ScopedRateThrottle is a rate limiting mechanism provided by Django Rest Framework (DRF) that allows you to limit the number of API requests a user can make within a given time period. In order to prevent abuse of the API and ensure fair usage among users, it is necessary for users to use the API fairly. Therefore, users must be mindful of their usage to maintain fairness. As a result, the API will function efficiently without any issues.
ScopedRateThrottle works by creating a scope for each user based on their IP address, username, or any other attribute you choose. Within that scope, you can set a rate limit for the number of requests a user can make per second, minute, or any other time period you choose.
To use ScopedRateThrottle, you first need to add it to your DRF settings. You can make this change in your project’s settings.py file.
REST_FRAMEWORK = {
'DEFAULT_THROTTLE_CLASSES': [
'rest_framework.throttling.ScopedRateThrottle',
],
'DEFAULT_THROTTLE_RATES': {
'user': '1000/day',
'ip': '100/hour',
}
}
In this example, we have set two throttle rates, one for ‘user’ and one for ‘ip’. The user throttle limits the number of requests to 1000 per day, while the IP throttle limits the number of requests to 100 per hour.
First, you should utilize the throttle_classes attribute to add a throttle_scope to your view or viewset. This will enable you to specify the scope to which the throttling should be applied.
class MyViewSet(viewsets.ModelViewSet):
throttle_classes = [ScopedRateThrottle]
throttle_scope = 'user'
...
In this example, we have set the throttle_scope to ‘user’, so the rate limit set for ‘user’ in the DRF settings will be applied to this viewset.
ScopedRateThrottle is a useful tool for managing API usage and preventing abuse. By setting appropriate rate limits, you can ensure that your API is used fairly and efficiently by all users.
A Simple Project on ScopedRateThrottle in Django
- Create a new Django project and app:
$ django-admin startproject rate_limiting_project
$ cd rate_limiting_project
$ python manage.py startapp api
- Add the ‘rest_framework’ and ‘api’ app to your INSTALLED_APPS setting in settings.py:
INSTALLED_APPS = [
'rest_framework',
'api',
...
]
- Create a simple view that returns a list of products:
# api/views.py
from rest_framework.views import APIView
from rest_framework.response import Response
class ProductList(APIView):
def get(self, request):
products = ['Product 1', 'Product 2', 'Product 3']
return Response(products)
- Define the ScopedRateThrottle classes in api/throttling.py:
# api/throttling.py
from rest_framework.throttling import SimpleRateThrottle, ScopedRateThrottle
class UserScopedRateThrottle(ScopedRateThrottle):
"""
Limits the rate of API requests that may be made by a given user.
"""
scope_attr = 'user'
class IpScopedRateThrottle(ScopedRateThrottle):
"""
Limits the rate of API requests that may be made from a given IP address.
"""
scope_attr = 'ip'
- Add the ScopedRateThrottle settings to your DRF settings in settings.py:
# settings.py
REST_FRAMEWORK = {
'DEFAULT_THROTTLE_CLASSES': [
'api.throttling.UserScopedRateThrottle',
'api.throttling.IpScopedRateThrottle',
],
'DEFAULT_THROTTLE_RATES': {
'user': '5/hour',
'ip': '10/hour',
},
}
In this example, we have set the rate limit for ‘user’ to 5 requests per hour, and the rate limit for ‘ip’ to 10 requests per hour.
- Add the ProductList view to your urls.py file in the api app:
# api/urls.py
from django.urls import path
from .views import ProductList
urlpatterns = [
path('products/', ProductList.as_view()),
]
- Run the development server and test the API:
$ python manage.py runserver
- Open your web browser and go to http://127.0.0.1:8000/products/. You should see a list of products. If you refresh the page more than 5 times per hour (or 10 times from the same IP address), you should receive a 429 Too Many Requests error.
That’s it! You have successfully implemented ScopedRateThrottle in your Django Rest Framework project.
