florimondmanca/djangorestframework-api-key

Question on possible throttling use cases

Closed this issue · 2 comments

Hi, I hope you are well

I checked your package and the documentation and I'm confused as to how to use this package for throttling. A nice little guide would be helpful.

Thank you and regards

Hello @paula-em-lafon 👋

First off, don't want to sound butt-hurt but I'd like as much as possible for this project to be a community-supported effort (I started this because a previous API Key package was abandoned due to the sole maintainer having left the field), so I hope you understand the effect that receiving an issue starting with "You should do XYZ" can have. :-)

Instead, let's consider this a community effort. Could you rephrase where this suggestion comes from? Were you confused by something in the docs that you thought would have explained things in deeper detail, but it didn't? What could we do to make it better?

I don't think I personally got my hands dirty playing with drf-api-key + throttling myself; at the time I just had this rough idea that once one has got an API key-based permission system in place, we could also use that info to throttle API calls based on the usage of those API keys (rather than say a user account).

So if we'd like a clearer explanation of how throttling could work in conjunction with this package, maybe a valuable next step would be to experiment with that, and then upgrade the docs with anything we find worth adding? That's something anyone interested in that could dive into a bit. Publishing a blog post or any other material we could link to from the docs works, too. :)

After reading some of the source code for the Django Rest Framework Throttling here, I came to the conclusion that perhaps it could be implemented in a similar manner to the class UserRateThrottle. Some questions remain to be answered, but this is a very interesting project that I think I might like to contribute to (esp. on the token authentication throttling side of things). Django rest framework's throttle system seems at the same time very powerful and kinda poorly documented.

I think that perhaps overriding SimpleRateThrottle's 'get_cache_key' method could be the way to do the throttling itself. Maybe with something like:

from rest_framework.throttling import SimpleRateThrottle
from rest_framework_api_key.models import APIKey


class APIKeyRateThrottle(SimpleRateThrottle):
    # Needs a matching entry in REST_FRAMEWORK["DEFAULT_THROTTLE_RATES"], e.g. "apikey": "100/hour".
    scope = "apikey"

    def get_cache_key(self, request, view):
        # Expects the key in the Authorization header as "Api-Key <key>".
        parts = request.META.get("HTTP_AUTHORIZATION", "").split()
        if len(parts) == 2 and APIKey.objects.is_valid(parts[1]):
            # Throttle per API key. Note that this puts the raw key into the
            # cache key; the key's prefix or primary key would avoid that.
            ident = parts[1]
        else:
            # No valid key: fall back to the client address, like AnonRateThrottle.
            ident = self.get_ident(request)

        return self.cache_format % {"scope": self.scope, "ident": ident}
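Added example (editor's addition; not code from this thread or from djangorestframework-api-key): a framework-free version of the idea above, so it can be run without Django. It mirrors the algorithm of DRF's SimpleRateThrottle (rate string parsing, a per-bucket list of request timestamps, old timestamps dropped on each request) and keys the bucket on the API key's prefix rather than the whole key, so the secret never ends up in the cache backend. It assumes the header form `Authorization: Api-Key <prefix>.<secret>` that djangorestframework-api-key generates, and takes a hypothetical `is_valid` callable standing in for `APIKey.objects.is_valid`; the in-memory dict and injectable clock stand in for Django's cache and `time.time`.

```python
"""Throttle by API key prefix, mirroring DRF's SimpleRateThrottle algorithm.

Framework-free illustration: a dict replaces Django's cache, a callable
replaces APIKey.objects.is_valid, and the clock is injectable for testing.
"""
import re
import time
from typing import Callable, Dict, List, Optional

# Assumption: keys look like "<prefix>.<secret>", as generated by
# djangorestframework-api-key, and travel in "Authorization: Api-Key <key>".
_AUTH_RE = re.compile(r"^Api-Key\s+(?P<prefix>[^.\s]+)\.(?P<secret>\S+)$")


def parse_rate(rate: str):
    """'100/hour' -> (100, 3600). Same period table as DRF's parse_rate."""
    num, period = rate.split("/")
    duration = {"s": 1, "m": 60, "h": 3600, "d": 86400}[period[0]]
    return int(num), duration


class APIKeyThrottle:
    scope = "apikey"
    cache_format = "throttle_%(scope)s_%(ident)s"

    def __init__(
        self,
        rate: str,
        is_valid: Callable[[str], bool],
        cache: Optional[Dict[str, List[float]]] = None,
        clock: Callable[[], float] = time.time,
    ):
        self.num_requests, self.duration = parse_rate(rate)
        self.is_valid = is_valid          # stand-in for APIKey.objects.is_valid
        self.cache = cache if cache is not None else {}
        self.clock = clock

    def get_cache_key(self, headers: Dict[str, str], remote_addr: str) -> str:
        """Bucket by key prefix when the full key is valid, else by address."""
        match = _AUTH_RE.match(headers.get("Authorization", ""))
        if match and self.is_valid(match.group("prefix") + "." + match.group("secret")):
            # Validity is checked on the full key, so a client cannot pick an
            # arbitrary bucket by sending a made-up prefix; only the prefix
            # (not the secret) becomes part of the cache key.
            ident = match.group("prefix")
        else:
            ident = remote_addr   # unauthenticated fallback, like AnonRateThrottle
        return self.cache_format % {"scope": self.scope, "ident": ident}

    def allow_request(self, headers: Dict[str, str], remote_addr: str) -> bool:
        """Sliding window: allow if fewer than num_requests in the last duration."""
        key = self.get_cache_key(headers, remote_addr)
        now = self.clock()
        # Drop timestamps that fell out of the window (DRF pops them from the tail).
        history = [t for t in self.cache.get(key, []) if t > now - self.duration]
        if len(history) >= self.num_requests:
            self.cache[key] = history
            return False
        history.insert(0, now)   # newest first, as in SimpleRateThrottle
        self.cache[key] = history
        return True


if __name__ == "__main__":
    # Constructed sample: one valid key, rate of 3 requests per minute.
    throttle = APIKeyThrottle("3/minute", is_valid=lambda k: k == "abcdefgh.s3cret")
    headers = {"Authorization": "Api-Key abcdefgh.s3cret"}
    print([throttle.allow_request(headers, "10.0.0.1") for _ in range(4)])
```

In DRF the throttle runs after permission checks, so with HasAPIKey in place only valid keys reach it; the validity check still matters for the fallback path, because an unauthenticated client must not be able to escape the per-address bucket by claiming a prefix it does not hold.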