feat(login): add throttling option for the /api/v1/tokens endpoint (#8647)

josema-xyz · web-flow · commit 406e473b5cd2 · 2025-09-05T14:37:31.000+05:45
diff --git a/api/.env.example b/api/.env.example
@@ -19,6 +19,8 @@ DJANGO_REFRESH_TOKEN_LIFETIME=1440
 DJANGO_CACHE_MAX_AGE=3600
 DJANGO_STALE_WHILE_REVALIDATE=60
 DJANGO_SECRETS_ENCRYPTION_KEY=""
+# Throttle, two options: Empty means no throttle; or if desired use one in DRF format: https://www.django-rest-framework.org/api-guide/throttling/#setting-the-throttling-policy
+DJANGO_THROTTLE_TOKEN_OBTAIN=50/minute
 # Decide whether to allow Django manage database table partitions
 DJANGO_MANAGE_DB_PARTITIONS=[True|False]
 DJANGO_CELERY_DEADLOCK_ATTEMPTS=5
diff --git a/api/CHANGELOG.md b/api/CHANGELOG.md
@@ -7,6 +7,7 @@ All notable changes to the **Prowler API** are documented in this file.
 ### Added
 - Integration with JIRA, enabling sending findings to a JIRA project [(#8622)](https://github.com/prowler-cloud/prowler/pull/8622), [(#8637)](https://github.com/prowler-cloud/prowler/pull/8637)
 - `GET /overviews/findings_severity` now supports `filter[status]` and `filter[status__in]` to aggregate by specific statuses (`FAIL`, `PASS`)[(#8186)](https://github.com/prowler-cloud/prowler/pull/8186)
+- Throttling options for `/api/v1/tokens` using the `DJANGO_THROTTLE_TOKEN_OBTAIN` environment variable [(#8647)](https://github.com/prowler-cloud/prowler/pull/8647)
 
 ---
 
diff --git a/api/src/backend/api/v1/views.py b/api/src/backend/api/v1/views.py
@@ -215,6 +215,8 @@ def _resolve_path_parameters(self, _path_variables):
     description="Obtain a token by providing valid credentials and an optional tenant ID.",
 )
 class CustomTokenObtainView(GenericAPIView):
+    throttle_scope = "token-obtain"
+
     resource_name = "tokens"
     serializer_class = TokenSerializer
     http_method_names = ["post"]
diff --git a/api/src/backend/config/django/base.py b/api/src/backend/config/django/base.py
@@ -108,6 +108,12 @@
     ),
     "TEST_REQUEST_DEFAULT_FORMAT": "vnd.api+json",
     "JSON_API_UNIFORM_EXCEPTIONS": True,
+    "DEFAULT_THROTTLE_CLASSES": [
+        "rest_framework.throttling.ScopedRateThrottle",
+    ],
+    "DEFAULT_THROTTLE_RATES": {
+        "token-obtain": env("DJANGO_THROTTLE_TOKEN_OBTAIN", default=None),
+    },
 }
 
 SPECTACULAR_SETTINGS = {

Original file line number	Diff line number	Diff line change
`@@ -215,6 +215,8 @@ def _resolve_path_parameters(self, _path_variables):`
`215`	`215`	`description="Obtain a token by providing valid credentials and an optional tenant ID.",`
`216`	`216`	`)`
`217`	`217`	`class CustomTokenObtainView(GenericAPIView):`
	`218`	`+ throttle_scope = "token-obtain"`
	`219`	`+`
`218`	`220`	`resource_name = "tokens"`
`219`	`221`	`serializer_class = TokenSerializer`
`220`	`222`	`http_method_names = ["post"]`