Added rate limiter for fastAPI template.

arsh-anwr · arsh-anwr · commit 33ab70111e95 · 2025-11-17T01:01:40.000+05:30
diff --git a/.env b/.env
@@ -43,3 +43,10 @@ SENTRY_DSN=
 # Configure these with your own Docker registry images
 DOCKER_IMAGE_BACKEND=backend
 DOCKER_IMAGE_FRONTEND=frontend
+
+# Redis config
+REDIS_URL=redis://redis:6379/0
+
+# Rate Limiting config
+RATE_LIMITER_STRATEGY=sliding_window
+RATE_LIMIT_FAIL_OPEN=false
diff --git a/backend/app/alembic/rate_limiting_algorithms/sliding_window.lua b/backend/app/alembic/rate_limiting_algorithms/sliding_window.lua
@@ -0,0 +1,34 @@
+-- KEYS[1] = key
+-- ARGV[1] = now_ms
+-- ARGV[2] = window_ms
+-- ARGV[3] = limit
+-- ARGV[4] = member
+
+local key = KEYS[1]
+local now = tonumber(ARGV[1])
+local window = tonumber(ARGV[2])
+local limit = tonumber(ARGV[3])
+local member = ARGV[4]
+
+local min_score = now - window
+
+-- remove old entries
+redis.call('ZREMRANGEBYSCORE', key, 0, min_score)
+
+-- add current
+redis.call('ZADD', key, now, member)
+
+-- count
+local cnt = redis.call('ZCARD', key)
+
+-- expire same as window
+redis.call('PEXPIRE', key, window)
+
+-- fetch oldest
+local earliest = redis.call('ZRANGE', key, 0, 0, 'WITHSCORES')
+local oldest_ts = 0
+if earliest ~= false and earliest ~= nil and #earliest >= 2 then
+  oldest_ts = earliest[2]
+end
+
+return {cnt, oldest_ts}
diff --git a/backend/app/api/routes/users.py b/backend/app/api/routes/users.py
@@ -11,6 +11,8 @@
     get_current_active_superuser,
 )
 from app.core.config import settings
+from app.core.rate_limiter.key_strategy.key_strategy_enum import KeyStrategyName
+from app.core.rate_limiter.rate_limiter import RateLimiter
 from app.core.security import get_password_hash, verify_password
 from app.models import (
     Item,
@@ -31,7 +33,8 @@
 
 @router.get(
     "/",
-    dependencies=[Depends(get_current_active_superuser)],
+    dependencies=[Depends(RateLimiter(limit=10, window_seconds=60, key_policy=KeyStrategyName.IP)),
+    Depends(get_current_active_superuser)],
     response_model=UsersPublic,
 )
 def read_users(session: SessionDep, skip: int = 0, limit: int = 100) -> Any:
diff --git a/backend/app/core/config.py b/backend/app/core/config.py
@@ -41,13 +41,32 @@ class Settings(BaseSettings):
         list[AnyUrl] | str, BeforeValidator(parse_cors)
     ] = []
 
+    # Correct Redis default inside Docker Compose
+    REDIS_URL: str = ""
+    RATE_LIMITER_STRATEGY: Literal[
+        "none", "sliding_window"
+    ] = "none"
+    RATE_LIMIT_FAIL_OPEN: bool = True
+
     @computed_field  # type: ignore[prop-decorator]
     @property
     def all_cors_origins(self) -> list[str]:
         return [str(origin).rstrip("/") for origin in self.BACKEND_CORS_ORIGINS] + [
             self.FRONTEND_HOST
         ]
 
+    @computed_field  # type: ignore[prop-decorator]
+    @property
+    def rate_limit_enabled(self) -> bool:
+        """
+        Returns True if rate limiting should be enabled based on strategy.
+        Mirrors the style of all_cors_origins.
+        """
+        strategy = (self.RATE_LIMITER_STRATEGY or "").strip().lower()
+        redis_url = (self.REDIS_URL or "").strip()
+
+        return strategy not in ("", "none") and bool(redis_url)
+
     PROJECT_NAME: str
     SENTRY_DSN: HttpUrl | None = None
     POSTGRES_SERVER: str
diff --git a/backend/app/core/rate_limiter/__init__.py b/backend/app/core/rate_limiter/__init__.py
diff --git a/backend/app/core/rate_limiter/key_strategy/__init__.py b/backend/app/core/rate_limiter/key_strategy/__init__.py
diff --git a/backend/app/core/rate_limiter/key_strategy/header_key_strategy.py b/backend/app/core/rate_limiter/key_strategy/header_key_strategy.py
@@ -0,0 +1,11 @@
+from starlette.requests import Request
+from app.core.rate_limiter.key_strategy.key_strategy import KeyStrategy
+
+
+class HeaderKeyStrategy(KeyStrategy):
+    def __init__(self, header_name: str = "X-Client-ID"):
+        self.header_name = header_name
+
+    def get_key(self, request: Request, route_path: str) -> str:
+        value = request.headers.get(self.header_name, "unknown")
+        return f"header:{self.header_name}:{value}:{route_path}"
diff --git a/backend/app/core/rate_limiter/key_strategy/ip_key_strategy.py b/backend/app/core/rate_limiter/key_strategy/ip_key_strategy.py
@@ -0,0 +1,9 @@
+from app.core.rate_limiter.key_strategy.key_strategy import KeyStrategy
+from starlette.requests import Request
+
+class IPKeyStrategy(KeyStrategy):
+    """Generate rate limit key based on client IP address."""
+
+    def get_key(self, request: Request, route_path: str) -> str:
+        client_ip = request.client.host if request.client else "unknown"
+        return f"ip:{client_ip}:{route_path}"
diff --git a/backend/app/core/rate_limiter/key_strategy/key_strategy.py b/backend/app/core/rate_limiter/key_strategy/key_strategy.py
@@ -0,0 +1,10 @@
+from abc import ABC, abstractmethod
+from starlette.requests import Request
+
+class KeyStrategy(ABC):
+    """Base interface for rate-limit key generation."""
+
+    @abstractmethod
+    def get_key(self, request: Request, route_path: str) -> str:
+        """Return unique identifier string (e.g., 'ip:127.0.0.1')"""
+        raise NotImplementedError
diff --git a/backend/app/core/rate_limiter/key_strategy/key_strategy_enum.py b/backend/app/core/rate_limiter/key_strategy/key_strategy_enum.py
@@ -0,0 +1,5 @@
+from enum import Enum
+
+class KeyStrategyName(str, Enum):
+    IP = "ip"
+    HEADER = "header"
diff --git a/backend/app/core/rate_limiter/key_strategy/key_strategy_registry.py b/backend/app/core/rate_limiter/key_strategy/key_strategy_registry.py
@@ -0,0 +1,14 @@
+from app.core.rate_limiter.key_strategy.header_key_strategy import HeaderKeyStrategy
+from app.core.rate_limiter.key_strategy.ip_key_strategy import IPKeyStrategy
+from app.core.rate_limiter.key_strategy.key_strategy import KeyStrategy
+from app.core.rate_limiter.key_strategy.key_strategy_enum import KeyStrategyName
+
+
+def get_key_strategy(name: KeyStrategyName, header_name: str | None = None) -> KeyStrategy:
+    if name == KeyStrategyName.IP:
+        return IPKeyStrategy()
+
+    if name == KeyStrategyName.HEADER:
+        return HeaderKeyStrategy(header_name=header_name or "X-Client-ID")
+
+    raise ValueError(f"Unsupported key strategy: {name}")
diff --git a/backend/app/core/rate_limiter/rate_limiter.py b/backend/app/core/rate_limiter/rate_limiter.py
@@ -0,0 +1,43 @@
+import logging
+from fastapi import Request, HTTPException
+from app.core.rate_limiter.key_strategy import key_strategy_registry
+from app.core.rate_limiter.key_strategy.key_strategy_enum import KeyStrategyName
+
+logger = logging.getLogger(__name__)
+
+class RateLimiter:
+    def __init__(self, limit: int, window_seconds: int, key_policy: KeyStrategyName = KeyStrategyName.IP):
+        self.limit = limit
+        self.window_seconds = window_seconds
+        self.key_policy = key_policy
+
+    async def __call__(self, request: Request):
+        rate_limiter = getattr(request.app.state, "rate_limiter", None)
+
+        if rate_limiter is None:
+            return
+
+        # Create Key
+        key_strategy = key_strategy_registry.get_key_strategy(self.key_policy)
+        key = key_strategy.get_key(request, request.scope.get('path'))
+
+        allowed = True
+        retry_after = None
+        try:
+            allowed, retry_after = await rate_limiter.allow_request(
+                        key, self.limit, self.window_seconds
+                )
+        except Exception:
+                logger.exception("Error invoking rate limiter")
+                if rate_limiter.get_fail_open():
+                    raise HTTPException(
+                        status_code=503,
+                        detail={"detail": "Rate limiter unavailable"},
+                    )
+
+        if not allowed:
+            raise HTTPException(
+                status_code=429,
+                detail=f"Too Many Requests. Retry after {retry_after}s",
+                headers={"Retry-After": str(retry_after)}
+            )
diff --git a/backend/app/core/rate_limiter/rate_limiting_algorithm/__init__.py b/backend/app/core/rate_limiter/rate_limiting_algorithm/__init__.py
diff --git a/backend/app/core/rate_limiter/rate_limiting_algorithm/base.py b/backend/app/core/rate_limiter/rate_limiting_algorithm/base.py
@@ -0,0 +1,15 @@
+from __future__ import annotations
+from abc import ABC, abstractmethod
+from typing import Tuple, Optional
+
+class BaseRateLimiter(ABC):
+    """Interface for pluggable rate limiter strategies."""
+
+    @abstractmethod
+    async def allow_request(self, key: str, limit: int, window_seconds: int, member_id: Optional[str] = None) -> Tuple[bool, Optional[int]]:
+        """
+        Return (allowed: bool, retry_after_seconds: Optional[int]).
+        If allowed True -> retry_after_seconds is None.
+        If allowed False -> retry_after_seconds is seconds until next allowed request.
+        """
+        raise NotImplementedError
diff --git a/backend/app/core/rate_limiter/rate_limiting_algorithm/registry.py b/backend/app/core/rate_limiter/rate_limiting_algorithm/registry.py
@@ -0,0 +1,22 @@
+from typing import Optional
+from app.core.rate_limiter.rate_limiting_algorithm.base import BaseRateLimiter
+from app.core.rate_limiter.rate_limiting_algorithm.sliding_window import SlidingWindowRateLimiter
+import redis.asyncio as redis
+
+def get_rate_limiter(strategy: Optional[str], redis_url: Optional[str], fail_open: Optional[str]) -> Optional[BaseRateLimiter]:
+    """
+    Factory: returns an instance of BaseRateLimiter or None (if disabled).
+    """
+    if not strategy or strategy.lower() in ("none", "null", ""):
+        return None
+
+    if not redis_url:
+        return None
+
+    rc = redis.from_url(redis_url, encoding="utf-8", decode_responses=True)
+    st = strategy.lower()
+    if st == "sliding_window" or st == "sliding-window":
+        return SlidingWindowRateLimiter(rc, fail_open or False)
+
+    # extendable for other strategies
+    raise ValueError(f"Unknown rate limiter strategy: {strategy}")
diff --git a/backend/app/core/rate_limiter/rate_limiting_algorithm/sliding_window.py b/backend/app/core/rate_limiter/rate_limiting_algorithm/sliding_window.py
@@ -0,0 +1,66 @@
+import time
+import logging
+from pathlib import Path
+from typing import Optional, Tuple
+
+import redis.asyncio as redis
+
+from app.core.rate_limiter.rate_limiting_algorithm.base import BaseRateLimiter
+
+logger = logging.getLogger(__name__)
+
+SCRIPT_PATH = Path(__file__).parent /".."/".."/".."/"alembic"/ "rate_limiting_algorithms" / "sliding_window.lua"
+
+
+class SlidingWindowRateLimiter(BaseRateLimiter):
+    def __init__(self, redis_client: redis.Redis, fail_open: bool):
+        self.redis = redis_client
+        self.lua_script = None
+        self.fail_open = fail_open
+
+    async def load_script(self):
+        if self.lua_script is None:
+            script_text = SCRIPT_PATH.read_text()
+            # LOAD script into redis → returns SHA
+            self.lua_script = await self.redis.script_load(script_text)
+        return self.lua_script
+
+    async def allow_request(
+        self,
+        key: str,
+        limit: int,
+        window_seconds: int,
+        member_id: Optional[str] = None
+    ) -> Tuple[bool, Optional[int]]:
+
+        now_ms = int(time.time() * 1000)
+        window_ms = window_seconds * 1000
+        member = member_id or f"{now_ms}"
+
+        try:
+            sha = await self.load_script()
+            res = await self.redis.evalsha(
+                sha,
+                1,
+                key,
+                now_ms,
+                window_ms,
+                limit,
+                member
+            )
+        except Exception:
+            logger.exception("Redis error; failing open")
+            return True, None
+
+        cnt, oldest_ts = int(res[0]), int(res[1] or 0)
+
+        if cnt <= limit:
+            return True, None
+
+        retry_after_ms = (oldest_ts + window_ms) - now_ms
+        retry_after_s = max(0, retry_after_ms // 1000)
+
+        return False, retry_after_s
+
+    def get_fail_open(self):
+        return self.fail_open
diff --git a/backend/app/main.py b/backend/app/main.py
@@ -6,6 +6,8 @@
 from app.api.main import api_router
 from app.core.config import settings
 
+from app.core.rate_limiter.rate_limiting_algorithm.registry import get_rate_limiter
+
 
 def custom_generate_unique_id(route: APIRoute) -> str:
     return f"{route.tags[0]}-{route.name}"
@@ -30,4 +32,9 @@ def custom_generate_unique_id(route: APIRoute) -> str:
         allow_headers=["*"],
     )
 
+# Set rate Limiting
+if settings.rate_limit_enabled:
+    rate_limiter = get_rate_limiter(settings.RATE_LIMITER_STRATEGY, settings.REDIS_URL, settings.RATE_LIMIT_FAIL_OPEN)
+    app.state.rate_limiter = rate_limiter
+
 app.include_router(api_router, prefix=settings.API_V1_STR)
diff --git a/backend/pyproject.toml b/backend/pyproject.toml
@@ -21,6 +21,8 @@ dependencies = [
     "pydantic-settings<3.0.0,>=2.2.1",
     "sentry-sdk[fastapi]<2.0.0,>=1.40.6",
     "pyjwt<3.0.0,>=2.8.0",
+
+    "redis>=4.6.0",
 ]
 
 [tool.uv]
@@ -31,6 +33,8 @@ dev-dependencies = [
     "pre-commit<4.0.0,>=3.6.2",
     "types-passlib<2.0.0.0,>=1.7.7.20240106",
     "coverage<8.0.0,>=7.4.3",
+
+    "pytest-asyncio",
 ]
 
 [build-system]
diff --git a/backend/tests/rate_limiter/test_dependency_rate_limit.py b/backend/tests/rate_limiter/test_dependency_rate_limit.py
@@ -0,0 +1,47 @@
+import pytest
+from fastapi import FastAPI, Depends
+from fastapi.testclient import TestClient
+from unittest.mock import AsyncMock
+
+from app.core.rate_limiter.rate_limiter import RateLimiter
+
+
+@pytest.fixture
+def mock_limiter():
+    limiter = AsyncMock()
+    limiter.allow_request = AsyncMock(return_value=(True, 0))
+    return limiter
+
+
+def test_dependency_allows_request(mock_limiter):
+    app = FastAPI()
+
+    @app.get("/test", dependencies=[Depends(RateLimiter(limit=2, window_seconds=5))])
+    async def endpoint():
+        return {"ok": True}
+
+    app.state.rate_limiter = mock_limiter
+
+    client = TestClient(app)
+    resp = client.get("/test")
+
+    assert resp.status_code == 200
+    mock_limiter.allow_request.assert_awaited()
+
+
+def test_dependency_blocks_request(mock_limiter):
+    mock_limiter.allow_request.return_value = (False, 10)
+
+    app = FastAPI()
+
+    @app.get("/test", dependencies=[Depends(RateLimiter(limit=2, window_seconds=5))])
+    async def endpoint():
+        return {"ok": True}
+
+    app.state.rate_limiter = mock_limiter
+
+    client = TestClient(app)
+    resp = client.get("/test")
+
+    assert resp.status_code == 429
+    assert "10s" in resp.json()["detail"]
diff --git a/backend/tests/rate_limiter/test_ip_strategy.py b/backend/tests/rate_limiter/test_ip_strategy.py
diff --git a/backend/tests/rate_limiter/test_sliding_window_logic.py b/backend/tests/rate_limiter/test_sliding_window_logic.py
diff --git a/docker-compose.yml b/docker-compose.yml
