hotosm · Aadesh-Baral · Aug 14, 2022 · Aug 16, 2022 · Aug 16, 2022 · Aug 17, 2022
diff --git a/backend/__init__.py b/backend/__init__.py
@@ -9,6 +9,8 @@
 from flask_restful import Api
 from flask_sqlalchemy import SQLAlchemy
 from flask_mail import Mail
+from flask_limiter import Limiter
+from flask_limiter.util import get_remote_address
 
 from backend.config import EnvironmentConfig
 
@@ -35,7 +37,11 @@ def format_url(endpoint):
 migrate = Migrate()
 mail = Mail()
 oauth = OAuth()
-
+limiter = Limiter(
+    storage_uri=EnvironmentConfig.REDIS_URI,
+    key_func=get_remote_address,
+    headers_enabled=True,
+)
 osm = oauth.remote_app("osm", app_key="OSM_OAUTH_SETTINGS")
 
 # Import all models so that they are registered with SQLAlchemy
@@ -64,6 +70,7 @@ def create_app(env="backend.config.EnvironmentConfig"):
     db.init_app(app)
     migrate.init_app(app, db)
     mail.init_app(app)
+    limiter.init_app(app)
 
     app.logger.debug("Add root redirect route")
 
@@ -121,9 +128,21 @@ def add_api_endpoints(app):
     """
     Define the routes the API exposes using Flask-Restful.
     """
-    app.logger.debug("Adding routes to API endpoints")
-    api = Api(app)
+    rate_limit_error = {
+        "RateLimitExceeded": {
+            "SubCode": "RateLimitExceeded",
+            "message": "You have exceeded the rate limit. Please try again later.",
+            "status": 429,
+        },
+        "ConnectionError": {
+            "SubCode": "RedisConnectionError",
+            "message": "Connection to Redis server refused.",
+            "status": 500,
+        },
+    }
+    api = Api(app, errors=rate_limit_error)
 
+    app.logger.debug("Adding routes to API endpoints")
     # Projects API import
     from backend.api.projects.resources import (
         ProjectsRestAPI,

diff --git a/backend/api/campaigns/resources.py b/backend/api/campaigns/resources.py
@@ -1,6 +1,7 @@
 from flask_restful import Resource, request, current_app
 from schematics.exceptions import DataError
 
+from backend import limiter, EnvironmentConfig
 from backend.models.dtos.campaign_dto import CampaignDTO, NewCampaignDTO
 from backend.services.campaign_service import CampaignService
 from backend.services.organisation_service import OrganisationService
@@ -212,6 +213,11 @@ def delete(self, campaign_id):
 
 
 class CampaignsAllAPI(Resource):
+
+    decorators = [
+        limiter.limit(EnvironmentConfig.DEFAULT_RATE_LIMIT_THRESHOLD, methods=["POST"])
+    ]
+
     def get(self):
         """
         Get all active campaigns

diff --git a/backend/api/projects/actions.py b/backend/api/projects/actions.py
@@ -3,6 +3,7 @@
 from flask_restful import Resource, request, current_app
 from schematics.exceptions import DataError
 
+from backend import limiter, EnvironmentConfig
 from backend.models.dtos.message_dto import MessageDTO
 from backend.models.dtos.grid_dto import GridDTO
 from backend.services.project_service import ProjectService, NotFound
@@ -78,6 +79,11 @@ def post(self, project_id):
 
 
 class ProjectsActionsMessageContributorsAPI(Resource):
+
+    decorators = [
+        limiter.limit(EnvironmentConfig.DEFAULT_RATE_LIMIT_THRESHOLD, methods=["POST"])
+    ]
+
     @token_auth.login_required
     def post(self, project_id):
         """
@@ -355,6 +361,11 @@ def post(self, project_id):
 
 
 class ProjectActionsIntersectingTilesAPI(Resource):
+
+    decorators = [
+        limiter.limit(EnvironmentConfig.DEFAULT_RATE_LIMIT_THRESHOLD, methods=["POST"])
+    ]
+
     @tm.pm_only()
     @token_auth.login_required
     def post(self):

diff --git a/backend/api/projects/resources.py b/backend/api/projects/resources.py
@@ -4,6 +4,8 @@
 from flask_restful import Resource, current_app, request
 from schematics.exceptions import DataError
 from distutils.util import strtobool
+
+from backend import limiter, EnvironmentConfig
 from backend.models.dtos.project_dto import (
     DraftProjectDTO,
     ProjectDTO,
@@ -32,6 +34,11 @@
 
 
 class ProjectsRestAPI(Resource):
+
+    decorators = [
+        limiter.limit(EnvironmentConfig.DEFAULT_RATE_LIMIT_THRESHOLD, methods=["POST"])
+    ]
+
     @token_auth.login_required(optional=True)
     def get(self, project_id):
         """

diff --git a/backend/api/projects/statistics.py b/backend/api/projects/statistics.py
@@ -1,4 +1,6 @@
 from flask_restful import Resource, current_app
+
+from backend import limiter, EnvironmentConfig
 from backend.services.stats_service import NotFound, StatsService
 from backend.services.project_service import ProjectService
 
@@ -28,6 +30,11 @@ def get(self):
 
 
 class ProjectsStatisticsAPI(Resource):
+
+    decorators = [
+        limiter.limit(EnvironmentConfig.DEFAULT_RATE_LIMIT_THRESHOLD, methods=["GET"])
+    ]
+
     def get(self, project_id):
         """
         Get Project Stats

diff --git a/backend/api/system/authentication.py b/backend/api/system/authentication.py
@@ -1,7 +1,7 @@
 from flask import session, current_app, redirect, request
 from flask_restful import Resource
 
-from backend import osm
+from backend import osm, limiter, EnvironmentConfig
 from backend.services.users.authentication_service import (
     AuthenticationService,
     AuthServiceError,
@@ -17,6 +17,11 @@ def get_oauth_token():
 
 
 class SystemAuthenticationLoginAPI(Resource):
+
+    decorators = [
+        limiter.limit(EnvironmentConfig.DEFAULT_RATE_LIMIT_THRESHOLD, methods=["GET"])
+    ]
+
     def get(self):
         """
         Redirects user to OSM to authenticate
@@ -44,6 +49,11 @@ def get(self):
 
 
 class SystemAuthenticationCallbackAPI(Resource):
+
+    decorators = [
+        limiter.limit(EnvironmentConfig.DEFAULT_RATE_LIMIT_THRESHOLD, methods=["GET"])
+    ]
+
     def get(self):
         """
         Handles the OSM OAuth callback

diff --git a/backend/api/system/general.py b/backend/api/system/general.py
@@ -2,6 +2,7 @@
 from flask_restful import Resource, request, current_app
 from flask_swagger import swagger
 
+from backend import limiter, EnvironmentConfig
 from backend.services.settings_service import SettingsService
 from backend.services.messaging.smtp_service import SMTPService
 
@@ -184,6 +185,11 @@ def get(self):
 
 
 class SystemContactAdminRestAPI(Resource):
+
+    decorators = [
+        limiter.limit(EnvironmentConfig.DEFAULT_RATE_LIMIT_THRESHOLD, methods=["POST"])
+    ]
+
     def post(self):
         """
         Send an email to the system admin

diff --git a/backend/api/system/image_upload.py b/backend/api/system/image_upload.py
@@ -3,10 +3,16 @@
 
 from flask_restful import Resource, request, current_app
 
+from backend import limiter, EnvironmentConfig
 from backend.services.users.authentication_service import token_auth
 
 
 class SystemImageUploadRestAPI(Resource):
+
+    decorators = [
+        limiter.limit(EnvironmentConfig.DEFAULT_RATE_LIMIT_THRESHOLD, methods=["POST"])
+    ]
+
     @token_auth.login_required
     def post(self):
         """

diff --git a/backend/api/tasks/actions.py b/backend/api/tasks/actions.py
@@ -1,6 +1,7 @@
 from flask_restful import Resource, current_app, request
 from schematics.exceptions import DataError
 
+from backend import limiter, EnvironmentConfig
 from backend.models.dtos.grid_dto import SplitTaskDTO
 from backend.models.postgis.utils import NotFound, InvalidGeoJson
 from backend.services.grid.split_service import SplitService, SplitServiceError
@@ -196,6 +197,11 @@ def post(self, project_id, task_id):
 
 
 class TasksActionsMappingUnlockAPI(Resource):
+
+    decorators = [
+        limiter.limit(EnvironmentConfig.DEFAULT_RATE_LIMIT_THRESHOLD, methods=["POST"])
+    ]
+
     @token_auth.login_required
     def post(self, project_id, task_id):
         """
@@ -519,6 +525,11 @@ def post(self, project_id):
 
 
 class TasksActionsValidationUnlockAPI(Resource):
+
+    decorators = [
+        limiter.limit(EnvironmentConfig.DEFAULT_RATE_LIMIT_THRESHOLD, methods=["POST"])
+    ]
+
     @token_auth.login_required
     def post(self, project_id):
         """
@@ -599,6 +610,11 @@ def post(self, project_id):
 
 
 class TasksActionsMapAllAPI(Resource):
+
+    decorators = [
+        limiter.limit(EnvironmentConfig.DEFAULT_RATE_LIMIT_THRESHOLD, methods=["POST"])
+    ]
+
     @token_auth.login_required
     def post(self, project_id):
         """
@@ -656,6 +672,11 @@ def post(self, project_id):
 
 
 class TasksActionsValidateAllAPI(Resource):
+
+    decorators = [
+        limiter.limit(EnvironmentConfig.DEFAULT_RATE_LIMIT_THRESHOLD, methods=["POST"])
+    ]
+
     @token_auth.login_required
     def post(self, project_id):
         """
@@ -713,6 +734,11 @@ def post(self, project_id):
 
 
 class TasksActionsInvalidateAllAPI(Resource):
+
+    decorators = [
+        limiter.limit(EnvironmentConfig.DEFAULT_RATE_LIMIT_THRESHOLD, methods=["POST"])
+    ]
+
     @token_auth.login_required
     def post(self, project_id):
         """
@@ -770,6 +796,11 @@ def post(self, project_id):
 
 
 class TasksActionsResetBadImageryAllAPI(Resource):
+
+    decorators = [
+        limiter.limit(EnvironmentConfig.DEFAULT_RATE_LIMIT_THRESHOLD, methods=["POST"])
+    ]
+
     @token_auth.login_required
     def post(self, project_id):
         """
@@ -829,6 +860,11 @@ def post(self, project_id):
 
 
 class TasksActionsResetAllAPI(Resource):
+
+    decorators = [
+        limiter.limit(EnvironmentConfig.DEFAULT_RATE_LIMIT_THRESHOLD, methods=["POST"])
+    ]
+
     @token_auth.login_required
     def post(self, project_id):
         """

diff --git a/backend/api/teams/actions.py b/backend/api/teams/actions.py
@@ -2,6 +2,7 @@
 from schematics.exceptions import DataError
 import threading
 
+from backend import limiter, EnvironmentConfig
 from backend.models.dtos.message_dto import MessageDTO
 from backend.services.team_service import TeamService, NotFound, TeamJoinNotAllowed
 from backend.services.users.authentication_service import token_auth, tm
@@ -252,6 +253,11 @@ def post(self, team_id):
 
 
 class TeamsActionsMessageMembersAPI(Resource):
+
+    decorators = [
+        limiter.limit(EnvironmentConfig.DEFAULT_RATE_LIMIT_THRESHOLD, methods=["POST"])
+    ]
+
     @token_auth.login_required
     def post(self, team_id):
         """

diff --git a/backend/api/users/actions.py b/backend/api/users/actions.py
@@ -1,6 +1,7 @@
 from flask_restful import Resource, current_app, request
 from schematics.exceptions import DataError
 
+from backend import limiter, EnvironmentConfig
 from backend.models.dtos.user_dto import UserDTO, UserRegisterEmailDTO
 from backend.services.messaging.message_service import MessageService
 from backend.services.users.authentication_service import token_auth, tm
@@ -314,6 +315,11 @@ def patch(self):
 
 
 class UsersActionsRegisterEmailAPI(Resource):
+
+    decorators = [
+        limiter.limit(EnvironmentConfig.DEFAULT_RATE_LIMIT_THRESHOLD, methods=["POST"])
+    ]
+
     def post(self):
         """
         Registers users without OpenStreetMap account

diff --git a/backend/api/users/statistics.py b/backend/api/users/statistics.py
@@ -2,6 +2,7 @@
 from datetime import date, timedelta
 from flask_restful import Resource, request, current_app
 
+from backend import limiter, EnvironmentConfig
 from backend.services.users.user_service import UserService, NotFound
 from backend.services.stats_service import StatsService
 from backend.services.interests_service import InterestService
@@ -98,6 +99,11 @@ def get(self, user_id):
 
 
 class UsersStatisticsAllAPI(Resource):
+
+    decorators = [
+        limiter.limit(EnvironmentConfig.DEFAULT_RATE_LIMIT_THRESHOLD, methods=["GET"])
+    ]
+
     @token_auth.login_required
     def get(self):
         """

diff --git a/backend/api/users/tasks.py b/backend/api/users/tasks.py
@@ -1,11 +1,17 @@
 from flask_restful import Resource, current_app, request
 from dateutil.parser import parse as date_parse
 
+from backend import limiter, EnvironmentConfig
 from backend.services.users.authentication_service import token_auth
 from backend.services.users.user_service import UserService, NotFound
 
 
 class UsersTasksAPI(Resource):
+
+    decorators = [
+        limiter.limit(EnvironmentConfig.DEFAULT_RATE_LIMIT_THRESHOLD, methods=["GET"])
+    ]
+
     @token_auth.login_required
     def get(self, user_id):
         """