Feat: Add custom throttling class (#148)

* Feat: Fix Throttling vulnerability

* Feat: Add custom throttling class

---------

Co-authored-by: Ashutosh619-sudo <ashutosh.s@fyle.com>

Author: Ashutosh619-sudo

quickbooks_desktop_api/settings.py

@@ -115,12 +115,10 @@
     'DEFAULT_FILTER_BACKENDS': ['django_filters.rest_framework.DjangoFilterBackend'],
     'PAGE_SIZE': 100,
     'DEFAULT_THROTTLE_CLASSES': [
-        'rest_framework.throttling.AnonRateThrottle',
-        'rest_framework.throttling.UserRateThrottle',
+        'quickbooks_desktop_api.throttles.PerUserPathThrottle',
     ],
     'DEFAULT_THROTTLE_RATES': {
-        'anon': '10/second',
-        'user': '10/second'
+        'per_user_path': '30/second'
     }
 }
 

quickbooks_desktop_api/throttles.py

@@ -0,0 +1,20 @@
+from rest_framework.throttling import SimpleRateThrottle
+
+
+class PerUserPathThrottle(SimpleRateThrottle):
+    scope = 'per_user_path'
+
+    def allow_request(self, request, view):
+        if not request.user or not request.user.is_authenticated:
+            return True
+
+        return super().allow_request(request, view)
+
+    def get_cache_key(self, request, view):
+        if not request.user or not request.user.is_authenticated:
+            return None
+
+        ident = request.user.pk
+        normalized_path = request.path.replace('/', '_').strip('_')
+
+        return f"throttle_{self.scope}_{normalized_path}_{ident}"