blightbow/evennia_ai
2
0
Fork 0
Code Issues 9 Pull requests Projects Releases Packages Wiki Activity Actions

[P0] Add API Rate Limiting #5

New issue
Closed
opened 2025-12-05 13:48:51 +00:00 by blightbow · 1 comment
blightbow commented 2025-12-05 13:48:51 +00:00
Owner
Copy link

Problem

The API layer has no throttling configured:

  • No DRF throttle classes configured
  • No request payload size limits
  • Staff users can inadvertently DoS the system
  • Token counting on 100k char inputs with no limits

Suggested Fix

REST_FRAMEWORK = {
    'DEFAULT_THROTTLE_RATES': {'user': '1000/hour', 'write': '100/hour'}
}

Priority

P0 — Immediate (Blocks Production)

Source

Architecture Audit 2025-12-03, Section 4: Missing Rate Limiting

## Problem The API layer has no throttling configured: - No DRF throttle classes configured - No request payload size limits - Staff users can inadvertently DoS the system - Token counting on 100k char inputs with no limits ## Suggested Fix ```python REST_FRAMEWORK = { 'DEFAULT_THROTTLE_RATES': {'user': '1000/hour', 'write': '100/hour'} } ``` ## Priority **P0 — Immediate (Blocks Production)** ## Source Architecture Audit 2025-12-03, Section 4: Missing Rate Limiting
blightbow commented 2025-12-08 05:51:29 +00:00
Author
Owner
Copy link

Implementation Complete

Committed in 40e8842e5: Add API rate limiting and payload size validation

Changes

  • PayloadValidationMixin (api/views/base.py): dispatch() override rejects POST/PATCH/PUT requests exceeding 5MB with 413 response
  • AIAssistantThrottle (api/throttles.py): UserRateThrottle with 1000 requests/hour default (configurable via settings)
  • AssistantViewSet updated with both protections (PayloadValidationMixin first in MRO)
  • 11 new tests covering payload validation and throttle configuration

Configuration

Default rate limiting works out of the box. To customize:

REST_FRAMEWORK["DEFAULT_THROTTLE_RATES"] = {"ai_assistant": "500/hour"}

Note: Rate limiting requires Django cache backend for production use.

## Implementation Complete Committed in `40e8842e5`: Add API rate limiting and payload size validation ### Changes - **PayloadValidationMixin** (`api/views/base.py`): dispatch() override rejects POST/PATCH/PUT requests exceeding 5MB with 413 response - **AIAssistantThrottle** (`api/throttles.py`): UserRateThrottle with 1000 requests/hour default (configurable via settings) - **AssistantViewSet** updated with both protections (PayloadValidationMixin first in MRO) - **11 new tests** covering payload validation and throttle configuration ### Configuration Default rate limiting works out of the box. To customize: ```python REST_FRAMEWORK["DEFAULT_THROTTLE_RATES"] = {"ai_assistant": "500/hour"} ``` Note: Rate limiting requires Django cache backend for production use.
Sign in to join this conversation.
No Branch/Tag specified
Branches Tags
main
feature/agentic-patterns
refactor/modular-prompt-contexts
feature/advanced-prompt-visualizer
ai-messaging-refactor
docs/bootstrap-refinement
feature/bootstrap-refactor
feature/k8s-entrypoint
gh-pages
v5.0.0
v4.0.0
v3.0.0
v2.0.0
v1.3.0
v1.0.0
v0.9.5
v5.0.1
v5.0.0
v4.5.0
v4.4.1
v4.4.0
v4.3.0
v4.2.0
v4.1.1
v4.1.0
v4.0.0
v3.2.0
v3.1.1
v3.1.0
v3.0.0
rm
v2.3.0
v2.2.0
v2.1.0
v2.0.1
v2.0.0
v1.3.0
v1.2.1
v1.2.0
v1.1.1
v1.1.0
v1.0.2
v1.0.1
v1.0
v0.9.5
0.5.0-fork0
v0.9
last-python2.7
python-3.7
0.5.0
v0.8
v0.7
player-account-step1
v0.6
0.2.0
v0.5
show
django1.7
migrate_before_django1.7
Labels
Clear labels   
audit-2025-12-03

Architecture audit findings from 2025-12-03

  
component/api

REST API endpoints and serializers

  
component/commands

In-game commands (aisetup, aiexec, etc.)

  
component/llm

LLM providers, prompt construction, token management

  
component/memory

Entity memory, episodic index, Mem0 integration

  
component/tick-loop

at_tick(), ReAct loop, execution patterns

  
component/tools

Tool system and tool implementations

  
priority
high
Critical or blocking issue

  
priority
low
Nice to have, non-urgent

  
status
in-progress
Actively being worked on

  
status
needs-info
Waiting for more information from reporter

  
status
needs-triage
Awaiting initial review and categorization

  
status
on-hold
Blocked or intentionally paused

  
type
bug
Actual error or unwanted behavior

  
type
documentation
Docs, docstrings, or README

  
type
enhancement
Improvement to existing feature

  
type
feature
New functionality request

  
type
refactor
Code cleanup without behavior change

  
type
test
Test coverage or test infrastructure

No labels
audit-2025-12-03
component/api
component/commands
component/llm
component/memory
component/tick-loop
component/tools
priority
high
priority
low
status
in-progress
status
needs-info
status
needs-triage
status
on-hold
type
bug
type
documentation
type
enhancement
type
feature
type
refactor
type
test
Milestone
Clear milestone
No items
No milestone
Projects
Clear projects
No items
No project
Assignees
Clear assignees
No assignees
1 participant
Notifications
Due date
The due date is invalid or out of range. Please use the format "yyyy-mm-dd".

No due date set.

Dependencies

No dependencies set.

Reference
blightbow/evennia_ai#5
No description provided.