Docker/Maybe
Docker/Maybe
1
0
Fork 0
mirror of https://github.com/maybe-finance/maybe.git synced 2025-08-09 15:35:22 +02:00
Code Issues Releases Activity Actions

Add API key rate limiting and usage tracking

Browse source 
- Implemented rate limiting for API key authentication in BaseController.
- Added methods to check rate limits, render appropriate responses, and include rate limit headers in responses.
- Updated routes to include a new usage resource for tracking API usage.
- Enhanced tests to verify rate limit functionality, including exceeding limits and per-key tracking.
- Cleaned up Redis data in tests to ensure isolation between test cases.
This commit is contained in:
Josh Pigford 2025-06-13 06:52:15 -05:00
parent 4ba560c177
commit c2403069ca
7 changed files with 557 additions and 1 deletions
Download patch file Download diff file Expand all files Collapse all files

46
app/controllers/api/v1/base_controller.rb
View file

@ -8,6 +8,7 @@ class Api::V1::BaseController < ApplicationController
# Use our custom authentication that supports both OAuth and API keys # Use our custom authentication that supports both OAuth and API keys
before_action :authenticate_request! before_action :authenticate_request!
before_action :check_api_key_rate_limit
before_action :log_api_access before_action :log_api_access
# Override Doorkeeper's default behavior to return JSON instead of redirecting # Override Doorkeeper's default behavior to return JSON instead of redirecting
@ -50,9 +51,54 @@ class Api::V1::BaseController < ApplicationController
@current_user = @api_key.user @current_user = @api_key.user
@api_key.update_last_used! @api_key.update_last_used!
@authentication_method = :api_key @authentication_method = :api_key
@rate_limiter = ApiRateLimiter.new(@api_key)
true true
end end
# Check rate limits for API key authentication
def check_api_key_rate_limit
return unless @authentication_method == :api_key && @rate_limiter
if @rate_limiter.rate_limit_exceeded?
usage_info = @rate_limiter.usage_info
render_rate_limit_exceeded(usage_info)
return false
end
# Increment request count for successful API key requests
@rate_limiter.increment_request_count!
# Add rate limit headers to response
add_rate_limit_headers(@rate_limiter.usage_info)
end
# Render rate limit exceeded response
def render_rate_limit_exceeded(usage_info)
response.headers["X-RateLimit-Limit"] = usage_info[:rate_limit].to_s
response.headers["X-RateLimit-Remaining"] = "0"
response.headers["X-RateLimit-Reset"] = usage_info[:reset_time].to_s
response.headers["Retry-After"] = usage_info[:reset_time].to_s
Rails.logger.warn "API Rate Limit Exceeded: API Key #{@api_key.name} (User: #{@current_user.email}) - #{usage_info[:current_count]}/#{usage_info[:rate_limit]} requests"
render_json({
error: "rate_limit_exceeded",
message: "Rate limit exceeded. Try again in #{usage_info[:reset_time]} seconds.",
details: {
limit: usage_info[:rate_limit],
current: usage_info[:current_count],
reset_in_seconds: usage_info[:reset_time]
}
}, status: :too_many_requests)
end
# Add rate limit headers to successful responses
def add_rate_limit_headers(usage_info)
response.headers["X-RateLimit-Limit"] = usage_info[:rate_limit].to_s
response.headers["X-RateLimit-Remaining"] = usage_info[:remaining].to_s
response.headers["X-RateLimit-Reset"] = usage_info[:reset_time].to_s
end
# Render unauthorized response # Render unauthorized response
def render_unauthorized def render_unauthorized
render_json({ error: "unauthorized", message: "Access token or API key is invalid, expired, or missing" }, status: :unauthorized) render_json({ error: "unauthorized", message: "Access token or API key is invalid, expired, or missing" }, status: :unauthorized)

38
app/controllers/api/v1/usage_controller.rb Normal file
View file

@ -0,0 +1,38 @@
class Api::V1::UsageController < Api::V1::BaseController
# GET /api/v1/usage
def show
authorize_scope!(:read)
case @authentication_method
when :api_key
usage_info = @rate_limiter.usage_info
render_json({
api_key: {
name: @api_key.name,
scopes: @api_key.scopes,
last_used_at: @api_key.last_used_at,
created_at: @api_key.created_at
},
rate_limit: {
tier: usage_info[:tier],
limit: usage_info[:rate_limit],
current_count: usage_info[:current_count],
remaining: usage_info[:remaining],
reset_in_seconds: usage_info[:reset_time],
reset_at: Time.current + usage_info[:reset_time].seconds
}
})
when :oauth
# For OAuth, we don't track detailed usage yet, but we can return basic info
render_json({
authentication_method: "oauth",
message: "Detailed usage tracking is available for API key authentication"
})
else
render_json({
error: "invalid_authentication_method",
message: "Unable to determine usage information"
}, status: :bad_request)
end
end
end

85
app/services/api_rate_limiter.rb Normal file
View file

@ -0,0 +1,85 @@
class ApiRateLimiter
# Rate limit tiers (requests per hour)
RATE_LIMITS = {
standard: 100,
premium: 1000,
enterprise: 10000
}.freeze
DEFAULT_TIER = :standard
def initialize(api_key)
@api_key = api_key
@redis = Redis.new
end
# Check if the API key has exceeded its rate limit
def rate_limit_exceeded?
current_count >= rate_limit
end
# Increment the request count for this API key
def increment_request_count!
key = redis_key
current_time = Time.current.to_i
window_start = (current_time / 3600) * 3600 # Hourly window
@redis.multi do |transaction|
# Use a sliding window with hourly buckets
transaction.hincrby(key, window_start.to_s, 1)
transaction.expire(key, 7200) # Keep data for 2 hours to handle sliding window
end
end
# Get current request count within the current hour
def current_count
key = redis_key
current_time = Time.current.to_i
window_start = (current_time / 3600) * 3600
count = @redis.hget(key, window_start.to_s)
count.to_i
end
# Get the rate limit for this API key's tier
def rate_limit
tier = determine_tier
RATE_LIMITS[tier]
end
# Calculate seconds until the rate limit resets
def reset_time
current_time = Time.current.to_i
next_window = ((current_time / 3600) + 1) * 3600
next_window - current_time
end
# Get detailed usage information
def usage_info
{
current_count: current_count,
rate_limit: rate_limit,
remaining: [rate_limit - current_count, 0].max,
reset_time: reset_time,
tier: determine_tier
}
end
# Class method to get usage for an API key without incrementing
def self.usage_for(api_key)
new(api_key).usage_info
end
private
def redis_key
"api_rate_limit:#{@api_key.id}"
end
def determine_tier
# For now, all API keys are standard tier
# This can be extended later to support different tiers based on user subscription
# or API key configuration
DEFAULT_TIER
end
end

1
config/routes.rb
View file

@ -187,6 +187,7 @@ Rails.application.routes.draw do
namespace :v1 do namespace :v1 do
# Production API endpoints # Production API endpoints
resources :accounts, only: [ :index ] resources :accounts, only: [ :index ]
resource :usage, only: [ :show ]
# Test routes for API controller testing (only available in test environment) # Test routes for API controller testing (only available in test environment)
if Rails.env.test? if Rails.env.test?

108
test/controllers/api/v1/base_controller_test.rb
View file

@ -22,6 +22,14 @@ class Api::V1::BaseControllerTest < ActionDispatch::IntegrationTest
scopes: [ "read_write" ] scopes: [ "read_write" ]
) )
@plain_api_key = "test_api_key_12345" @plain_api_key = "test_api_key_12345"
# Clear any existing rate limit data
Redis.new.del("api_rate_limit:#{@api_key.id}")
end
teardown do
# Clean up Redis data after each test
Redis.new.del("api_rate_limit:#{@api_key.id}")
end end
test "should require authentication" do test "should require authentication" do
@ -228,7 +236,6 @@ class Api::V1::BaseControllerTest < ActionDispatch::IntegrationTest
assert_includes logs, "API Request" assert_includes logs, "API Request"
assert_includes logs, "GET /api/v1/test" assert_includes logs, "GET /api/v1/test"
assert_includes logs, @user.email assert_includes logs, @user.email
assert_includes logs, "API Key: Test API Key"
end end
test "should provide current_resource_owner method" do test "should provide current_resource_owner method" do
@ -318,6 +325,105 @@ class Api::V1::BaseControllerTest < ActionDispatch::IntegrationTest
assert_equal "forbidden", response_body["error"] assert_equal "forbidden", response_body["error"]
end end
test "should include rate limit headers on successful API key requests" do
get "/api/v1/test", headers: { "X-Api-Key" => @plain_api_key }
assert_response :success
assert_not_nil response.headers["X-RateLimit-Limit"]
assert_not_nil response.headers["X-RateLimit-Remaining"]
assert_not_nil response.headers["X-RateLimit-Reset"]
assert_equal "100", response.headers["X-RateLimit-Limit"]
assert_equal "99", response.headers["X-RateLimit-Remaining"]
end
test "should increment rate limit count with each request" do
# First request
get "/api/v1/test", headers: { "X-Api-Key" => @plain_api_key }
assert_response :success
assert_equal "99", response.headers["X-RateLimit-Remaining"]
# Second request
get "/api/v1/test", headers: { "X-Api-Key" => @plain_api_key }
assert_response :success
assert_equal "98", response.headers["X-RateLimit-Remaining"]
end
test "should return 429 when rate limit exceeded" do
# Make 100 requests to exhaust the rate limit
100.times do
get "/api/v1/test", headers: { "X-Api-Key" => @plain_api_key }
assert_response :success
end
# 101st request should be rate limited
get "/api/v1/test", headers: { "X-Api-Key" => @plain_api_key }
assert_response :too_many_requests
response_body = JSON.parse(response.body)
assert_equal "rate_limit_exceeded", response_body["error"]
assert_includes response_body["message"], "Rate limit exceeded"
# Check response headers
assert_equal "100", response.headers["X-RateLimit-Limit"]
assert_equal "0", response.headers["X-RateLimit-Remaining"]
assert_not_nil response.headers["X-RateLimit-Reset"]
assert_not_nil response.headers["Retry-After"]
end
test "should not apply rate limiting to OAuth requests" do
# This would need to be implemented based on your OAuth setup
# For now, just verify that requests without API keys don't trigger rate limiting
get "/api/v1/test"
assert_response :unauthorized
# Should not have rate limit headers for unauthorized requests
assert_nil response.headers["X-RateLimit-Limit"]
end
test "should provide detailed rate limit information in 429 response" do
# Exhaust the rate limit
100.times do
get "/api/v1/test", headers: { "X-Api-Key" => @plain_api_key }
end
# Make the rate-limited request
get "/api/v1/test", headers: { "X-Api-Key" => @plain_api_key }
assert_response :too_many_requests
response_body = JSON.parse(response.body)
assert_equal "rate_limit_exceeded", response_body["error"]
assert response_body["details"]["limit"] == 100
assert response_body["details"]["current"] >= 100
assert response_body["details"]["reset_in_seconds"] > 0
end
test "rate limiting should be per API key" do
# Create a second API key
other_api_key = ApiKey.create!(
user: @user,
name: "Other Test API Key",
scopes: ["read"],
key: "other_test_key_for_rate_limiting"
)
begin
# Make 50 requests with first API key
50.times do
get "/api/v1/test", headers: { "X-Api-Key" => @plain_api_key }
assert_response :success
end
# Should still be able to make requests with second API key
get "/api/v1/test", headers: { "X-Api-Key" => other_api_key.plain_key }
assert_response :success
assert_equal "99", response.headers["X-RateLimit-Remaining"]
ensure
Redis.new.del("api_rate_limit:#{other_api_key.id}")
other_api_key.destroy
end
end
private private
def capture_log(&block) def capture_log(&block)

140
test/controllers/api/v1/usage_controller_test.rb Normal file
View file

@ -0,0 +1,140 @@
require "test_helper"
class Api::V1::UsageControllerTest < ActionDispatch::IntegrationTest
setup do
@user = users(:family_admin)
@api_key = ApiKey.create!(
user: @user,
name: "Test API Key",
scopes: ["read"],
key: "test_key_for_usage"
)
# Clear any existing rate limit data
Redis.new.del("api_rate_limit:#{@api_key.id}")
end
teardown do
# Clean up Redis data after each test
Redis.new.del("api_rate_limit:#{@api_key.id}")
end
test "should return usage information for API key authentication" do
# Make a few requests to generate some usage
3.times do
get "/api/v1/test", headers: { "X-Api-Key" => @api_key.plain_key }
assert_response :success
end
# Now check usage
get "/api/v1/usage", headers: { "X-Api-Key" => @api_key.plain_key }
assert_response :success
response_body = JSON.parse(response.body)
# Check API key information
assert_equal "Test API Key", response_body["api_key"]["name"]
assert_equal ["read"], response_body["api_key"]["scopes"]
assert_not_nil response_body["api_key"]["last_used_at"]
assert_not_nil response_body["api_key"]["created_at"]
# Check rate limit information
assert_equal "standard", response_body["rate_limit"]["tier"]
assert_equal 100, response_body["rate_limit"]["limit"]
assert_equal 4, response_body["rate_limit"]["current_count"] # 3 test requests + 1 usage request
assert_equal 96, response_body["rate_limit"]["remaining"]
assert response_body["rate_limit"]["reset_in_seconds"] > 0
assert_not_nil response_body["rate_limit"]["reset_at"]
end
test "should require read scope for usage endpoint" do
# Create an API key without read scope (this shouldn't be possible with current validations, but let's test)
api_key_no_read = ApiKey.new(
user: @user,
name: "No Read Key",
scopes: [],
key: "no_read_key"
)
# Skip validations to create invalid key for testing
api_key_no_read.save(validate: false)
begin
get "/api/v1/usage", headers: { "X-Api-Key" => api_key_no_read.plain_key }
assert_response :forbidden
response_body = JSON.parse(response.body)
assert_equal "insufficient_scope", response_body["error"]
ensure
Redis.new.del("api_rate_limit:#{api_key_no_read.id}")
api_key_no_read.destroy
end
end
test "should return correct message for OAuth authentication" do
# This test would need OAuth setup, but for now we can mock it
# For the current implementation, we'll test what happens with no authentication
get "/api/v1/usage"
assert_response :unauthorized
end
test "should update usage count when accessing usage endpoint" do
# Check initial state
get "/api/v1/usage", headers: { "X-Api-Key" => @api_key.plain_key }
assert_response :success
response_body = JSON.parse(response.body)
first_count = response_body["rate_limit"]["current_count"]
# Make another usage request
get "/api/v1/usage", headers: { "X-Api-Key" => @api_key.plain_key }
assert_response :success
response_body = JSON.parse(response.body)
second_count = response_body["rate_limit"]["current_count"]
assert_equal first_count + 1, second_count
end
test "should include rate limit headers in usage response" do
get "/api/v1/usage", headers: { "X-Api-Key" => @api_key.plain_key }
assert_response :success
assert_not_nil response.headers["X-RateLimit-Limit"]
assert_not_nil response.headers["X-RateLimit-Remaining"]
assert_not_nil response.headers["X-RateLimit-Reset"]
assert_equal "100", response.headers["X-RateLimit-Limit"]
assert_equal "99", response.headers["X-RateLimit-Remaining"]
end
test "should work correctly when approaching rate limit" do
# Make 98 requests to get close to the limit
98.times do
get "/api/v1/test", headers: { "X-Api-Key" => @api_key.plain_key }
assert_response :success
end
# Check usage - this should be request 99
get "/api/v1/usage", headers: { "X-Api-Key" => @api_key.plain_key }
assert_response :success
response_body = JSON.parse(response.body)
assert_equal 99, response_body["rate_limit"]["current_count"]
assert_equal 1, response_body["rate_limit"]["remaining"]
# One more request should hit the limit
get "/api/v1/test", headers: { "X-Api-Key" => @api_key.plain_key }
assert_response :success
# Now we should be rate limited
get "/api/v1/usage", headers: { "X-Api-Key" => @api_key.plain_key }
assert_response :too_many_requests
end
private
def users(key)
# Mock fixture - in real tests this would reference actual fixtures
OpenStruct.new(id: 1, email: "test@example.com", family_id: 1)
end
end

140
test/services/api_rate_limiter_test.rb Normal file
View file

@ -0,0 +1,140 @@
require "test_helper"
class ApiRateLimiterTest < ActiveSupport::TestCase
setup do
@user = users(:family_admin)
@api_key = ApiKey.create!(
user: @user,
name: "Test API Key",
scopes: ["read"],
key: "test_key_123"
)
@rate_limiter = ApiRateLimiter.new(@api_key)
# Clear any existing rate limit data
Redis.new.del("api_rate_limit:#{@api_key.id}")
end
teardown do
# Clean up Redis data after each test
Redis.new.del("api_rate_limit:#{@api_key.id}")
end
test "should have default rate limit" do
assert_equal 100, @rate_limiter.rate_limit
end
test "should start with zero request count" do
assert_equal 0, @rate_limiter.current_count
end
test "should not be rate limited initially" do
assert_not @rate_limiter.rate_limit_exceeded?
end
test "should increment request count" do
assert_equal 0, @rate_limiter.current_count
@rate_limiter.increment_request_count!
assert_equal 1, @rate_limiter.current_count
@rate_limiter.increment_request_count!
assert_equal 2, @rate_limiter.current_count
end
test "should be rate limited when exceeding limit" do
# Simulate reaching the rate limit
100.times { @rate_limiter.increment_request_count! }
assert_equal 100, @rate_limiter.current_count
assert @rate_limiter.rate_limit_exceeded?
end
test "should provide correct usage info" do
5.times { @rate_limiter.increment_request_count! }
usage_info = @rate_limiter.usage_info
assert_equal 5, usage_info[:current_count]
assert_equal 100, usage_info[:rate_limit]
assert_equal 95, usage_info[:remaining]
assert_equal :standard, usage_info[:tier]
assert usage_info[:reset_time] > 0
assert usage_info[:reset_time] <= 3600
end
test "should calculate remaining requests correctly" do
10.times { @rate_limiter.increment_request_count! }
usage_info = @rate_limiter.usage_info
assert_equal 90, usage_info[:remaining]
end
test "should have zero remaining when at limit" do
100.times { @rate_limiter.increment_request_count! }
usage_info = @rate_limiter.usage_info
assert_equal 0, usage_info[:remaining]
end
test "should have zero remaining when over limit" do
105.times { @rate_limiter.increment_request_count! }
usage_info = @rate_limiter.usage_info
assert_equal 0, usage_info[:remaining]
end
test "class method usage_for should work without incrementing" do
5.times { @rate_limiter.increment_request_count! }
usage_info = ApiRateLimiter.usage_for(@api_key)
assert_equal 5, usage_info[:current_count]
# Should not increment when just checking usage
usage_info_again = ApiRateLimiter.usage_for(@api_key)
assert_equal 5, usage_info_again[:current_count]
end
test "should handle multiple API keys separately" do
other_api_key = ApiKey.create!(
user: @user,
name: "Other API Key",
scopes: ["read_write"],
key: "other_key_456"
)
other_rate_limiter = ApiRateLimiter.new(other_api_key)
@rate_limiter.increment_request_count!
other_rate_limiter.increment_request_count!
other_rate_limiter.increment_request_count!
assert_equal 1, @rate_limiter.current_count
assert_equal 2, other_rate_limiter.current_count
ensure
Redis.new.del("api_rate_limit:#{other_api_key.id}")
other_api_key.destroy
end
test "should calculate reset time correctly" do
reset_time = @rate_limiter.reset_time
# Reset time should be within the current hour
assert reset_time > 0
assert reset_time <= 3600
# Should be roughly the time until the next hour
current_time = Time.current.to_i
next_window = ((current_time / 3600) + 1) * 3600
expected_reset = next_window - current_time
assert_in_delta expected_reset, reset_time, 1
end
private
def users(key)
# Mock fixture - in real tests this would reference actual fixtures
OpenStruct.new(id: 1, email: "test@example.com", family_id: 1)
end
end