Funkwhale, API, rate-limiting 

So, looks like we're going to have configurable API rate-limiting in the 0.20 release.

dev.funkwhale.audio/funkwhale/ (the MR is huge but half of it is documentation and tests).

Even if it's not perfected and relies on IP address for anonymous requests (which can be bypassed if you send requests from a pool of different IPs), I have to say, it is a relief to know pod owners will benefit from this additional protection.

It will make it harder for an individual to abuse (willingly or by mistake) a #Funkwhale server's resources, e.g. by generating spam accounts or reports, brute-forcing credentials or simply exhausting server resources by sending lots of requests.

Attached video shows what happens in the UI when you reach the limit.

It took me almost 4 days to implement, mainly because I wanted configurable and flexible limits: some endpoints and actions are more sensitive than others.

For instance, you probably want a relatively low limit for the login endpoint or signup endpoint, but a higher value for retrieving artists and tracks.

On top of that, you also want different limits for anonymous clients and authenticated users.

And then, you want pod admins to be able to configure (or disable entirely) this rate-limiting, according to their workload and user behaviour.

Finally, you want third-party API clients to understand what's going on:

- how many requests they can send
- what are the configured limits on the pod
- if they are limited, when will they be able to retry

Documenting, structuring and exposing this in a (hopefully) meaningful way was almost half of the work
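
A minimal sketch of the requirements listed in this thread: per-endpoint limits, separate limits for anonymous and authenticated clients, admin-configurable or disabled scopes, and a result that tells a client its limit, its remaining requests and when to retry. This is an added example, not Funkwhale's code; the scope names, limit values, the `RateLimiter` class and the returned fields are all assumptions.

```python
import math
import time

# Hypothetical admin configuration: (scope, client kind) -> (max requests, window
# in seconds). None disables rate-limiting for that scope.
LIMITS = {
    ("login", "anonymous"): (5, 60),
    ("login", "authenticated"): (10, 60),
    ("tracks", "anonymous"): (100, 60),
    ("tracks", "authenticated"): (1000, 60),
    ("reports", "anonymous"): None,
}


class RateLimiter:
    """Fixed-window limiter keyed by scope and client identity."""

    def __init__(self, limits, enabled=True, clock=time.time):
        self.limits = limits
        self.enabled = enabled  # global switch for the pod admin
        self.clock = clock      # injectable so the logic can be tested
        self.hits = {}          # (scope, identity) -> (window start, count)

    def check(self, scope, user_id=None, ip=None):
        """Record one request and return the decision plus client-facing info."""
        kind = "authenticated" if user_id is not None else "anonymous"
        limit = self.limits.get((scope, kind))
        if not self.enabled or limit is None:
            return {"allowed": True, "limit": None, "remaining": None, "retry_after": 0}
        max_requests, window = limit
        # Authenticated users are counted per account, anonymous clients per IP.
        identity = f"user:{user_id}" if user_id is not None else f"ip:{ip}"
        now = self.clock()
        start, count = self.hits.get((scope, identity), (now, 0))
        if now - start >= window:  # window expired: start a fresh one
            start, count = now, 0
        if count >= max_requests:
            retry_after = math.ceil(start + window - now)
            return {"allowed": False, "limit": max_requests,
                    "remaining": 0, "retry_after": retry_after}
        self.hits[(scope, identity)] = (start, count + 1)
        return {"allowed": True, "limit": max_requests,
                "remaining": max_requests - count - 1, "retry_after": 0}
```

An API layer would map a denied result to an HTTP 429 response and expose `limit`, `remaining` and `retry_after` to the client.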

@eliotberriot
Yeeeaaah \Ô/
