Add custom handling for frontend requests in API rate limiting
Problem to solve
API requests coming from the GitLab frontend are treated the same as other API requests, and so will have the same rate limiting applied.
This is problematic because we want the ability to apply stricter API rate limits without impacting normal app usage, especially for the new rate limit for unauthenticated API requests.
Proposal
We could reuse the CSRF token for this: it is already generated for every request and made available to the frontend.
In the backend we could verify that token and treat a request that carries a valid one as "privileged", either exempting it from rate limiting or applying custom thresholds/behaviour.
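To make the proposal concrete, here is an added example (not GitLab's code, and not the Rack::Attack gem itself) of the decision the throttle would have to make. It assumes a simplified stand-in for the session-bound Rails CSRF token (a raw secret in the session, handed to the page as a masked copy, the masking mirroring ActionController::RequestForgeryProtection), a request represented as a plain hash, and illustrative thresholds that are not GitLab's configured values. The throttle verifies the token in constant time and only then routes the request to the more generous bucket.

```ruby
require 'securerandom'
require 'base64'

# Stand-in for the session-bound Rails CSRF token (assumption: mirrors the
# masking scheme of ActionController::RequestForgeryProtection, where the
# session holds a raw 32-byte secret and every page gets a freshly masked copy).
module CsrfToken
  LENGTH = 32

  module_function

  def generate_session_secret
    SecureRandom.random_bytes(LENGTH)
  end

  def xor(a, b)
    a.bytes.zip(b.bytes).map { |x, y| x ^ y }.pack('C*')
  end

  # Mask with a random one-time pad so each page carries a different token string.
  def mask(secret)
    pad = SecureRandom.random_bytes(LENGTH)
    Base64.strict_encode64(pad + xor(secret, pad))
  end

  # Constant-time comparison: never stop at the first mismatching byte.
  def secure_equal?(a, b)
    return false unless a.bytesize == b.bytesize
    a.bytes.zip(b.bytes).reduce(0) { |acc, (x, y)| acc | (x ^ y) }.zero?
  end

  # A token is valid only if it decodes, has the expected size, and unmasks
  # to exactly the secret stored in the caller's own session.
  def valid?(masked_token, session_secret)
    return false if masked_token.nil? || session_secret.nil?
    decoded = begin
      Base64.strict_decode64(masked_token)
    rescue ArgumentError
      return false
    end
    return false unless decoded.bytesize == 2 * LENGTH
    pad = decoded[0, LENGTH]
    masked = decoded[LENGTH, LENGTH]
    secure_equal?(xor(masked, pad), session_secret)
  end
end

# The decision in the shape of a Rack::Attack throttle: pick a bucket per
# request, count per discriminator, compare against that bucket's limit.
# Thresholds are illustrative assumptions, not GitLab's configured values.
class FrontendAwareThrottle
  LIMITS = { unauthenticated_api: 100, privileged_frontend: 1000 }.freeze

  def initialize(limits = LIMITS)
    @limits = limits
    @counts = Hash.new(0) # in-memory stand-in for Rack::Attack's cache store
  end

  # "Privileged" means: an API request whose CSRF token verifies against the
  # secret in its own session. A missing or foreign token is not privileged.
  def privileged_frontend?(request)
    return false unless request[:path].start_with?('/api/')
    CsrfToken.valid?(request.fetch(:headers, {})['X-CSRF-Token'],
                     request.fetch(:session, {})[:_csrf_token])
  end

  def bucket(request)
    privileged_frontend?(request) ? :privileged_frontend : :unauthenticated_api
  end

  # Returns [:allow | :throttle, bucket, count] for this request.
  def track(request)
    b = bucket(request)
    key = "#{b}:#{request[:ip]}"
    @counts[key] += 1
    [(@counts[key] > @limits[b] ? :throttle : :allow), b, @counts[key]]
  end
end

# Constructed demo: one browser session; a frontend call with a valid token,
# three scripted calls without one, and a token masked from a different session.
def demo
  throttle = FrontendAwareThrottle.new(unauthenticated_api: 2, privileged_frontend: 5)
  secret = CsrfToken.generate_session_secret
  session = { _csrf_token: secret }
  frontend = { ip: '203.0.113.7', path: '/api/v4/projects', session: session,
               headers: { 'X-CSRF-Token' => CsrfToken.mask(secret) } }
  scripted = { ip: '203.0.113.7', path: '/api/v4/projects', session: session, headers: {} }
  forged = scripted.merge(headers: { 'X-CSRF-Token' => CsrfToken.mask(CsrfToken.generate_session_secret) })
  [frontend, scripted, scripted, scripted, forged].map { |r| throttle.track(r) }
end

demo.each { |status, bucket, count| puts "#{status} #{bucket} ##{count}" } if __FILE__ == $PROGRAM_NAME
```

Two practical caveats follow from this shape. First, Rack::Attack runs as middleware, so verifying a session-bound token there requires the session to be available to the throttle, which constrains where it sits relative to the session middleware. Second, a valid CSRF token only proves the request originated from a page loaded in that same session; anyone holding a valid session cookie can read a token out of the page and script "privileged" calls, so this separates frontend traffic from anonymous scripts, not from a logged-in user's own automation.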
Involved components
lib/gitlab/throttle.rb
lib/gitlab/rack_attack.rb
lib/gitlab/rack_attack/request.rb