• Stars
    star
    291
  • Rank 142,563 (Top 3 %)
  • Language
    Python
  • License
    Apache License 2.0
  • Created over 4 years ago
  • Updated 3 months ago

Reviews

There are no reviews yet. Be the first to send feedback to the community and the maintainers!

Repository Details

A ASGI Middleware to rate limit

ASGI RateLimit

Limit user access frequency. Base on ASGI.

100% coverage. High performance. Support regular matching. Customizable.

Install

# Only install
pip install asgi-ratelimit

# Use redis
pip install asgi-ratelimit[redis]

# Use jwt
pip install asgi-ratelimit[jwt]

# Install all
pip install asgi-ratelimit[full]

Usage

The following example will limit users under the "default" group to access /towns at most once per second and /forests at most once per minute. And the users in the "admin" group have no restrictions.

from typing import Tuple

from ratelimit import RateLimitMiddleware, Rule

# Simple rate-limiter in memory:
from ratelimit.backends.simple import MemoryBackend

rate_limit = RateLimitMiddleware(
    ASGI_APP,
    AUTH_FUNCTION,
    MemoryBackend(),
    {
        r"^/towns": [Rule(second=1, group="default"), Rule(group="admin")],
        r"^/forests": [Rule(minute=1, group="default"), Rule(group="admin")],
    },
)

# with Redis:
from redis.asyncio import StrictRedis
from ratelimit.backends.redis import RedisBackend

rate_limit = RateLimitMiddleware(
    ASGI_APP,
    AUTH_FUNCTION,
    RedisBackend(StrictRedis()),
    {
        r"^/towns": [Rule(second=1, group="default"), Rule(group="admin")],
        r"^/forests": [Rule(minute=1, group="default"), Rule(group="admin")],
    },
)

⚠️ The pattern's order is important, rules are set on the first match: Be careful here !

Next, provide a custom authenticate function, or use one of the existing auth methods.

from ratelimit.auths import EmptyInformation


async def AUTH_FUNCTION(scope: Scope) -> Tuple[str, str]:
    """
    Resolve the user's unique identifier and the user's group from ASGI SCOPE.

    If there is no user information, it should raise `EmptyInformation`.
    If there is no group information, it should return "default".
    """
    # FIXME
    # You must write the logic of this function yourself,
    # or use the function in the following document directly.
    return USER_UNIQUE_ID, GROUP_NAME


rate_limit = RateLimitMiddleware(ASGI_APP, AUTH_FUNCTION, ...)

The Rule type takes a time unit (e.g. "second"), a "group", and a "method" as a param. If the "group" param is not specified then the "authenticate" method needs to return the "default group". The "method" param corresponds to the http method, if it is not specified, the rule will be applied to all http requests.

Example:

    ...
    config={
        r"^/towns": [Rule(second=1, method="get"), Rule(second=10, group="admin")],
    }
    ...


async def AUTH_FUNCTION(scope: Scope) -> Tuple[str, str]:
    ...
    # no group information about this user
    if user not in admins_group:
        return user_unique_id, 'default'

    return user_unique_id, user_group

Customizable rules

It is possible to mix the rules to obtain higher level of control.

The below example will allow up to 10 requests per second and no more than 200 requests per minute, for everyone, for the same API endpoint.

    ...
    config={
        r"^/towns": [Rule(minute=200, second=10)],
    }
    ...

Example for a "admin" group with higher limits.

    ...
    config={
        r"^/towns": [
            Rule(day=400, minute=200, second=10),
            Rule(minute=500, second=25, group="admin"),
        ],
    }
    ...

Sometimes you may want to specify that some APIs share the same flow control pool. In other words, flow control is performed on the entire set of APIs instead of a single specific API. Only the zone parameter needs to be used. Note: You can give different rules the same zone value, and all rules with the same zone value share the same flow control pool.

    ...
    config={
        r"/user/\d+": [
            Rule(minute=200, zone="user-api"),
            Rule(second=100, zone="user-api", group="admin"),
        ],
    }
    ...

Block time

When the user's request frequency triggers the upper limit, all requests in the following period of time will be returned with a 429 status code.

Example: Rule(second=5, block_time=60), this rule will limit the user to a maximum of 5 visits per second. Once this limit is exceeded, all requests within the next 60 seconds will return 429.

HTTP Method

If you want a rate limit a specifc HTTP method on an endpoint, the Rule object has a method param. If no method is specified, the default value is "*" for all HTTP methods.

r"^/towns": [
    Rule(group="admin", method="get", second=10),
    Rule(group="admin", method="post", second=2)
]

Custom block handler

Just specify on_blocked and you can customize the asgi application that is called when blocked.

def yourself_429(retry_after: int):
    async def inside_yourself_429(scope: Scope, receive: Receive, send: Send) -> None:
        await send({"type": "http.response.start", "status": 429})
        await send(
            {
                "type": "http.response.body",
                "body": b"custom 429 page",
                "more_body": False,
            }
        )

    return inside_yourself_429

RateLimitMiddleware(..., on_blocked=yourself_429)

Built-in auth functions

Client IP

from ratelimit.auths.ip import client_ip

Obtain user IP through scope["client"] or X-Real-IP.

Note: this auth method will not work if your IP address (such as 127.0.0.1 etc) is not allocated for public networks.

Starlette Session

from ratelimit.auths.session import from_session

Get user and group from scope["session"].

If key group not in session, will return default. If key user not in session, will raise a EmptyInformation.

Json Web Token

from ratelimit.auths.jwt import create_jwt_auth

jwt_auth = create_jwt_auth("KEY", "HS256")

Get user and group from JWT that in Authorization header.

Custom auth error handler

Normally exceptions raised in the authentication function result in an Internal Server Error, but you can pass a function to handle the errors and send the appropriate response back to the user. For example, if you're using FastAPI or Starlette:

from fastapi.responses import JSONResponse
from ratelimit.types import ASGIApp

async def handle_auth_error(exc: Exception) -> ASGIApp:
    return JSONResponse({"message": "Unauthorized access."}, status_code=401)

RateLimitMiddleware(..., on_auth_error=handle_auth_error)

For advanced usage you can handle the response completely by yourself:

from fastapi.responses import JSONResponse
from ratelimit.types import ASGIApp, Scope, Receive, Send

async def handle_auth_error(exc: Exception) -> ASGIApp:
    async def response(scope: Scope, receive: Receive, send: Send):
        # do something here e.g.
        # await send({"type": "http.response.start", "status": 429})
    return response

More Repositories

1

kui

An easy-to-use web framework. Supports both WSGI and ASGI modes. Gevent or asyncio, this is the question.
Python
279
star
2

rpc.py

A fast and powerful RPC framework based on ASGI/WSGI.
Python
189
star
3

a2wsgi

Convert WSGI app to ASGI app or ASGI app to WSGI app.
Python
183
star
4

cool

Make Python code cooler. Less is more.
Python
138
star
5

baize

Powerful and exquisite WSGI/ASGI framework/toolkit.
Python
75
star
6

websocks

A proxy server base on websocket
Python
72
star
7

poetry2setup

Convert python-poetry(pyproject.toml) to setup.py.
Python
57
star
8

r2-webdav

Use Cloudflare Workers to provide a WebDav interface for Cloudflare R2.
TypeScript
56
star
9

mingshe

A better Python. It is also a template for you to create a superset of Python.
Python
51
star
10

sync-gitee-mirror

使用 GitHub actions 同步 GitHub 仓库到 Gitee 仓库
16
star
11

china-region-data

中国行政区域数据
Python
14
star
12

pdm-shell

Use `pdm shell` set PATH and PYTHONPATH in the current shell
Python
13
star
13

pep249

Provide minimum implementation check and connection pool of PEP249.
Python
12
star
14

mywxmp

我的微信公众号 ”aber的个人号“
Python
12
star
15

zibai

A modern high-performance pure-Python WSGI server.
Python
11
star
16

setup.py

Poetry-based pypi package template
Python
9
star
17

vless-ws

A cloudflare worker that implements the vless server
TypeScript
8
star
18

runweb

Run web server with one command.
Python
7
star
19

pdm-version

Make `pdm version` like `poetry version`
Python
7
star
20

telegram-bot

Python
7
star
21

coolsql

Makes it easier to write raw SQL in Python.
Python
6
star
22

Ahnu

安徽师范大学相关程序
Python
6
star
23

clash-to-v2rayN

转换 Clash 订阅格式到 v2rayN 订阅格式
TypeScript
6
star
24

rgo-error

Like Rust's `Result` type, but for Go.
Go
5
star
25

localtasks

Google Cloud Tasks Queue substitute in local
Python
5
star
26

asgi-benchmark

Performance comparison between ASGI frameworks
Python
4
star
27

aligi

为阿里无服务函数提供API网关的协议解析
Python
4
star
28

tools-in-web

TypeScript
3
star
29

asynchronous

Efficiently convert synchronous code to asynchronous.
Python
3
star
30

BingImageCreator

High quality image generation by Microsoft. Reverse engineered API.
Python
3
star
31

empty-pypi

empty pypi package
2
star
32

http2tcp

Convert HTTP request to encrypted TCP channel
Go
2
star
33

httpbenchmark

A programmable HTTP stress testing tool. Written in Golang.
Go
2
star
34

mkdocs-version

Simple and easy-to-use mkdocs version plugin based on git tags
Python
2
star
35

qq-group-bot

基于 QQ BOT 平台 API 的群聊机器人
Python
2
star
36

compose.yaml

1
star
37

issue

Filter logs by name. Allow Unix shell style wildcards.
Python
1
star
38

rust-h11

A pure-Rust, bring-your-own-I/O implementation of HTTP/1.1
Rust
1
star
39

abersheeran

1
star
40

blog-comments

Comments for my blog
1
star
41

typeddict

Use `TypedDict` replace pydantic definitions.
Python
1
star
42

kjango

Use kui with django orm/admin/or other anything.
1
star