requests. Then if I try it using a browser (same PC) I can send 20 more reports for addons/users. Should I receive a 429 per IP address after the first 20 attempts? |
Yeah it should be 20 reports per IP per day regardless of how they were posted. If you are sure this is using the same IP (no proxy/VPN/etc) then please file an issue. |
@diox Just for the record, I've tried the following method to test the API throttling for abuse reports (no proxy/VPN on):
There is something I've noticed though: Hope this helps and if @ioanarusiczki arrives at different results we can compare our findings. |
Both throttles should last 24 hours. However, something to keep in mind when testing on dev: cache will be reset at each deploy! So depending on what was happening on dev when you were testing that may have had an impact. |
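The behaviour the maintainers describe in this thread (20 reports per IP per 24 hours regardless of client or authentication, a bypass check living in the throttle class itself, and counters lost when the cache is reset) can be modelled as follows. This is an added example, not addons-server code and not part of any comment; the class name, the `Example:BypassThrottling` permission string and the IP address are constructed placeholders.

```python
import time

DAY = 24 * 60 * 60  # the thread states both throttles last 24 hours


class IPDailyThrottle:
    """Hypothetical per-IP throttle with the bypass check inside the class."""

    def __init__(self, limit=20, window=DAY,
                 bypass_permission="Example:BypassThrottling", clock=time.time):
        self.limit, self.window = limit, window
        self.bypass_permission = bypass_permission  # placeholder name (assumption)
        self.clock = clock
        self.cache = {}  # stands in for the shared cache: ip -> request timestamps

    def check(self, ip, permissions=()):
        """Return (allowed, retry_after_seconds) for one incoming request."""
        # Bypass is decided in the throttle, so every view using it inherits it.
        if self.bypass_permission in permissions:
            return True, 0
        now = self.clock()
        # Keyed on IP only: session cookies and client type never enter the key.
        history = [t for t in self.cache.get(ip, []) if t > now - self.window]
        if len(history) >= self.limit:
            self.cache[ip] = history
            return False, int(history[0] + self.window - now)
        self.cache[ip] = history + [now]
        return True, 0


def replay(throttle, requests):
    """Run constructed (ip, permissions) requests; return allowed flags in order."""
    return [throttle.check(ip, perms)[0] for ip, perms in requests]


if __name__ == "__main__":
    clock = [0.0]  # constructed fake clock so the run is deterministic
    throttle = IPDailyThrottle(clock=lambda: clock[0])
    ip = "198.51.100.7"  # constructed documentation address
    # 20 requests from an API client, then one more "from the browser", same IP.
    print(replay(throttle, [(ip, ())] * 21)[-2:])
    print(throttle.check(ip, ("Example:BypassThrottling",)))  # bypass holder
    clock[0] += 3600
    print(throttle.check(ip))   # still throttled, retry-after shrinks with time
    throttle.cache.clear()      # what a deploy that resets the cache does
    print(throttle.check(ip))   # allowed again: the counters are gone
```

When a second batch of requests from the same address succeeds, the useful checks are the ones this model makes visible: whether both clients really present the same IP to the server, and whether the cache was reset between the two batches.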
I was testing on stage |
I repeated my testing on AMO stage. I sent using Postman 20 consecutive requests for an addon using a Session id -> after 20 requests with https://addons.allizom.org/api/v5/abuse/report/addon/ I hit the throttle: Then authenticated with the same user I tried to send a user abuse report from FF -> I cannot because I get the "Request was throttled, Expected available in 83657 seconds." I'm wondering if I'm doing something wrong when I set up the abuse reports for -stage env.? Yet, if I check the admin the addon reports were sent from the browser. |
When sending an abuse report from FF, that shouldn't use the authentication AFAIK. So if you get throttled at this point, this must be because of the IP - meaning everything is working as expected.
What do you mean by that exactly? After waiting? |
Maybe the gif would help, I'm in the same browser and I hit the 429 with Postman, then I tried from an AMO page. |
What's the value for |
@diox https://services.addons.allizom.org/api/v4/abuse/report/addon/ I also checked with Browser Toolbox, after I tried again, I see the api responding |
Ok. Would be interesting to test entirely with postman with services.addons.mozilla.org - trying various things until we can get simpler steps to reproduce that don't involve using the browser. |
@diox Ok, I'll try with https://services.addons.allizom.org/api/v4/abuse/report/addon/ |
Describe the problem and steps to reproduce it:
Currently add-ons submission and API throttling is enabled only on stage. When an issue that affects this functionality is closed, we usually have to wait until the code lands in stage to be able to verify it. By enabling rate limiting on -dev, we can have such issues tested earlier.
As far as I'm aware, we currently have the following throttles:
Ratings:BypassThrottling
to a user - see "Allow users with Ratings:BypassThrottling permission to bypass ratings API throttling" addons-server#17673
I've already raised this issue to @diox on Slack and, if everyone else agrees, we can re-enable throttling on -dev.