zanewalker
da496746bb
- Core rate limiting with multiple algorithms (sliding window, token bucket, etc.) - SQLite and memory backends - Decorator and dependency injection patterns - Middleware support - Example usage files
240 lines
6.2 KiB
Markdown
240 lines
6.2 KiB
Markdown
# FastAPI Traffic
|
|
|
|
Production-grade rate limiting for FastAPI with multiple algorithms and storage backends.
|
|
|
|
## Features
|
|
|
|
- **Multiple Algorithms**: Token Bucket, Sliding Window, Fixed Window, Leaky Bucket, Sliding Window Counter
|
|
- **Multiple Backends**: In-memory (default), SQLite (persistent), Redis (distributed)
|
|
- **Decorator-based**: Simple `@rate_limit` decorator for endpoints
|
|
- **Middleware Support**: Global rate limiting via middleware
|
|
- **Dependency Injection**: Use as FastAPI dependency for more control
|
|
- **Strict Typing**: Full type hints, pyright/mypy compatible
|
|
- **Customizable**: Custom key extractors, exemptions, callbacks
|
|
- **Production Ready**: Connection pooling, async support, proper error handling
|
|
|
|
## Installation
|
|
|
|
```bash
|
|
# Basic installation (memory backend only)
|
|
pip install fastapi-traffic
|
|
|
|
# With Redis support
|
|
pip install fastapi-traffic[redis]
|
|
|
|
# With all extras
|
|
pip install fastapi-traffic[all]
|
|
```
|
|
|
|
## Quick Start
|
|
|
|
### Basic Usage with Decorator
|
|
|
|
```python
|
|
from fastapi import FastAPI, Request
|
|
from fastapi_traffic import rate_limit
|
|
|
|
app = FastAPI()
|
|
|
|
@app.get("/api/resource")
|
|
@rate_limit(100, 60) # 100 requests per 60 seconds
|
|
async def get_resource(request: Request):
|
|
return {"message": "Hello, World!"}
|
|
```
|
|
|
|
### Using Different Algorithms
|
|
|
|
```python
|
|
from fastapi_traffic import rate_limit, Algorithm
|
|
|
|
# Token Bucket - allows bursts
|
|
@app.get("/api/burst")
|
|
@rate_limit(100, 60, algorithm=Algorithm.TOKEN_BUCKET, burst_size=20)
|
|
async def burst_endpoint(request: Request):
|
|
return {"message": "Burst allowed"}
|
|
|
|
# Sliding Window - precise rate limiting
|
|
@app.get("/api/precise")
|
|
@rate_limit(100, 60, algorithm=Algorithm.SLIDING_WINDOW)
|
|
async def precise_endpoint(request: Request):
|
|
return {"message": "Precise limiting"}
|
|
|
|
# Fixed Window - simple and efficient
|
|
@app.get("/api/simple")
|
|
@rate_limit(100, 60, algorithm=Algorithm.FIXED_WINDOW)
|
|
async def simple_endpoint(request: Request):
|
|
return {"message": "Fixed window"}
|
|
```
|
|
|
|
### Custom Key Extraction
|
|
|
|
```python
|
|
def api_key_extractor(request: Request) -> str:
|
|
"""Rate limit by API key instead of IP."""
|
|
return request.headers.get("X-API-Key", "anonymous")
|
|
|
|
@app.get("/api/by-key")
|
|
@rate_limit(1000, 3600, key_extractor=api_key_extractor)
|
|
async def api_key_endpoint(request: Request):
|
|
return {"message": "Rate limited by API key"}
|
|
```
|
|
|
|
### Using SQLite Backend (Persistent)
|
|
|
|
```python
|
|
from fastapi_traffic import RateLimiter, SQLiteBackend
|
|
from fastapi_traffic.core.limiter import set_limiter
|
|
|
|
# Configure persistent storage
|
|
backend = SQLiteBackend("rate_limits.db")
|
|
limiter = RateLimiter(backend)
|
|
set_limiter(limiter)
|
|
|
|
@app.on_event("startup")
|
|
async def startup():
|
|
await limiter.initialize()
|
|
|
|
@app.on_event("shutdown")
|
|
async def shutdown():
|
|
await limiter.close()
|
|
```
|
|
|
|
### Using Redis Backend (Distributed)
|
|
|
|
```python
|
|
from fastapi_traffic import RateLimiter
|
|
from fastapi_traffic.backends.redis import RedisBackend
|
|
|
|
# Create Redis backend
|
|
backend = await RedisBackend.from_url("redis://localhost:6379/0")
|
|
limiter = RateLimiter(backend)
|
|
set_limiter(limiter)
|
|
```
|
|
|
|
### Global Middleware
|
|
|
|
```python
|
|
from fastapi_traffic.middleware import RateLimitMiddleware
|
|
|
|
app.add_middleware(
|
|
RateLimitMiddleware,
|
|
limit=1000,
|
|
window_size=60,
|
|
exempt_paths={"/health", "/docs"},
|
|
exempt_ips={"127.0.0.1"},
|
|
)
|
|
```
|
|
|
|
### Dependency Injection
|
|
|
|
```python
|
|
from fastapi import Depends
|
|
from fastapi_traffic.core.decorator import RateLimitDependency
|
|
|
|
rate_dep = RateLimitDependency(limit=100, window_size=60)
|
|
|
|
@app.get("/api/with-info")
|
|
async def endpoint_with_info(
|
|
request: Request,
|
|
rate_info = Depends(rate_dep)
|
|
):
|
|
return {
|
|
"remaining": rate_info.remaining,
|
|
"reset_at": rate_info.reset_at,
|
|
}
|
|
```
|
|
|
|
### Exception Handling
|
|
|
|
```python
|
|
from fastapi_traffic import RateLimitExceeded
|
|
|
|
@app.exception_handler(RateLimitExceeded)
|
|
async def rate_limit_handler(request: Request, exc: RateLimitExceeded):
|
|
return JSONResponse(
|
|
status_code=429,
|
|
content={
|
|
"error": "rate_limit_exceeded",
|
|
"retry_after": exc.retry_after,
|
|
},
|
|
headers=exc.limit_info.to_headers() if exc.limit_info else {},
|
|
)
|
|
```
|
|
|
|
## Algorithms
|
|
|
|
| Algorithm | Description | Use Case |
|
|
|-----------|-------------|----------|
|
|
| `TOKEN_BUCKET` | Allows bursts up to bucket capacity | APIs that need burst handling |
|
|
| `SLIDING_WINDOW` | Precise request counting | High-accuracy rate limiting |
|
|
| `FIXED_WINDOW` | Simple time-based windows | Simple, low-overhead limiting |
|
|
| `LEAKY_BUCKET` | Smooths out request rate | Consistent throughput |
|
|
| `SLIDING_WINDOW_COUNTER` | Balance of precision and efficiency | General purpose (default) |
|
|
|
|
## Backends
|
|
|
|
### MemoryBackend (Default)
|
|
- In-memory storage with LRU eviction
|
|
- Best for single-process applications
|
|
- No persistence across restarts
|
|
|
|
### SQLiteBackend
|
|
- Persistent storage using SQLite
|
|
- WAL mode for better performance
|
|
- Suitable for single-node deployments
|
|
|
|
### RedisBackend
|
|
- Distributed storage using Redis
|
|
- Required for multi-node deployments
|
|
- Supports atomic operations via Lua scripts
|
|
|
|
## Configuration Options
|
|
|
|
```python
|
|
@rate_limit(
|
|
limit=100, # Max requests in window
|
|
window_size=60.0, # Window size in seconds
|
|
algorithm=Algorithm.SLIDING_WINDOW_COUNTER,
|
|
key_prefix="api", # Prefix for rate limit keys
|
|
key_extractor=func, # Custom key extraction function
|
|
burst_size=None, # Burst size (token/leaky bucket)
|
|
include_headers=True, # Add rate limit headers to response
|
|
error_message="...", # Custom error message
|
|
status_code=429, # HTTP status when limited
|
|
skip_on_error=False, # Skip limiting on backend errors
|
|
cost=1, # Cost per request
|
|
exempt_when=func, # Function to check exemption
|
|
on_blocked=func, # Callback when request is blocked
|
|
)
|
|
```
|
|
|
|
## Response Headers
|
|
|
|
When `include_headers=True`, responses include:
|
|
|
|
- `X-RateLimit-Limit`: Maximum requests allowed
|
|
- `X-RateLimit-Remaining`: Remaining requests in window
|
|
- `X-RateLimit-Reset`: Unix timestamp when limit resets
|
|
- `Retry-After`: Seconds until retry (when rate limited)
|
|
|
|
## Development
|
|
|
|
```bash
|
|
# Install dev dependencies
|
|
pip install -e ".[dev]"
|
|
|
|
# Run tests
|
|
pytest
|
|
|
|
# Type checking
|
|
pyright
|
|
|
|
# Linting
|
|
ruff check .
|
|
ruff format .
|
|
```
|
|
|
|
## License
|
|
|
|
MIT License
|