Need Rate Limiting on Basis of Request Body for a POST API

[shivamneeraj2311]

We have a FASTAPI Post Route, where we want to rate limit based on a parameter passed in the request body. How to achieve this behaviour in a slowapi decorator? So that key_func reads the request body.

[sumitbrahme]

I am also facing the same issue.

[laurentS]

I think #13 might help.

As a side note, I converted the issue into a discussion. The issue tracker is meant for bug reporting, etc... rather than Q&A like this.

[thentgesMindee]

I think for it to work correctly, the lib would need to be reworked a bit, from a decorator to a dependency.
The main issue here, if I reckon well, is that you parse the body using fastAPI's default dependencies, meaning you don't have access to it in your decorator (since decorators are executed before the actual dependencies, by design).

In one of our project we have a very ugly but working method to kind of use slowapi as a dependency without rewriting the whole lib. I could maybe share it somewhere (for some reason, I though I already did in a previous issue but couldn't find it) for reference, if you confirm that I understood the issue correctly

[shivamneeraj2311]

Yes @thentgesMindee we are trying to access the POST Request Body, in the decorator. If you can search for it, can you please put the reference of the workaround solution here?

[thentgesMindee]

Hey sorry about that, I answered in your other comment here: #179 (reply in thread)

[shivamneeraj2311]

Yes @thentgesMindee we are trying to access the POST Request Body, in the decorator. If you can search for it, can you please put the reference of the workaround solution here?

[thentgesMindee]

sure, sorry for the time I took! Here is a quick example, with comments:

async def limit_dependency(request: Request):
    # slowapi package is only designed to work as a decorator @limiter.limit
    # but fastapi intended to use Dependency Injection system, 
    # that means that we do not have access to that data on decorator execution step.
    # This function is kinda weird, but it allows us to use slowapi as is and integrate it
    # into our app dependencies workflow
    limiter: Limiter = request.app.state.limiter

    # we use this decorator as a trick, so that the limiter key use the endpoint func path
    # instead of our dummy func here.
    # Using @wraps would cause error since it would change the signature. Since slowapi only
    # relies on func.__module__ and func.__name__ to generate the keys, we can just override those.
    # without this, the key func would always be the same: "<path_to_this_file>.get_limit.dummy"
    @_set_name_from_func(request.scope.get("endpoint"))
    async def dummy(request: Request):
        pass

    key_func = ...
    limit_value = ... 
    
    # we need that trick since we apply decorator several times to the function with same name
    limiter._route_limits.pop(f"{dummy.__module__}.{dummy.__name__}", None)
    check_request_limit = limiter.limit(
        key_func=key_func,
        limit_value=limit_value,
    )(dummy)
    
    return await check_request_limit(request)
    
    
def _set_name_from_func(func):
    def decorator(f):
        f.__name__ = func.__name__
        f.__module__ = func.__module__
        return f

    return decorator

NOTE: this may work only if you use the key_style="endpoint" parameter when instantiating your limiter class here, since we use @_set_name_from_func(request.scope.get("endpoint")).

on the lines I left limit_value = ... and key_func = ..., since you're now in a dependency, you can inject other dependency and use them here, to retrieve your limit value (ex: the fastAPI dependency giving you access to the POST body).

Then, you can simply add your limiter by using this dependency that way:

@router.post(...)
async def my_endpoint(_=Depends(limit_dependency)):
    ...

This will raise the appropriate errors / stop the execution in case the limiter triggers, but execute the rest of the endpoint code in case limits are not reached.

Let me know if it helped you!

[thentgesMindee]

cc @laurentS maybe we could add this to the docs, at least until we have a better way to use slowAPI as a dependency ?

[shivamneeraj2311]

Hey @thentgesMindee - This helps. Thanks a lot.

[thentgesMindee]

perfect, I marked this comment as answer then, let us know if you need any more help