feat: configure limiter in main app and add rate limiting to authentication endpoints

IkeSalmonson · IkeSalmonson · commit 2c15b0361cae · 2025-09-09T18:03:57.000-03:00
diff --git a/app/main.py b/app/main.py
@@ -2,6 +2,8 @@
 from contextlib import asynccontextmanager
 
 from fastapi import FastAPI
+from slowapi import Limiter, _rate_limit_exceeded_handler
+from slowapi.util import get_remote_address
 
 from app.routers.router import setup_router as setup_router_v2
 from app.services.database.database import AsyncSessionLocal, init_db
@@ -20,13 +22,19 @@ async def lifespan(app: FastAPI):
         pass
 
 
+limiter = Limiter(key_func=get_remote_address)
+
+
 app = FastAPI(
     lifespan=lifespan,
     title="pynews-server",
     description="PyNews Server",
 )
 
 
+app.state.limiter = limiter
+app.add_exception_handler(429, _rate_limit_exceeded_handler)
+
 app.include_router(setup_router_v2(), prefix="/api")
 
 logger.info("PyNews Server Starter")
diff --git a/app/routers/authentication.py b/app/routers/authentication.py
@@ -4,6 +4,8 @@
 from fastapi import APIRouter, Depends, HTTPException, Request, status
 from fastapi.security import OAuth2PasswordBearer, OAuth2PasswordRequestForm
 from jwt.exceptions import InvalidTokenError
+from slowapi import Limiter
+from slowapi.util import get_remote_address
 from sqlmodel.ext.asyncio.session import AsyncSession
 
 from app.schemas import Community, Token, TokenPayload
@@ -12,6 +14,7 @@
 from app.services.database.orm.community import get_community_by_username
 
 oauth2_scheme = OAuth2PasswordBearer(tokenUrl="/authentication/token")
+limiter = Limiter(key_func=get_remote_address)
 
 
 def setup():
@@ -88,6 +91,7 @@ async def create_community(request: Request):
     # Teste
 
     @router.post("/token", response_model=Token)
+    @limiter.limit("60/minute")
     async def login_for_access_token(
         request: Request, form_data: OAuth2PasswordRequestForm = Depends()
     ):
@@ -109,6 +113,7 @@ async def login_for_access_token(
         }
 
     @router.get("/me", response_model=Community)
+    @limiter.limit("60/minute")
     async def read_community_me(
         current_community: Annotated[
             DBCommunity, Depends(get_current_active_community)
diff --git a/poetry.lock b/poetry.lock
diff --git a/pyproject.toml b/pyproject.toml
@@ -20,6 +20,7 @@ pre-commit = "^4.2.0"
 python-multipart = "^0.0.20"
 pyjwt = "^2.10.1"
 bcrypt = "^4.3.0"
+slowapi = "^0.1.9"
 
 [tool.poetry.group.dev.dependencies]
 pytest = "^8.3.2"
