Open
Description
Eventually this application is going to need to be deployed in a public location and manage access to routes, resources, etc., as well as prevent over-use of compute time.
There are a few options here that come to mind; this is a non-exhaustive list off the top of my head:
- User accounts and API keys - potentially quite substantial work and might make integration with other services (e.g. SIIS) a bit difficult.
- IP (or other) allow listing - simple but might be a bit inflexible.
- Rate limiting the API (including selectively not rate limiting certain hosts?) (See: https://www.django-rest-framework.org/api-guide/throttling/)
Arguably there should be some level of rate limiting anyway to prevent accidental or deliberate misuse of the API.
This also links with the concept of resource/route/mesh ownership which we don't currently have. Perhaps user accounts and ownership should be options that can be switched on by environment variable.
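A sketch of the "rate limit, but exempt certain hosts" option from the issue above, added here as an example; it is not code from this project and does not use Django REST framework's throttling API. The environment variable name `THROTTLE_EXEMPT_NETS`, the class and the function names are assumptions made for illustration.

```python
import ipaddress
import os
import time
from collections import defaultdict, deque


def load_allow_list(env=os.environ):
    """Parse comma-separated CIDRs from THROTTLE_EXEMPT_NETS (hypothetical name)."""
    raw = env.get("THROTTLE_EXEMPT_NETS", "")
    return [ipaddress.ip_network(p.strip(), strict=False)
            for p in raw.split(",") if p.strip()]


class SlidingWindowThrottle:
    """Allow at most max_requests per client within window_seconds.

    client_ip must come from a trusted source (the socket peer, or a header
    set by a proxy you control); a client-supplied X-Forwarded-For value would
    let any caller claim an exempt address. The in-memory history is per
    process and unbounded, so a real deployment would use a shared cache.
    """

    def __init__(self, max_requests, window_seconds, exempt_nets=(),
                 clock=time.monotonic):
        self.max_requests = max_requests
        self.window = window_seconds
        self.exempt_nets = list(exempt_nets)
        self.clock = clock
        self._history = defaultdict(deque)  # client_ip -> request timestamps

    def is_exempt(self, client_ip):
        try:
            addr = ipaddress.ip_address(client_ip)
        except ValueError:
            return False  # an unparseable address is never exempt
        return any(addr in net for net in self.exempt_nets)

    def allow(self, client_ip):
        """Return (allowed, retry_after_seconds) and record allowed requests."""
        if self.is_exempt(client_ip):
            return True, 0.0
        now = self.clock()
        hits = self._history[client_ip]
        while hits and hits[0] <= now - self.window:
            hits.popleft()  # drop timestamps that fell out of the window
        if len(hits) >= self.max_requests:
            return False, hits[0] + self.window - now
        hits.append(now)
        return True, 0.0
```

An empty or unset variable yields an empty allow list, so every host is throttled by default and exemptions have to be switched on explicitly.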