Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

fix: auth rate limit docs and default rate #1997

Merged
merged 3 commits into from
Feb 23, 2023
Merged
Show file tree
Hide file tree
Changes from all commits
Commits
File filter

Filter by extension

Filter by extension

Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
130 changes: 65 additions & 65 deletions flask_appbuilder/api/__init__.py
Original file line number Diff line number Diff line change
Expand Up @@ -244,78 +244,78 @@ class BaseApi(AbstractViewApi):

version: Optional[str] = "v1"
"""
Define the Api version for this resource/class
Define the Api version for this resource/class
"""
route_base: Optional[str] = None
"""
Define the route base where all methods will suffix from
Define the route base where all methods will suffix from
"""
resource_name: Optional[str] = None
"""
Defines a custom resource name, overrides the inferred from Class name
makes no sense to use it with route base
Defines a custom resource name, overrides the inferred from Class name
makes no sense to use it with route base
"""
base_permissions: Optional[List[str]] = None
"""
A list of allowed base permissions::
A list of allowed base permissions::

class ExampleApi(BaseApi):
base_permissions = ['can_get']
class ExampleApi(BaseApi):
base_permissions = ['can_get']

"""
class_permission_name: Optional[str] = None
"""
Override class permission name default fallback to self.__class__.__name__
Override class permission name default fallback to self.__class__.__name__
"""
previous_class_permission_name: Optional[str] = None
"""
If set security converge will replace all permissions tuples
with this name by the class_permission_name or self.__class__.__name__
If set security converge will replace all permissions tuples
with this name by the class_permission_name or self.__class__.__name__
"""
method_permission_name: Optional[Dict[str, str]] = None
"""
Override method permission names, example::
Override method permission names, example::

method_permissions_name = {
'get_list': 'read',
'get': 'read',
'put': 'write',
'post': 'write',
'delete': 'write'
}
method_permissions_name = {
'get_list': 'read',
'get': 'read',
'put': 'write',
'post': 'write',
'delete': 'write'
}
"""
previous_method_permission_name: Optional[Dict[str, str]] = None
"""
Use same structure as method_permission_name. If set security converge
will replace all method permissions by the new ones
Use same structure as method_permission_name. If set security converge
will replace all method permissions by the new ones
"""
allow_browser_login = False
"""
Will allow flask-login cookie authorization on the API
default is False.
Will allow flask-login cookie authorization on the API
default is False.
"""
csrf_exempt = True
"""
If using flask-wtf CSRFProtect exempt the API from check
If using flask-wtf CSRFProtect exempt the API from check
"""
apispec_parameter_schemas: Optional[Dict[str, Dict[str, Any]]] = None
"""
Set your custom Rison parameter schemas here so that
they get registered on the OpenApi spec::
Set your custom Rison parameter schemas here so that
they get registered on the OpenApi spec::

custom_parameter = {
"type": "object"
"properties": {
"name": {
"type": "string"
}
custom_parameter = {
"type": "object"
"properties": {
"name": {
"type": "string"
}
}
}

class CustomApi(BaseApi):
apispec_parameter_schemas = {
"custom_parameter": custom_parameter
}
class CustomApi(BaseApi):
apispec_parameter_schemas = {
"custom_parameter": custom_parameter
}
"""
_apispec_parameter_schemas: Optional[Dict[str, Dict[str, Any]]] = None

Expand Down Expand Up @@ -404,66 +404,66 @@ class Schema1(Schema):
},
}
"""
Override custom OpenApi responses
Override custom OpenApi responses
"""

exclude_route_methods: Set[str] = set()
"""
Does not register routes for a set of builtin ModelRestApi functions.
example::
Does not register routes for a set of builtin ModelRestApi functions.
example::

class ContactModelView(ModelRestApi):
datamodel = SQLAInterface(Contact)
exclude_route_methods = {"info", "get_list", "get"}
class ContactModelView(ModelRestApi):
datamodel = SQLAInterface(Contact)
exclude_route_methods = {"info", "get_list", "get"}


The previous examples will only register the `put`, `post` and `delete` routes
The previous examples will only register the `put`, `post` and `delete` routes
"""
include_route_methods: Optional[Set[str]] = None
"""
If defined will assume a white list setup, where all endpoints are excluded
except those define on this attribute
example::
If defined will assume a white list setup, where all endpoints are excluded
except those define on this attribute
example::

class ContactModelView(ModelRestApi):
datamodel = SQLAInterface(Contact)
include_route_methods = {"list"}
class ContactModelView(ModelRestApi):
datamodel = SQLAInterface(Contact)
include_route_methods = {"list"}


The previous example will exclude all endpoints except the `list` endpoint
The previous example will exclude all endpoints except the `list` endpoint
"""
openapi_spec_methods: Dict[str, Any] = {}
"""
Merge OpenAPI spec defined on the method's doc.
For example to merge/override `get_list`::
Merge OpenAPI spec defined on the method's doc.
For example to merge/override `get_list`::


class GreetingApi(BaseApi):
resource_name = "greeting"
openapi_spec_methods = {
"greeting": {
"get": {
"description": "Override description",
}
class GreetingApi(BaseApi):
resource_name = "greeting"
openapi_spec_methods = {
"greeting": {
"get": {
"description": "Override description",
}
}
}
"""
openapi_spec_tag: Optional[str] = None
"""
By default all endpoints will be tagged (grouped) to their class name.
Use this attribute to override the tag name
By default all endpoints will be tagged (grouped) to their class name.
Use this attribute to override the tag name
"""

limits: Optional[List[Limit]] = None
"""
List of limits for this api.
List of limits for this api.

Use it like this if you want to restrict the rate of requests to a view:
Use it like this if you want to restrict the rate of requests to a view::

class MyView(ModelView):
limits = [Limit("2 per 5 second")]
class MyView(ModelView):
limits = [Limit("2 per 5 second")]

or use the decorator @limit.
or use the decorator @limit.
"""

def __init__(self) -> None:
Expand Down
2 changes: 1 addition & 1 deletion flask_appbuilder/security/manager.py
Original file line number Diff line number Diff line change
Expand Up @@ -259,7 +259,7 @@ def __init__(self, appbuilder):

# Rate limiting
app.config.setdefault("AUTH_RATE_LIMITED", True)
app.config.setdefault("AUTH_RATE_LIMIT", "2 per 5 second")
app.config.setdefault("AUTH_RATE_LIMIT", "10 per 20 second")

if self.auth_type == AUTH_OID:
from flask_openid import OpenID
Expand Down
1 change: 1 addition & 0 deletions flask_appbuilder/tests/security/test_rate_limiter.py
Original file line number Diff line number Diff line change
Expand Up @@ -17,6 +17,7 @@ def setUp(self):
self.app.jinja_env.undefined = jinja2.StrictUndefined
self.app.config.from_object("flask_appbuilder.tests.config_api")
self.app.config["RATELIMIT_ENABLED"] = True
self.app.config["AUTH_RATE_LIMIT"] = "2 per 5 second"
logging.basicConfig(level=logging.ERROR)

self.db = SQLA(self.app)
Expand Down