Add rate limits to groups and projects APIs
What does this MR do and why?
We have rate-limited the following endpoints to prevent abuse:
- GET /api/v4/users/:user_id/projects
- GET /api/v4/users/:user_id/contributed_projects
- GET /api/v4/users/:user_id/starred_projects
- GET /api/v4/projects
- GET /api/v4/groups/:id/projects
- GET /api/v4/projects/:id
- GET /api/v4/groups
- GET /api/v4/groups/:id
The changes here have been announced in this blog post.
But we can merge this since all the changes here are behind the `rate_limit_groups_and_projects_api` feature flag.
MR acceptance checklist
Please evaluate this MR against the MR acceptance checklist. It helps you analyze changes to reduce risks in quality, performance, reliability, security, and maintainability.
Screenshot
From https://gdk.test:3000/admin/application_settings/network
How to set up and validate locally
- Go to https://gdk.test:3000/admin/application_settings/network and adjust the limit of any one of the endpoints, for instance `GET /groups`.
- Then, using curl, exceed that rate limit:
  curl https://gdk.test:3000/api/v4/groups
- You'll get this message after the rate limit is exceeded:
  {"message":{"error":"This endpoint has been requested too many times. Try again later."}}
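As an added example (not part of this MR or of GitLab's own code), the Ruby script below automates the validation steps above: it keeps calling an endpoint until the limiter answers with the error body shown above, then compares the number of requests that got through with the limit configured in the admin UI, so a typo in the setting or a limiter that never fires is caught rather than eyeballed. Assumptions: the rate-limited response also carries HTTP status 429 (the MR only shows the body); `FakeEndpoint` is a constructed fixed-window stand-in so the checker runs offline; the `GITLAB_URL`, `GITLAB_TOKEN` and `EXPECTED_LIMIT` environment variables are hypothetical names chosen for this script.

```ruby
require 'json'
require 'net/http'
require 'uri'

# Error body GitLab returns once the limit is exceeded (from the MR description).
RATE_LIMIT_ERROR = 'This endpoint has been requested too many times. Try again later.'

# A response counts as rate-limited when its JSON body carries the error above.
# Status 429 is accepted as well (assumption: the limiter answers with
# 429 Too Many Requests; the MR description only shows the body).
def rate_limited?(status, body)
  return true if status.to_i == 429

  parsed = JSON.parse(body)
  parsed.is_a?(Hash) && parsed.dig('message', 'error') == RATE_LIMIT_ERROR
rescue JSON::ParserError
  false
end

# Calls the block (which returns [status, body]) until the limiter fires.
# Returns how many requests got through first, or nil if the limiter never
# fired within max_requests (i.e. the feature flag or setting is not active).
def requests_until_limited(max_requests)
  max_requests.times do |served|
    status, body = yield
    return served if rate_limited?(status, body)
  end
  nil
end

# Compares the observed threshold with the value configured in the admin UI.
# A few extra requests beyond the expected limit are sent so that a limiter
# set too high (or not firing at all) is reported as a failure.
def verify_limit(expected_limit, &fetch)
  observed = requests_until_limited(expected_limit + 5, &fetch)
  { expected: expected_limit, observed: observed, ok: observed == expected_limit }
end

# Constructed stand-in for a rate-limited endpoint so the checker runs offline:
# a fixed window of `window` seconds that lets `limit` requests through.
class FakeEndpoint
  def initialize(limit:, window:, clock:)
    @limit, @window, @clock = limit, window, clock
    @window_start = nil
    @count = 0
  end

  def call
    now = @clock.call
    if @window_start.nil? || now - @window_start >= @window
      @window_start = now
      @count = 0
    end
    @count += 1
    if @count > @limit
      [429, { message: { error: RATE_LIMIT_ERROR } }.to_json]
    else
      [200, '[]']
    end
  end
end

# Fetcher for a real instance; the GDK certificate must be trusted by Ruby's
# OpenSSL store for https://gdk.test:3000 to work.
def gitlab_fetcher(url, token)
  uri = URI(url)
  lambda do
    http = Net::HTTP.new(uri.host, uri.port)
    http.use_ssl = uri.scheme == 'https'
    req = Net::HTTP::Get.new(uri)
    req['PRIVATE-TOKEN'] = token if token
    res = http.request(req)
    [res.code.to_i, res.body]
  end
end

# Only runs against a live instance when GITLAB_URL is set (hypothetical variable).
if $PROGRAM_NAME == __FILE__ && ENV['GITLAB_URL']
  limit = Integer(ENV.fetch('EXPECTED_LIMIT', '10'))
  result = verify_limit(limit, &gitlab_fetcher(ENV['GITLAB_URL'], ENV['GITLAB_TOKEN']))
  puts result.inspect
end
```

Run it as `GITLAB_URL=https://gdk.test:3000/api/v4/groups EXPECTED_LIMIT=<value from the admin page> ruby check_limit.rb` after lowering the limit in the admin UI; wait for the window to elapse between runs, because requests from an earlier run still count against the current window.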
Related to #421909 (closed)
Edited by Abdul Wadood