Added rate limit bypass for app_api requests #44154
Conversation
/backport to stable28
nickvergessen
left a comment
It's not okay to generally disable ratelimit like this.
Can you maybe point out which endpoint is a problem?
bigcat88
left a comment
Please make a squash commit with a force push and a correct message for the "Block unconventional commits" check.
The added logic in this PR looks good to me; requests from ExApps should always bypass any rate limits.
Why is that? We have several API endpoints which have a rate limit also for logged-in users.
Hi, we need to utilize: As an example, we want to utilize some AI features for summarizing a long chat log. We need to split the chat log into multiple chunks (let's say 10 chunks) and for each we need to do a request to the
We need this for the Summarize bot (which was supposed to be released a week(?) ago..) calling text-processing endpoints to schedule a summarization task.
Then let's either bump or remove the user limit from that endpoint for now.
Or we additionally add an AppAPIRateLimit attribute which is checked in case the session flag is there, and we fall back to the UserRateLimit if it's not set.
The value of the rate limit will depend on the size of the Nextcloud instance; we cannot know the value. Removing the rate limit from that endpoint completely will allow easy DDoS of the cloud without even an account, as that endpoint allows anonymous access already.
Good proposal
Well, AppAPI is not anonymous, right? So it should be using the UserRateLimit, and you could simply adjust that to 100 per second.
The Summarise bot is anonymous; it is not triggered by a user, it is triggered by a background job once a day, so we cannot know what "userId" to use in OCS requests.
My proposal: we have such a concept in ExApp as a "system application", indicated by a separate flag. We can make sure that this flag is added to the session and add a check for this flag, and remove the rate limit only for such system applications. Will this be ok? Ordinary ExApps really don't need a separate RateLimit, as they always have a UserId. This is a draft for adding that session variable: https://github.com/cloud-py-api/app_api/pull/248/files
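As an added example (not code from this PR, from Nextcloud server, or from the AppAPI project), the precedence the two proposals above describe, written as a standalone PHP 8.1+ function over constructed session values: a flagged system ExApp is exempt, an ordinary ExApp request uses an endpoint-specific limit if one is declared, and everything else keeps the user limit. The session keys `app_api` and `app_api_system`, the `RateLimit` class and the `AppAPIRateLimit` name are assumptions for illustration.

```php
<?php
// Added example, not Nextcloud server or AppAPI code. Models the rate-limit
// precedence discussed in the thread. Session keys and attribute names are
// assumptions chosen for illustration.

declare(strict_types=1);

final class RateLimit {
    public function __construct(public readonly int $limit, public readonly int $period) {}
}

/**
 * @param array<string,mixed> $session   constructed session payload
 * @param ?RateLimit $appApiLimit        hypothetical AppAPIRateLimit attribute on the endpoint
 * @param ?RateLimit $userLimit          UserRateLimit attribute on the endpoint
 * @return ?RateLimit null means "no limit applied"
 */
function resolveRateLimit(array $session, ?RateLimit $appApiLimit, ?RateLimit $userLimit): ?RateLimit {
    $isAppApi = ($session['app_api'] ?? false) === true;
    // The system flag only counts together with a genuine AppAPI session.
    $isSystemApp = $isAppApi && (($session['app_api_system'] ?? false) === true);

    // Only flagged system ExApps (background jobs without a userId) are exempt.
    if ($isSystemApp) {
        return null;
    }
    // Ordinary ExApp requests: prefer the endpoint's AppAPI-specific limit if declared.
    if ($isAppApi && $appApiLimit !== null) {
        return $appApiLimit;
    }
    // Everything else, including ExApps on endpoints without AppAPIRateLimit, keeps the user limit.
    return $userLimit;
}

// Constructed scenarios; the user limit mirrors the PR description (5 requests per 2 minutes).
$userLimit = new RateLimit(5, 120);
$appApiLimit = new RateLimit(100, 1);

$cases = [
    'anonymous or regular user'                         => [[], null, $userLimit],
    'ordinary ExApp, endpoint without AppAPIRateLimit'  => [['app_api' => true], null, $userLimit],
    'ordinary ExApp, endpoint with AppAPIRateLimit'     => [['app_api' => true], $appApiLimit, $userLimit],
    'system ExApp (background bot)'                     => [['app_api' => true, 'app_api_system' => true], $appApiLimit, $userLimit],
    'system flag without an app_api session'            => [['app_api_system' => true], $appApiLimit, $userLimit],
];

foreach ($cases as $name => [$session, $appLimit, $usrLimit]) {
    $result = resolveRateLimit($session, $appLimit, $usrLimit);
    printf("%-50s => %s\n", $name, $result === null ? 'no limit' : "{$result->limit} per {$result->period}s");
}
```

The last scenario is the check worth keeping in mind when wiring the session flag: the exemption should require both the AppAPI session marker and the system flag, so a stray flag on its own still lands on the user limit.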
I guess so, but we are running out of time (behind API and feature freeze)
As @bigcat88 mentioned, we are now checking in the session for
From my humble point of view, this is not a new feature, but rather a bug fix that we missed when implementing AppAPI authentication. |
My point was less to block merging, but more to point out that this should be speeded up, so we also run the final result of crucial points before the release |
Force-pushed from 08d6340 to 9e3888f
Signed-off-by: Florian Klinger <[email protected]> Signed-off-by: Andrey Borysenko <[email protected]>
Force-pushed from 9e3888f to f3a4abd
Cypress errors look unrelated.
Thanks for your first pull request and welcome to the community! Feel free to keep them coming! If you are looking for issues to tackle then have a look at this selection: https://github.com/nextcloud/server/issues?q=is%3Aopen+is%3Aissue+label%3A%22good+first+issue%22
Summary
When doing a request via app_api, the rate limiting prevents more than 5 requests per 2 minutes; by checking if the app_api session exists, we bypass the rate limiting for app_api requests.