
Commit 681adca

Authored by Ashutosh619-sudo and a co-author
Feat: Add custom throttling class (#148)

* Feat: Fix Throttling vulnerability
* Feat: Add custom throttling class

---------

Co-authored-by: Ashutosh619-sudo <ashutosh.s@fyle.com>
1 parent 01705e7 commit 681adca

File tree

2 files changed

+22
-4
lines changed


quickbooks_desktop_api/settings.py

Lines changed: 2 additions & 4 deletions
Original file line number | Diff line number | Diff line change
@@ -115,12 +115,10 @@
115115
'DEFAULT_FILTER_BACKENDS': ['django_filters.rest_framework.DjangoFilterBackend'],
116116
'PAGE_SIZE': 100,
117117
'DEFAULT_THROTTLE_CLASSES': [
118-
'rest_framework.throttling.AnonRateThrottle',
119-
'rest_framework.throttling.UserRateThrottle',
118+
'quickbooks_desktop_api.throttles.PerUserPathThrottle',
120119
],
121120
'DEFAULT_THROTTLE_RATES': {
122-
'anon': '10/second',
123-
'user': '10/second'
121+
'per_user_path': '30/second'
124122
}
125123
}
126124
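Review bot: dropping both `'rest_framework.throttling.AnonRateThrottle'` and the `'anon'` rate leaves unauthenticated requests with no throttle at all, because the replacement `quickbooks_desktop_api.throttles.PerUserPathThrottle` (the other file in this commit) returns `True` for unauthenticated users. Keep `'rest_framework.throttling.AnonRateThrottle'` in `DEFAULT_THROTTLE_CLASSES` and its `'anon': '10/second'` entry in `DEFAULT_THROTTLE_RATES` alongside the new class. Also worth stating in the commit message or a comment that the effective limit for an authenticated user rises from 10/second across all endpoints to 30/second per path, so a client spreading requests over several paths gets a correspondingly higher aggregate rate.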

Lines changed: 20 additions & 0 deletions
Original file line number | Diff line number | Diff line change
@@ -0,0 +1,20 @@
1+
from rest_framework.throttling import SimpleRateThrottle
2+
3+
4+
class PerUserPathThrottle(SimpleRateThrottle):
5+
scope = 'per_user_path'
6+
7+
def allow_request(self, request, view):
8+
if not request.user or not request.user.is_authenticated:
9+
return True
10+
11+
return super().allow_request(request, view)
12+
13+
def get_cache_key(self, request, view):
14+
if not request.user or not request.user.is_authenticated:
15+
return None
16+
17+
ident = request.user.pk
18+
normalized_path = request.path.replace('/', '_').strip('_')
19+
20+
return f"throttle_{self.scope}_{normalized_path}_{ident}"
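Review bot: `get_cache_key` buckets on the raw `request.path`, so every distinct path value (for example each object id in a detail URL) gets its own 30/second budget, and the unauthenticated branch in `allow_request` exempts anonymous clients from this class entirely; consider keying on the resolved route (`request.resolver_match.route` or `request.resolver_match.view_name`) instead of `request.path` so that all instances of one endpoint share a bucket, and keep a separate anon throttle configured in settings. The class has no docstring; a short one stating that the limit is per authenticated user per path, that anonymous requests are passed through, and that the returned key replaces DRF's default `cache_format` would help the next reader. Minor: `request.path.replace('/', '_').strip('_')` maps `/a_b/` and `/a/b/` to the same key, so unrelated paths can share a counter.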
