
Rate Limiting

1. Rate Limiting

Let's learn about rate limiting.

2. Introducing rate limiting

Think of rate limiting like a traffic light - it helps control the flow of requests to prevent overload. It controls the frequency of API requests to prevent abuse and ensure fair usage. It raises HTTP 429 ("Too Many Requests") when the limit is exceeded.

3. How rate limiting works

Let's look at how we secure our API using two essential layers of protection. When a client sends a request to our API, it goes through two security checkpoints:

4. Authenticating incoming credentials

First, the API key authentication. If we provide a valid API key, we can proceed. If not, we'll receive a 403 Unauthorized error.

5. Rate limiting check

Second, assuming our API key is valid, we check the rate limit. We are allowed only a certain number of requests per minute. If we are within our limit, our request is processed. If we have exceeded it, we'll get a 429 - Too Many Requests. We track requests per API key and reset the counter after a specified time window.

6. Setting up our API

We are building on top of the sentiment analysis API that we built in the last video. We have made the necessary imports for key-based authentication and loaded the model using the pre-trained Sentiment Analysis model from our pre-defined Sentiment Analyzer class.

7. The rate limiter logic

We define a RateLimiter class that helps us enforce API usage limits, with a default of 10 requests per minute. We can change the limit based on expected usage. It uses a defaultdict to track request timestamps for each API key, ensuring fairness and protecting our system from abuse. The is_rate_limited method checks if an API key has exceeded its limit by comparing the current time with requests made in the last minute.

8. Deleting old requests

Before we check the rate, we remove any timestamps older than one minute using datetime and timedelta from Python's datetime module, ensuring we only count recent activity. In the list comprehension, we filter the request timestamps for the specific API key to keep only requests from the last minute.

9. Check request count

Now we can check the number of recent requests made by an API key. If the count exceeds the allowed limit, it returns True with a remaining limit of 0; otherwise, it adds the current request and returns False.

10. Add rate limit check

The next step is to add the rate limiter instance to the endpoint. We update the test_api_key function that we created to authenticate keys. It will now serve two purposes: first, it verifies that the API key is valid; second, it checks whether the user has exceeded their rate limit by passing the API key to the rate_limiter's is_rate_limited method. If the rate limit check fails, it raises an HTTPException with status code 429, indicating that the rate limit has been exceeded.

11. Apply rate limit to endpoint

To apply the rate limit to any endpoint, we add it as a dependency on the argument corresponding to the api_key using the Depends function. The function test_api_key will automatically check the key for authentication and the number of requests remaining in the minute. The rest of the endpoint remains unchanged. If we try to send more than 10 requests to this endpoint within a minute using the curl command with the same API key, we will hit the rate limit error.

12. Let's practice!

And now, let's test our understanding by working on some exercises.