Eve: Building RESTful APIs with MongoDB and Flask Transcripts
Chapter: Fine-tuning your REST service
Lecture: Rate limiting
0:00 Rate limiting is a very important feature
0:02 that every REST service should support.
0:05 In Eve, you can set the number of requests
0:08 and the time window for each individual user for every single HTTP method.
0:13 If the request limit is hit within the time window,
0:17 the API will respond with a specific error status
0:20 and that will continue to happen until the timer resets.
0:24 Users are identified by their authentication header
0:28 or if it is missing by their IP.
0:31 Rate limits are important because they greatly reduce
0:35 the risk of your service being slowed down
0:38 by either a bug, client or a denial of service attack.
0:43 Let's see how it works.
0:45 Rate limiting needs a Redis server running somewhere.
0:49 I have one running here on localhost,
0:51 and the next thing you need, of course, is a Python client for redis
0:56 which isn't installed by default with Eve.
0:59 So the first thing we need to do is pip install redis
1:03 within our virtual environment. Done.
1:07 And now that we have that,
1:09 we can go and from redis import the Redis class.
1:15 Next, what we need to do is pass an instance of our Redis class to our Eve instance.
1:22 Since I didn't set the host for the Redis instance,
1:28 it will connect to localhost, which is fine in my case.
1:32 Next, since now Eve knows how to connect to Redis,
1:36 we can go to our settings file, let me save here first,
1:42 we can go to our settings file and configure
1:44 how Eve should behave with regard to rate limiting.
1:49 So with this command, I'm setting a rate limit on the GET method;
1:52 the limit is going to be one request every 60 seconds.
1:58 So you pass a tuple
2:00 where the first element in the tuple is the number of requests
2:06 and the second is the number of seconds for every time window.
2:10 If I wanted to set a limit for the POST request, for example,
2:15 I should do something like this.
2:17 So we have the option of setting
2:20 a different rate limit depending on the method,
2:23 and also remember that the rate limit window is
2:28 for every single user for every single method.
2:31 where a user is identified by the client IP
2:36 or the authentication header if authentication is used.
2:40 Let's save these settings and launch our API.
2:48 Let's go to Postman and try a GET request on a specific person endpoint.
2:55 We get the person, and if we go and check the headers
3:00 of the response sent by the server,
3:03 we see that there are three new headers we didn't see before,
3:07 so the first one, rate limit = 1,
3:10 which means I performed one request within the time window,
3:15 remaining zero, which, of course, means that
3:17 I don't have any requests allowed within the time window
3:22 and this is when the window will reset.
3:25 If I try a second request, I get a too many requests error, 429.
3:31 This is going to happen until the minute window resets, and if we look at the body,
3:38 we also get a rate limit exceeded message,
3:42 that's the point at which the window will reset.
3:50 And now the time window has reset and I can perform a GET request again.
3:55 Now, if I go back to my headers, of course, I get a new time window
4:00 and if I try a second request within the new time window,
4:04 I am, again, blocked.