Apply rate limit to high-resource endpoints

backend/__init__.py

@@ -2,13 +2,15 @@
 import os
 from logging.handlers import RotatingFileHandler
 
-from flask import Flask, redirect
+from flask import Flask, redirect, make_response, jsonify
 from flask_cors import CORS
 from flask_migrate import Migrate
 from flask_oauthlib.client import OAuth
 from flask_restful import Api
 from flask_sqlalchemy import SQLAlchemy
 from flask_mail import Mail
+from flask_limiter import Limiter
+from flask_limiter.util import get_remote_address
 
 from backend.config import EnvironmentConfig
 
@@ -35,6 +37,7 @@ def format_url(endpoint):
 migrate = Migrate()
 mail = Mail()
 oauth = OAuth()
+limiter = Limiter(key_func=get_remote_address)
 
 osm = oauth.remote_app("osm", app_key="OSM_OAUTH_SETTINGS")
 
@@ -64,6 +67,7 @@ def create_app(env="backend.config.EnvironmentConfig"):
     db.init_app(app)
     migrate.init_app(app, db)
     mail.init_app(app)
+    limiter.init_app(app)
 
     app.logger.debug("Add root redirect route")
 

backend/api/campaigns/resources.py

@@ -1,6 +1,7 @@
 from flask_restful import Resource, request, current_app
 from schematics.exceptions import DataError
 
+from backend import limiter, EnvironmentConfig
 from backend.models.dtos.campaign_dto import CampaignDTO, NewCampaignDTO
 from backend.services.campaign_service import CampaignService
 from backend.services.organisation_service import OrganisationService
@@ -212,6 +213,11 @@ def delete(self, campaign_id):
 
 
 class CampaignsAllAPI(Resource):
+
+    decorators = [
+        limiter.limit(EnvironmentConfig.DEFAULT_RATE_LIMIT_THRESHOLD, methods=["POST"])
+    ]
+
     def get(self):
         """
         Get all active campaigns

backend/api/projects/actions.py

@@ -3,6 +3,7 @@
 from flask_restful import Resource, request, current_app
 from schematics.exceptions import DataError
 
+from backend import limiter, EnvironmentConfig
 from backend.models.dtos.message_dto import MessageDTO
 from backend.models.dtos.grid_dto import GridDTO
 from backend.services.project_service import ProjectService, NotFound
@@ -78,6 +79,11 @@ def post(self, project_id):
 
 
 class ProjectsActionsMessageContributorsAPI(Resource):
+
+    decorators = [
+        limiter.limit(EnvironmentConfig.DEFAULT_RATE_LIMIT_THRESHOLD, methods=["POST"])
+    ]
+
     @token_auth.login_required
     def post(self, project_id):
         """
@@ -355,6 +361,11 @@ def post(self, project_id):
 
 
 class ProjectActionsIntersectingTilesAPI(Resource):
+
+    decorators = [
+        limiter.limit(EnvironmentConfig.DEFAULT_RATE_LIMIT_THRESHOLD, methods=["POST"])
+    ]
+
     @tm.pm_only()
     @token_auth.login_required
     def post(self):

backend/api/projects/resources.py

@@ -4,6 +4,8 @@
 from flask_restful import Resource, current_app, request
 from schematics.exceptions import DataError
 from distutils.util import strtobool
+
+from backend import limiter, EnvironmentConfig
 from backend.models.dtos.project_dto import (
     DraftProjectDTO,
     ProjectDTO,
@@ -32,6 +34,11 @@
 
 
 class ProjectsRestAPI(Resource):
+
+    decorators = [
+        limiter.limit(EnvironmentConfig.DEFAULT_RATE_LIMIT_THRESHOLD, methods=["POST"])
+    ]
+
     @token_auth.login_required(optional=True)
     def get(self, project_id):
         """

backend/api/projects/statistics.py

@@ -1,4 +1,6 @@
 from flask_restful import Resource, current_app
+
+from backend import limiter, EnvironmentConfig
 from backend.services.stats_service import NotFound, StatsService
 from backend.services.project_service import ProjectService
 
@@ -28,6 +30,11 @@ def get(self):
 
 
 class ProjectsStatisticsAPI(Resource):
+
+    decorators = [
+        limiter.limit(EnvironmentConfig.DEFAULT_RATE_LIMIT_THRESHOLD, methods=["GET"])
+    ]
+
     def get(self, project_id):
         """
         Get Project Stats

backend/api/system/authentication.py

@@ -1,7 +1,7 @@
 from flask import session, current_app, redirect, request
 from flask_restful import Resource
 
-from backend import osm
+from backend import osm, limiter, EnvironmentConfig
 from backend.services.users.authentication_service import (
     AuthenticationService,
     AuthServiceError,
@@ -17,6 +17,11 @@ def get_oauth_token():
 
 
 class SystemAuthenticationLoginAPI(Resource):
+
+    decorators = [
+        limiter.limit(EnvironmentConfig.DEFAULT_RATE_LIMIT_THRESHOLD, methods=["GET"])
+    ]
+
     def get(self):
         """
         Redirects user to OSM to authenticate
@@ -44,6 +49,11 @@ def get(self):
 
 
 class SystemAuthenticationCallbackAPI(Resource):
+
+    decorators = [
+        limiter.limit(EnvironmentConfig.DEFAULT_RATE_LIMIT_THRESHOLD, methods=["GET"])
+    ]
+
     def get(self):
         """
         Handles the OSM OAuth callback

backend/api/system/general.py

@@ -2,6 +2,7 @@
 from flask_restful import Resource, request, current_app
 from flask_swagger import swagger
 
+from backend import limiter, EnvironmentConfig
 from backend.services.settings_service import SettingsService
 from backend.services.messaging.smtp_service import SMTPService
 
@@ -184,6 +185,11 @@ def get(self):
 
 
 class SystemContactAdminRestAPI(Resource):
+
+    decorators = [
+        limiter.limit(EnvironmentConfig.DEFAULT_RATE_LIMIT_THRESHOLD, methods=["POST"])
+    ]
+
     def post(self):
         """
         Send an email to the system admin

backend/api/system/image_upload.py

@@ -3,10 +3,16 @@
 
 from flask_restful import Resource, request, current_app
 
+from backend import limiter, EnvironmentConfig
 from backend.services.users.authentication_service import token_auth
 
 
 class SystemImageUploadRestAPI(Resource):
+
+    decorators = [
+        limiter.limit(EnvironmentConfig.DEFAULT_RATE_LIMIT_THRESHOLD, methods=["POST"])
+    ]
+
     @token_auth.login_required
     def post(self):
         """

backend/api/tasks/actions.py

@@ -1,6 +1,7 @@
 from flask_restful import Resource, current_app, request
 from schematics.exceptions import DataError
 
+from backend import limiter, EnvironmentConfig
 from backend.models.dtos.grid_dto import SplitTaskDTO
 from backend.models.postgis.utils import NotFound, InvalidGeoJson
 from backend.services.grid.split_service import SplitService, SplitServiceError
@@ -196,6 +197,11 @@ def post(self, project_id, task_id):
 
 
 class TasksActionsMappingUnlockAPI(Resource):
+
+    decorators = [
+        limiter.limit(EnvironmentConfig.DEFAULT_RATE_LIMIT_THRESHOLD, methods=["POST"])
+    ]
+
     @token_auth.login_required
     def post(self, project_id, task_id):
         """
@@ -519,6 +525,11 @@ def post(self, project_id):
 
 
 class TasksActionsValidationUnlockAPI(Resource):
+
+    decorators = [
+        limiter.limit(EnvironmentConfig.DEFAULT_RATE_LIMIT_THRESHOLD, methods=["POST"])
+    ]
+
     @token_auth.login_required
     def post(self, project_id):
         """
@@ -599,6 +610,11 @@ def post(self, project_id):
 
 
 class TasksActionsMapAllAPI(Resource):
+
+    decorators = [
+        limiter.limit(EnvironmentConfig.DEFAULT_RATE_LIMIT_THRESHOLD, methods=["POST"])
+    ]
+
     @token_auth.login_required
     def post(self, project_id):
         """
@@ -656,6 +672,11 @@ def post(self, project_id):
 
 
 class TasksActionsValidateAllAPI(Resource):
+
+    decorators = [
+        limiter.limit(EnvironmentConfig.DEFAULT_RATE_LIMIT_THRESHOLD, methods=["POST"])
+    ]
+
     @token_auth.login_required
     def post(self, project_id):
         """
@@ -713,6 +734,11 @@ def post(self, project_id):
 
 
 class TasksActionsInvalidateAllAPI(Resource):
+
+    decorators = [
+        limiter.limit(EnvironmentConfig.DEFAULT_RATE_LIMIT_THRESHOLD, methods=["POST"])
+    ]
+
     @token_auth.login_required
     def post(self, project_id):
         """
@@ -770,6 +796,11 @@ def post(self, project_id):
 
 
 class TasksActionsResetBadImageryAllAPI(Resource):
+
+    decorators = [
+        limiter.limit(EnvironmentConfig.DEFAULT_RATE_LIMIT_THRESHOLD, methods=["POST"])
+    ]
+
     @token_auth.login_required
     def post(self, project_id):
         """
@@ -829,6 +860,11 @@ def post(self, project_id):
 
 
 class TasksActionsResetAllAPI(Resource):
+
+    decorators = [
+        limiter.limit(EnvironmentConfig.DEFAULT_RATE_LIMIT_THRESHOLD, methods=["POST"])
+    ]
+
     @token_auth.login_required
     def post(self, project_id):
         """

backend/api/teams/actions.py

@@ -2,6 +2,7 @@
 from schematics.exceptions import DataError
 import threading
 
+from backend import limiter, EnvironmentConfig
 from backend.models.dtos.message_dto import MessageDTO
 from backend.services.team_service import TeamService, NotFound, TeamJoinNotAllowed
 from backend.services.users.authentication_service import token_auth, tm
@@ -252,6 +253,11 @@ def post(self, team_id):
 
 
 class TeamsActionsMessageMembersAPI(Resource):
+
+    decorators = [
+        limiter.limit(EnvironmentConfig.DEFAULT_RATE_LIMIT_THRESHOLD, methods=["POST"])
+    ]
+
     @token_auth.login_required
     def post(self, team_id):
         """

backend/api/users/actions.py

@@ -1,6 +1,7 @@
 from flask_restful import Resource, current_app, request
 from schematics.exceptions import DataError
 
+from backend import limiter, EnvironmentConfig
 from backend.models.dtos.user_dto import UserDTO, UserRegisterEmailDTO
 from backend.services.messaging.message_service import MessageService
 from backend.services.users.authentication_service import token_auth, tm
@@ -314,6 +315,11 @@ def patch(self):
 
 
 class UsersActionsRegisterEmailAPI(Resource):
+
+    decorators = [
+        limiter.limit(EnvironmentConfig.DEFAULT_RATE_LIMIT_THRESHOLD, methods=["POST"])
+    ]
+
     def post(self):
         """
         Registers users without OpenStreetMap account

backend/api/users/statistics.py

@@ -2,6 +2,7 @@
 from datetime import date, timedelta
 from flask_restful import Resource, request, current_app
 
+from backend import limiter, EnvironmentConfig
 from backend.services.users.user_service import UserService, NotFound
 from backend.services.stats_service import StatsService
 from backend.services.interests_service import InterestService
@@ -98,6 +99,11 @@ def get(self, user_id):
 
 
 class UsersStatisticsAllAPI(Resource):
+
+    decorators = [
+        limiter.limit(EnvironmentConfig.DEFAULT_RATE_LIMIT_THRESHOLD, methods=["GET"])
+    ]
+
     @token_auth.login_required
     def get(self):
         """

backend/api/users/tasks.py

@@ -1,11 +1,17 @@
 from flask_restful import Resource, current_app, request
 from dateutil.parser import parse as date_parse
 
+from backend import limiter, EnvironmentConfig
 from backend.services.users.authentication_service import token_auth
 from backend.services.users.user_service import UserService, NotFound
 
 
 class UsersTasksAPI(Resource):
+
+    decorators = [
+        limiter.limit(EnvironmentConfig.DEFAULT_RATE_LIMIT_THRESHOLD, methods=["GET"])
+    ]
+
     @token_auth.login_required
     def get(self, user_id):
         """

backend/config.py

@@ -105,6 +105,11 @@ class EnvironmentConfig:
     # If disabled project update emails will not be sent.
     SEND_PROJECT_EMAIL_UPDATES = int(os.getenv("TM_SEND_PROJECT_EMAIL_UPDATES", True))
 
+    # Threshold for rate limiting api calls
+    DEFAULT_RATE_LIMIT_THRESHOLD = os.getenv(
+        "TM_API_RATE_LIMIT_THRESHOLD", "100 per hour"
+    )
+
     # Languages offered by the Tasking Manager
     # Please note that there must be exactly the same number of Codes as languages.
     SUPPORTED_LANGUAGES = {

requirements.txt

@@ -22,6 +22,7 @@ Flask-RESTful==0.3.8
 Flask-Script==2.0.6
 Flask-SQLAlchemy==2.4.4
 flask-swagger==0.2.14
+Flask-Limiter==1.5
 gevent==20.9.0
 GeoAlchemy2==0.8.4
 geojson==1.3.4