@@ -20,10 +20,10 @@ Introduction
2020
2121After the last 1.6.0 Release, a REST-API developed in 2015 during a
2222Google Summer of Code (GSOC) by Chau Nguyen, supervised by Ezio
23- Melotti was integrated. The code was updated by Ralf Schlatterbeck
24- and John Rouillard to fix some shortcomings and provide the necessary
25- functions for a single page web application, e.g. etag support,
26- pagination, field embedding among others.
23+ Melotti was integrated. The code was updated by Ralf Schlatterbeck and
24+ John Rouillard to address some limitations and incorporate essential
25+ features for a single page web application, such as etag support,
26+ pagination, and field embedding, among others.
2727
2828Enabling the REST API
2929=====================
@@ -81,46 +81,48 @@ Rate Limiting API Failed Logins
8181-------------------------------
8282
8383To make brute force password guessing harder, the REST API has an
84- invalid login rate limiter. It rate limits the number of failed login
85- attempts with an invalid user or password. Valid login attempts are
86- managed by the normal API rate limiter. The rate limiter is a GCRA
87- leaky bucket variant. All APIs (REST/XMLRPC) share the same rate
88- limiter. The rate limiter for the HTML/web interface is not shared by
84+ invalid login rate limiter. This feature restricts the number of
85+ failed login attempts made with an invalid user or
86+ password. Successful login attempts are limited by the normal API rate
87+ limiter. The rate limiter is a GCRA leaky bucket variant, which is
88+ shared by all API (REST/XMLRPC) endpoints. However it is important to
89+ note that the rate limiter for the HTML/web interface is not shared by
8990the API failed login rate limiter.
9091
91- It is configured by settings in config.ini. Setting
92- ``api_failed_login_limit`` to a non-zero value enabled the limiter.
93- Setting it to 0 disables the limiter (not suggested). If a user fails
94- to log in more than ``api_failed_login_limit`` times in
92+ It is configured through the settings in config.ini. By setting the
93+ value of ``api_failed_login_limit`` to a non-zero value, the limiter
94+ is enabled. Setting it to 0 will disables the limiter (although this
95+ is not recommended). If a user fails to log in more than
96+ ``api_failed_login_limit`` times in
9597``api_failed_login_interval_in_sec`` seconds, a 429 HTTP error will be
96- returned. The error also tell the user how long they must wait to try
97- to log in again.
98-
99- When a 429 error is returned, the account is locked until enough time
100- has passed
101- (``api_failed_login_interval_in_sec/api_failed_login_limit`` seconds)
102- to make one additional login token available. Any attempt to log in
103- while it is locked will fail. This is true even if a the correct
104- password is supplied for a locked account. This means a brute force
105- attempt can't try more than one password every
106- ``api_failed_login_interval_in_sec/api_failed_login_limit`` seconds on
107- average.
108-
109- The default values allow up to 4 attempts to login before delaying the
110- user by 2.5 minutes (150 seconds). At this time there is no supported
111- method to reset the rate limiter.
98+ returned. The error message also tells the user how long to wait
99+ before trying to log in again.
100+
101+ When a 429 error is returned, the associated account will be
102+ temporarily locked until sufficient time has elapsed to generate an
103+ additional login token. This time period is determined by the values
104+ of the ``api_failed_login_interval_in_sec`` and ``api_failed_login_limit``
105+ parameters. Any login attempts made during this lockout period will be
106+ unsuccessful, even if the correct password is provided. This
107+ effectively prevents brute force attacks from attempting more than one
108+ password every
109+ ``api_failed_login_interval_in_sec/api_failed_login_limit`` seconds on average.
110+
111+ The system's default settings permit a maximum of four login attempts,
112+ after which the user will experience a delay of 2.5 minutes (150
113+ seconds). Currently, there is no established procedure for resetting
114+ the rate limiter.
112115
113116Rate Limiting the API
114117---------------------
115118
116- This is a work in progress. This version of roundup includes Rate
117- Limiting for the API (which is different from rate limiting login
118- attempts on the web interface).
119+ Roundup includes Rate Limiting for the API, which is distinct from
120+ rate limiting login attempts on the web interface.
119121
120- It is enabled by setting the ``api_calls_per_interval`` and
121- ``api_interval_in_sec`` configuration parameters in the ``[web]``
122- section of ``config.ini``. The settings are documented in the
123- config.ini file.
122+ This feature can be enabled by setting the ``api_calls_per_interval``
123+ and ``api_interval_in_sec`` configuration parameters in the ``[web]``
124+ section of the ``config.ini`` file. Details for these settings are
125+ documented in the same file.
124126
125127If ``api_calls_per_interval = 60`` and ``api_interval_in_sec = 60``
126128the user can make 60 calls in a minute. They can use them all up in the
@@ -135,16 +137,19 @@ values that permit one call per second on average: 1/1, 60/60,
1351373600/3600, but they all have a different maximum burst rates: 1/sec,
13613860/sec and 3600/sec.
137139
138- A single page app may make 20 or 30 calls to populate the page (e.g. a
139- list of open issues). Then wait a few seconds for the user to select
140- an issue. When displaying the issue, it needs another 20 or calls to
141- populate status dropdowns, pull the first 10 messages in the issue
142- etc. Controlling the burst rate as well as the average rate is a
143- tuning exercise left for the tracker admin.
144-
145- Also the rate limit is a little lossy. Under heavy load, it is
146- possible for it to miscount allowing more than burst count. Errors of
147- up to 10% have been seen on slower hardware.
140+ In practice, a single page app may require 20 or 30 API calls to
141+ populate the page with data, followed by a few seconds of waiting for
142+ the user to select an issue. When displaying the issue, another 20 or
143+ more calls may be needed to populate status dropdowns, retrieve the
144+ first 10 messages in the issue, and so on. Therefore, controlling both
145+ the burst rate and the average rate is a tuning exercise that is left
146+ to the tracker admin.
147+
148+ It is worth noting that the rate limit feature may be slightly lossy,
149+ meaning that under heavy load, it may miscount and allow more than the
150+ burst count. On slower hardware, errors of up to 10% have been
151+ observed. Using redis, PostgreSQL, or MySQL for storing ephemeral data
152+ minimizes the loss.
148153
149154Client API
150155==========
0 commit comments