rate limits for unauthenticated

mcucchi9 · mcucchi9 · commit 80ad11729968 · 2025-12-10T18:35:04.000+01:00
diff --git a/cads_processing_api_service/config.py b/cads_processing_api_service/config.py
@@ -116,7 +116,7 @@ class RateLimitsRouteParamConfig(pydantic.BaseModel):
     model_config = pydantic.ConfigDict(extra="allow")
 
 
-class RateLimitsConfig(pydantic.BaseModel):
+class RateLimitsUserConfig(pydantic.BaseModel):
     default: RateLimitsRouteConfig = pydantic.Field(
         default=RateLimitsRouteConfig(), validate_default=True
     )
@@ -151,6 +151,14 @@ class RateLimitsConfig(pydantic.BaseModel):
     )
 
 
+class RateLimitsConfig(RateLimitsUserConfig):
+    """Rate limits configuration for the service."""
+
+    unauthenticated: RateLimitsUserConfig = pydantic.Field(
+        default=RateLimitsUserConfig(), validate_default=True
+    )
+
+
 def load_rate_limits(rate_limits_file: str | None) -> RateLimitsConfig:
     rate_limits = RateLimitsConfig()
     if rate_limits_file is not None:
diff --git a/cads_processing_api_service/limits.py b/cads_processing_api_service/limits.py
@@ -70,6 +70,26 @@ def get_rate_limits_defaulted(
     return rate_limits
 
 
+def get_rate_limits_for_user(
+    rate_limits_config: config.RateLimitsConfig,
+    user_uid: str,
+    route: str,
+    method: str,
+    request_origin: str,
+    route_param: str | None = None,
+) -> list[str]:
+    rate_limits = []
+    if user_uid == "unauthenticated":
+        rate_limits = get_rate_limits_defaulted(
+            rate_limits_config.unauthenticated, route, method, request_origin, route_param
+        )
+    if not rate_limits:
+        rate_limits = get_rate_limits_defaulted(
+            rate_limits_config, route, method, request_origin, route_param
+        )
+    return rate_limits
+
+
 def check_rate_limits_for_user(
     user_uid: str, rate_limits: list[limits.RateLimitItem]
 ) -> None:
@@ -104,8 +124,8 @@ def check_rate_limits(
     """Check if the rate limits are exceeded."""
     request_origin = auth_info.request_origin
     user_uid = auth_info.user_uid
-    rate_limits = get_rate_limits_defaulted(
-        rate_limits_config, route, method, request_origin, route_param
+    rate_limits = get_rate_limits_for_user(
+        rate_limits_config, user_uid, route, method, request_origin, route_param
     )
     rate_limits_parsed = [limits.parse(rate_limit) for rate_limit in rate_limits]
     check_rate_limits_for_user(user_uid, rate_limits_parsed)
diff --git a/tests/test_30_limits.py b/tests/test_30_limits.py
@@ -190,6 +190,96 @@ def test_get_rate_limits_undefined() -> None:
     assert rate_limits == exp_rate_limits
 
 
+def test_get_rate_limits_for_user_unauthenticated() -> None:
+    rate_limits = {
+        "default": {
+            "get": {"api": ["5/second"]},
+            "post": {"api": ["10/second"]},
+        },
+        "/jobs/{job_id}": {"delete": {"api": ["1/second"]}},
+        "unauthenticated": {
+            "default": {"post": {"api": ["2/second"]}},
+            "/jobs/{job_id}": {"get": {"api": ["3/second"]}}
+        },
+    }
+    rate_limits_config = config.RateLimitsConfig.model_validate(rate_limits)
+
+    route = "jobs_jobsid"
+    method = "get"
+    request_origin = "api"
+    user_uid = "unauthenticated"
+    rate_limits = cads_processing_api_service.limits.get_rate_limits_for_user(
+        rate_limits_config, user_uid, route, method, request_origin
+    )
+    exp_rate_limits = ["3/second"]
+    assert rate_limits == exp_rate_limits
+
+    route = "jobs_jobsid"
+    method = "post"
+    request_origin = "api"
+    user_uid = "unauthenticated"
+    rate_limits = cads_processing_api_service.limits.get_rate_limits_for_user(
+        rate_limits_config, user_uid, route, method, request_origin
+    )
+    exp_rate_limits = ["2/second"]
+    assert rate_limits == exp_rate_limits
+
+    route = "jobs_jobsid"
+    method = "delete"
+    request_origin = "api"
+    user_uid = "unauthenticated"
+    rate_limits = cads_processing_api_service.limits.get_rate_limits_for_user(
+        rate_limits_config, user_uid, route, method, request_origin
+    )
+    exp_rate_limits = ["1/second"]
+    assert rate_limits == exp_rate_limits
+
+
+def test_get_rate_limits_for_user_authenticated() -> None:
+    rate_limits = {
+        "default": {
+            "get": {"api": ["5/second"]},
+            "post": {"api": ["10/second"]},
+        },
+        "/jobs/{job_id}": {"delete": {"api": ["1/second"]}},
+        "unauthenticated": {
+            "default": {"post": {"api": ["2/second"]}},
+            "/jobs/{job_id}": {"get": {"api": ["3/second"]}}
+        },
+    }
+    rate_limits_config = config.RateLimitsConfig.model_validate(rate_limits)
+
+    route = "jobs_jobsid"
+    method = "get"
+    request_origin = "api"
+    user_uid = "user_uid"
+    rate_limits = cads_processing_api_service.limits.get_rate_limits_for_user(
+        rate_limits_config, user_uid, route, method, request_origin
+    )
+    exp_rate_limits = ["5/second"]
+    assert rate_limits == exp_rate_limits
+
+    route = "jobs_jobsid"
+    method = "post"
+    request_origin = "api"
+    user_uid = "user_uid"
+    rate_limits = cads_processing_api_service.limits.get_rate_limits_for_user(
+        rate_limits_config, user_uid, route, method, request_origin
+    )
+    exp_rate_limits = ["10/second"]
+    assert rate_limits == exp_rate_limits
+
+    route = "jobs_jobsid"
+    method = "delete"
+    request_origin = "api"
+    user_uid = "user_uid"
+    rate_limits = cads_processing_api_service.limits.get_rate_limits_for_user(
+        rate_limits_config, user_uid, route, method, request_origin
+    )
+    exp_rate_limits = ["1/second"]
+    assert rate_limits == exp_rate_limits
+
+
 def test_check_rate_limits_for_user() -> None:
     rate_limit_ids = ["1/second"]
     rate_limits = [limits.parse(rate_limit_id) for rate_limit_id in rate_limit_ids]
