Eve: Building RESTful APIs with MongoDB and Flask Transcripts
Chapter: Fine-tuning your REST service
Lecture: Rate limiting

0:00 Rate limiting is a very important feature that every REST service should support. In Eve, you can set the number of requests
0:09 and the time window for each individual user for every single HTTP method. If the request limit is hit within the time window,
0:18 the API will respond with a specific error status, and that will continue to happen until the timer resets.
0:25 Users are identified by their authentication header or, if it is missing, by their IP. Rate limits are important because they greatly reduce
0:36 the risk of your service being slowed down by either a buggy client or a denial of service attack. Let's see how it works.
0:46 Rate limiting needs a Redis server running somewhere. I have one running here on localhost,
0:52 and the next thing you need, of course, is a Python client for Redis, which isn't installed by default with Eve.
1:00 So the first thing we need to do is pip install redis within our virtual environment. Done. And now that we have that,
1:10 we can go and from redis import the Redis class. Next, what we need to do is pass an instance of our Redis class to our Eve instance.
1:23 Since I didn't set the host for the Redis instance, it will connect to localhost, which is fine in my case.
1:33 Next, since now Eve knows how to connect to Redis, we can go to our settings file, let me save here first, we can go to our settings file and configure
1:45 how Eve should behave with regard to rate limiting. So with this command, I'm setting a rate limit on the GET method:
1:53 the limit is going to be one request every 60 seconds. So you pass a tuple where the first element in the tuple is the number of requests
2:07 and the second is the number of seconds for every time window. If I wanted to set a limit for the POST request, for example,
2:16 I should do something like this. So we have the option of setting a different rate limit depending on the method,
2:24 and also remember that the rate limit window is for every single user for every single method, where a user is identified by the client IP
2:37 or the authentication header if authentication is used. Let's save these settings and launch our API.
2:49 Let's go to Postman and try a GET request on a specific person endpoint. We get the person. If we go and check the headers
3:01 of the response sent by the server, we see that there are three new headers we didn't see before. So the first one, rate limit = 1,
3:11 which means I performed one request within the time window; remaining zero, which, of course, means that
3:18 I don't have any requests allowed within the time window; and this is when the window will reset.
3:26 If I try a second request, I get a too many requests error, 429. This is going to happen until the minute window resets, and if we look at the body,
3:39 we also get a rate limit exceeded message, and that's the point at which the window will reset.
3:51 And now the time window has reset and I can perform a GET request again. Now, if I go back to my headers, of course, I get a new time window,
4:01 and if I try a second request within the new time window, I am, again, blocked.
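To make the behaviour shown in the lecture concrete, here is an added, stand-alone example (not Eve's own code and not from the course) of the per-user, per-method fixed-window rate limiting described above. It keeps counters in a dict instead of Redis, identifies the caller by Authorization header or IP, uses the same `(requests, seconds)` tuple shape as Eve's `RATE_LIMIT_GET` / `RATE_LIMIT_POST` settings, and returns the 429 status, the three rate-limit headers and the "rate limit exceeded" body when the limit is hit; the `now` parameter is an assumption added so the window can be tested without waiting.

```python
import time
from typing import Dict, Optional, Tuple

# Per-method limits as (requests, seconds); constructed sample values,
# same tuple shape as Eve's RATE_LIMIT_<METHOD> settings.
LIMITS: Dict[str, Tuple[int, int]] = {
    "GET": (1, 60),   # one GET per minute, as in the lecture
    "POST": (5, 60),  # a different limit for POST
}

# (user, method) -> (requests made in the current window, window reset time)
# In-memory stand-in for the Redis counters Eve uses.
_windows: Dict[Tuple[str, str], Tuple[int, float]] = {}


def client_key(headers: Dict[str, str], remote_addr: str) -> str:
    """Identify the caller by the authentication header, else by client IP."""
    auth = headers.get("Authorization")
    return auth if auth else remote_addr


def _rate_headers(limit: int, remaining: int, reset_at: float) -> Dict[str, str]:
    """The three headers the lecture points out, using Eve's header names."""
    return {
        "X-RateLimit-Limit": str(limit),
        "X-RateLimit-Remaining": str(remaining),
        "X-RateLimit-Reset": str(int(reset_at)),
    }


def check_rate_limit(method: str, headers: Dict[str, str], remote_addr: str,
                     now: Optional[float] = None) -> Tuple[int, Dict[str, str], Optional[str]]:
    """Return (status, response_headers, body): 200 if allowed, 429 if blocked."""
    now = time.time() if now is None else now
    limit = LIMITS.get(method)
    if limit is None:                       # method has no limit configured
        return 200, {}, None
    max_requests, window = limit
    key = (client_key(headers, remote_addr), method)
    count, reset_at = _windows.get(key, (0, now + window))
    if now >= reset_at:                     # window expired: start a fresh one
        count, reset_at = 0, now + window
    if count >= max_requests:               # limit hit: block until the window resets
        return 429, _rate_headers(max_requests, 0, reset_at), "rate limit exceeded"
    count += 1
    _windows[key] = (count, reset_at)
    return 200, _rate_headers(max_requests, max_requests - count, reset_at), None


if __name__ == "__main__":
    for _ in range(2):                      # second GET within the window is blocked
        print(check_rate_limit("GET", {}, "10.0.0.1"))
```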