add rate limit

Author: Sublian

myproject/settings.py

@@ -1,6 +1,7 @@
 import os
 from pathlib import Path
 from datetime import timedelta
+import sys
 
 # Build paths inside the project like this: BASE_DIR / 'subdir'.
 BASE_DIR = Path(__file__).resolve().parent.parent
@@ -128,6 +129,15 @@
     'DEFAULT_AUTHENTICATION_CLASSES': (
         'rest_framework_simplejwt.authentication.JWTAuthentication',
     ),
+     "DEFAULT_THROTTLE_CLASSES": [
+        "rest_framework.throttling.AnonRateThrottle",
+        "rest_framework.throttling.UserRateThrottle",
+    ],
+
+    "DEFAULT_THROTTLE_RATES": {
+        "anon": "20/min",   # 🔒 usuarios no autenticados
+        "user": "100/min",  # 🔒 usuarios autenticados
+    },
 }
 
 SIMPLE_JWT = {
@@ -169,3 +179,9 @@
     },
 }
 
+REST_FRAMEWORK["DEFAULT_THROTTLE_RATES"].update({
+    "login": "5/min",  # 🔥 solo 5 intentos por minuto por IP
+})
+
+if "pytest" in sys.argv[0]:
+    REST_FRAMEWORK["DEFAULT_THROTTLE_CLASSES"] = []

myproject/urls.py

@@ -5,11 +5,13 @@
     TokenObtainPairView,
     TokenRefreshView,
 )
+from users.views import CustomTokenObtainPairView
 
 urlpatterns = [
     path('admin/', admin.site.urls),
     path('api/', include('users.urls')),
-    path('api/login/', TokenObtainPairView.as_view(), name='token_obtain_pair'),
+    # path('api/login/', TokenObtainPairView.as_view(), name='token_obtain_pair'),
+     path("api/login/", CustomTokenObtainPairView.as_view(), name="token_obtain_pair"),
     path('api/refresh/', TokenRefreshView.as_view(), name='token_refresh'),
     path('api/', include('products.urls')),
 ]

tests/conftest.py

@@ -1,11 +1,19 @@
 import pytest
 from rest_framework.test import APIClient
 from django.contrib.auth import get_user_model
+from django.core.cache import cache
 from factories import AdminFactory, StaffFactory, UserFactory
 
 User = get_user_model()
 
+@pytest.fixture(autouse=True)
+def clear_throttle_cache():
+    cache.clear()
 
+@pytest.fixture(autouse=True)
+def disable_throttling(settings):
+    settings.REST_FRAMEWORK["DEFAULT_THROTTLE_CLASSES"] = []
+    
 @pytest.fixture
 def api_client():
     return APIClient()
@@ -37,6 +45,8 @@ def _get_token(user):
             },
             format="json"
         )
-        return response.data["access"]
 
+        assert response.status_code == 200, f"Login failed: {response.status_code} - {response.data}"
+
+        return response.data["access"]
     return _get_token

users/throttles.py

@@ -0,0 +1,13 @@
+from rest_framework.throttling import SimpleRateThrottle
+
+
+class LoginRateThrottle(SimpleRateThrottle):
+    scope = "login"
+
+    def get_cache_key(self, request, view):
+        # limitamos por IP
+        ident = self.get_ident(request)
+        return self.cache_format % {
+            "scope": self.scope,
+            "ident": ident
+        }

users/views.py

@@ -11,6 +11,15 @@
     LoginSerializer,
     ChangePasswordSerializer
 )
+from rest_framework_simplejwt.views import TokenObtainPairView
+from .throttles import LoginRateThrottle
+import sys
+
+class CustomTokenObtainPairView(TokenObtainPairView):
+    if "pytest" in sys.argv[0]:
+        throttle_classes = []
+    else:
+        throttle_classes = [LoginRateThrottle]
 
 class UserViewSet(viewsets.ModelViewSet):
     """