#166 — Add rate limiting for Self management API.
Repo: Twill-AI/facade State: closed | Status: done Assignee: Unassigned
Created: 2024-10-25 · Updated: 2025-09-15
Description
Caused by https://twillpayments.atlassian.net/wiki/spaces/TD/pages/153092112/Evaluation+of+Security+Aspects
We need to protect APIs that put heavy load on our app, at least the public ones (for authenticated endpoints we would first need to distinguish "just an active user" from a bad actor). The API route that creates a tenant produces a heavy load on the app, so calling it even once per 10 seconds (with a large set of verified accounts, such as Google accounts, which do not require clicking a link in an email) may make the app unresponsive.
AC:
- POST /api/v1/self-management/tenant allows one call per 20 seconds. The value is configurable through parameters.
Implementation details
Note that we need to rate limit only one endpoint and only 1 replica for now.
This SO post lists all the possible options. The key point: rate limiting across many replicas requires shared storage. The options from there:
- https://pypi.org/project/slowapi/ - not async; based on http://github.com/alisaifee/flask-limiter.
- https://github.com/abersheeran/asgi-ratelimit - provides RateLimitMiddleware configuration, i.e. not at per-route level (too heavy). It does, however, provide a MemoryBackend instead of "Redis only" as in many other options.
- https://pypi.org/project/fastapi-limiter/ - Redis only, and only via a Lua script (why?!). Also seems to be a dead project.
- simple custom implementation - limi
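Sketch of the "simple custom implementation" option for the single-endpoint, single-replica scope this ticket sets. This is an added example, not code from the Twill-AI/facade repo: the key name "self-management.tenant", the environment variable TENANT_CREATE_RATE_LIMIT_SECONDS (default 20, matching the AC) and the handle_create_tenant stand-in for the real route handler are all assumptions. The limiter admits at most one call per interval for a key; the AC is worded as one global bucket for the endpoint, but passing a client-specific key (e.g. the caller's IP) gives a per-client limit with the same code.

```python
"""One-call-per-N-seconds limiter for a single replica (added example, not project code)."""
import math
import os
import threading
import time
from dataclasses import dataclass
from typing import Callable, Dict, Tuple


@dataclass(frozen=True)
class RateLimitDecision:
    allowed: bool
    retry_after: float  # seconds until the next call may be accepted; 0.0 when allowed


class MinIntervalLimiter:
    """Admit at most one call per `interval` seconds for each key.

    State is a dict guarded by a lock, which is only correct while a single
    replica serves the endpoint (the scope of this ticket). With several
    replicas each process would keep its own timestamps and the effective
    limit would multiply, so the dict must become shared storage (e.g. Redis).
    """

    def __init__(self, interval: float, clock: Callable[[], float] = time.monotonic):
        if interval <= 0:
            raise ValueError("interval must be a positive number of seconds")
        self.interval = float(interval)
        self._clock = clock  # injectable so tests can drive time deterministically
        self._last_call: Dict[str, float] = {}
        self._lock = threading.Lock()

    def check(self, key: str) -> RateLimitDecision:
        """Record the call if admitted; otherwise report how long the caller must wait."""
        now = self._clock()
        with self._lock:
            last = self._last_call.get(key)
            if last is not None and now - last < self.interval:
                return RateLimitDecision(False, self.interval - (now - last))
            self._last_call[key] = now
            return RateLimitDecision(True, 0.0)

    def evict_stale(self) -> int:
        """Drop keys whose window has expired so the table cannot grow without bound."""
        now = self._clock()
        with self._lock:
            stale = [k for k, t in self._last_call.items() if now - t >= self.interval]
            for k in stale:
                del self._last_call[k]
        return len(stale)


def interval_from_env(default: float = 20.0) -> float:
    """Read the configured interval; TENANT_CREATE_RATE_LIMIT_SECONDS is an assumed name."""
    raw = os.environ.get("TENANT_CREATE_RATE_LIMIT_SECONDS")
    return float(raw) if raw else default


TENANT_CREATE_KEY = "self-management.tenant"  # one global bucket, as the AC is worded


def handle_create_tenant(limiter: MinIntervalLimiter,
                         key: str = TENANT_CREATE_KEY) -> Tuple[int, Dict[str, str]]:
    """Stand-in for the route handler: returns (HTTP status, response headers).

    The limit check runs before any expensive tenant-provisioning work, which is
    the point of the ticket: a rejected call costs one dict lookup.
    """
    decision = limiter.check(key)
    if not decision.allowed:
        # Retry-After carries whole seconds; round up so clients never retry early.
        return 429, {"Retry-After": str(math.ceil(decision.retry_after))}
    # ... real tenant creation would run here ...
    return 201, {}


if __name__ == "__main__":
    limiter = MinIntervalLimiter(interval_from_env())
    for i in range(3):
        status, headers = handle_create_tenant(limiter)
        print(f"call {i + 1}: {status} {headers}")
```

The clock is injected so the behaviour can be verified without sleeping; in production the default time.monotonic is used. evict_stale exists because a per-client key space (IPs, account ids) grows with every new caller, and an unbounded dict in a long-running worker is its own availability problem.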