feat: Use env var for GQL rate limit instead of hard code val (#904)

Author: ajay-sentry

codecov/settings_base.py

@@ -92,13 +92,22 @@
 
 WSGI_APPLICATION = "codecov.wsgi.application"
 
-# Database
-# https://docs.djangoproject.com/en/2.1/ref/settings/#databases
+
+# GraphQL
 
 GRAPHQL_QUERY_COST_THRESHOLD = get_config(
     "setup", "graphql", "query_cost_threshold", default=10000
 )
 
+GRAPHQL_RATE_LIMIT_ENABLED = get_config(
+    "setup", "graphql", "rate_limit_enabled", default=True
+)
+
+GRAPHQL_RATE_LIMIT_RPM = get_config("setup", "graphql", "rate_limit_rpm", default=300)
+
+# Database
+# https://docs.djangoproject.com/en/2.1/ref/settings/#databases
+
 DATABASE_ROUTERS = ["codecov.db.DatabaseRouter"]
 
 # Password validation

codecov/settings_staging.py

@@ -65,6 +65,8 @@
 # 25MB in bytes
 DATA_UPLOAD_MAX_MEMORY_SIZE = 26214400
 
+GRAPHQL_RATE_LIMIT_RPM = get_config("setup", "graphql", "rate_limit_rpm", default=1000)
+
 # Same site is set to none on Staging as we want to be able to call the API
 # From Netlify preview deploy
 COOKIE_SAME_SITE = "None"

graphql_api/tests/test_views.py

@@ -203,6 +203,7 @@ async def test_query_metrics_extension_set_type_and_name_timeout(
 
     @patch("sentry_sdk.metrics.incr")
     @patch("graphql_api.views.AsyncGraphqlView._check_ratelimit")
+    @override_settings(DEBUG=False, GRAPHQL_RATE_LIMIT_RPM=1000)
     async def test_when_rate_limit_reached(
         self, mocked_check_ratelimit, mocked_sentry_incr
     ):
@@ -213,7 +214,7 @@ async def test_when_rate_limit_reached(
         assert response["status"] == 429
         assert (
             response["detail"]
-            == "It looks like you've hit the rate limit of 300 req/min. Try again later."
+            == "It looks like you've hit the rate limit of 1000 req/min. Try again later."
         )
 
         expected_calls = [
@@ -222,6 +223,17 @@ async def test_when_rate_limit_reached(
         ]
         mocked_sentry_incr.assert_has_calls(expected_calls)
 
+    @override_settings(
+        DEBUG=False, GRAPHQL_RATE_LIMIT_RPM=0, GRAPHQL_RATE_LIMIT_ENABLED=False
+    )
+    def test_rate_limit_disabled(self):
+        # rate limit is 0, so any request would cause a rate limit if the GQL rate limit was enabled
+        view = AsyncGraphqlView()
+        request = Mock()
+
+        result = view._check_ratelimit(request)
+        assert result == False
+
     def test_client_ip_from_x_forwarded_for(self):
         view = AsyncGraphqlView()
         request = Mock()

graphql_api/views.py

@@ -233,7 +233,7 @@ async def post(self, request, *args, **kwargs):
             return JsonResponse(
                 data={
                     "status": 429,
-                    "detail": "It looks like you've hit the rate limit of 300 req/min. Try again later.",
+                    "detail": f"It looks like you've hit the rate limit of {settings.GRAPHQL_RATE_LIMIT_RPM} req/min. Try again later.",
                 },
                 status=429,
             )
@@ -306,6 +306,9 @@ def _get_user(self, request):
             request.user.pk
 
     def _check_ratelimit(self, request):
+        if not settings.GRAPHQL_RATE_LIMIT_ENABLED:
+            return False
+
         redis = get_redis_connection()
 
         try:
@@ -320,7 +323,7 @@ def _check_ratelimit(self, request):
             user_ip = self.get_client_ip(request)
             key = f"rl-ip:{user_ip}"
 
-        limit = 300
+        limit = settings.GRAPHQL_RATE_LIMIT_RPM
         window = 60  # in seconds
 
         current_count = redis.get(key)