Include packages for redis and Flask_Limiter to limit rates for API endpoints

Author: leekahung

backend/pyproject.toml

@@ -5,7 +5,9 @@ requires-python = ">=3.12"
 dependencies = [
   "flask",
   "Flask-Mail",
+  "Flask_Limiter",
   "xhtml2pdf",
+  "redis",
   "valkey",
   "gunicorn",
   "openai==1.89",

backend/tenantfirstaid/app.py

@@ -1,6 +1,8 @@
 from pathlib import Path
 from flask import Flask, jsonify, session
 from flask_mail import Mail
+from flask_limiter import Limiter
+from flask_limiter.util import get_remote_address
 import os
 import secrets
 
@@ -19,6 +21,25 @@
 app = Flask(__name__)
 mail = Mail(app)
 
+
+def build_valkey_uri():
+    host = os.getenv("DB_HOST", "127.0.0.1")
+    port = os.getenv("DB_PORT", 6379)
+    password = os.getenv("DB_PASSWORD")
+    ssl = False if os.getenv("DB_USE_SSL") == "false" else True
+    scheme = "rediss" if ssl else "redis"
+
+    if password:
+        return f"{scheme}://:{password}@{host}:{port}"
+    return f"{scheme}://{host}:{port}"
+
+
+limiter = Limiter(
+    get_remote_address,
+    app=app,
+    storage_uri=build_valkey_uri(),
+)
+
 # Configure Flask sessions
 app.secret_key = os.getenv("FLASK_SECRET_KEY", secrets.token_hex(32))
 app.config["SESSION_COOKIE_HTTPONLY"] = True
@@ -66,10 +87,16 @@ def clear_session():
     "/api/citation", endpoint="citation", view_func=get_citation, methods=["GET"]
 )
 
+
+@limiter.limit("3 per minute")
+def feedback_route():
+    return send_feedback(mail)
+
+
 app.add_url_rule(
     "/api/feedback",
     endpoint="feedback",
-    view_func=lambda: send_feedback(mail),
+    view_func=feedback_route,
     methods=["POST"],
 )