Add ENABLE_RATE_LIMITS configuration for backend rate limiting

This commit is contained in:
Sean Morley
2026-03-31 21:55:28 -04:00
parent a7aa1ca636
commit e2a7e1886a
3 changed files with 13 additions and 5 deletions


@@ -9,6 +9,9 @@ PUBLIC_URL='http://127.0.0.1:8000'
DEBUG=True
# Set to True to enable DRF throttling and allauth account rate limits
ENABLE_RATE_LIMITS=False
FRONTEND_URL='http://localhost:3000'
EMAIL_BACKEND='console'
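Review bot: The example sets `ENABLE_RATE_LIMITS=False`, so a deployment that copies this file unchanged runs with no DRF throttling and no allauth login/failed-login limits, while the documentation added in this same commit says it should be `True` in production. The comment on the line above should carry that caveat so it is not lost when the file is copied, e.g. `# Set to True to enable DRF throttling and allauth account rate limits (recommended in production)`.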


@@ -272,6 +272,10 @@ SOCIALACCOUNT_EMAIL_AUTHENTICATION = True
SOCIALACCOUNT_EMAIL_AUTHENTICATION_AUTO_CONNECT = True # Auto-link by email
SOCIALACCOUNT_AUTO_SIGNUP = True # Allow auto-signup post adapter checks
# Enable or disable app-level rate limiting/throttling globally.
# Defaults to disabled for local/dev convenience.
ENABLE_RATE_LIMITS = getenv('ENABLE_RATE_LIMITS', 'false').lower() == 'true'
FORCE_SOCIALACCOUNT_LOGIN = getenv('FORCE_SOCIALACCOUNT_LOGIN', 'false').lower() == 'true' # When true, only social login is allowed (no password login) and the login page will show only social providers or redirect directly to the first provider if only one is configured.
if getenv('EMAIL_BACKEND', 'console') == 'console':
@@ -312,7 +316,7 @@ ACCOUNT_RATE_LIMITS = {
"login": "30/m/ip", # 30 login attempts per minute per IP
"login_failed": "10/m/ip,5/5m/key", # 10 failed logins per minute per IP, 5 per 5 min per user
"confirm_email": "1/3m/key", # 1 email confirmation per 3 minutes per email
}
} if ENABLE_RATE_LIMITS else {}
# ---------------------------------------------------------------------------
# Django REST Framework
@@ -325,11 +329,11 @@ REST_FRAMEWORK = {
'DEFAULT_SCHEMA_CLASS': 'rest_framework.schemas.coreapi.AutoSchema',
'DEFAULT_THROTTLE_CLASSES': [
'rest_framework.throttling.UserRateThrottle',
],
] if ENABLE_RATE_LIMITS else [],
'DEFAULT_THROTTLE_RATES': {
'user': '1000/day',
'image_proxy': '60/minute',
},
'user': '100000/day',
'image_proxy': '1000/minute',
} if ENABLE_RATE_LIMITS else {},
}
if DEBUG:
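Review bot: Emptying `DEFAULT_THROTTLE_RATES` when `ENABLE_RATE_LIMITS` is off (the `} if ENABLE_RATE_LIMITS else {}` in the third hunk) will break any view that attaches `ScopedRateThrottle` itself, because DRF raises `ImproperlyConfigured` when a scope such as `image_proxy` has no configured rate; the `image_proxy` entry suggests such a view exists, though none is visible here. Keeping the rates dict unconditional and gating only `DEFAULT_THROTTLE_CLASSES` (and any per-view `throttle_classes`) avoids that, since rates are inert when no throttle class is active. Separately, the default in the first hunk is fail-open: an unset variable disables both DRF throttling and allauth's `login`/`login_failed` limits, so `getenv('ENABLE_RATE_LIMITS', 'false' if DEBUG else 'true')` would default to protected outside debug, assuming `DEBUG` is assigned above line 272 as the later `if DEBUG:` suggests. The documentation table in the third file lists `True` in its last column for this variable; if that column is the default, it disagrees with the `'false'` default here. The third hunk also raises `user` from 1000/day to 100000/day and `image_proxy` from 60/minute to 1000/minute when limits are enabled, which the commit title does not mention and belongs in the description.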


@@ -62,6 +62,7 @@ The `.env` file contains all the configuration settings for your AdventureLog in
| `FRONTEND_URL` | Yes | URL to the **frontend**, used for email generation. | `http://localhost:8015` |
| `BACKEND_PORT` | Yes | Port that the backend will run on inside Docker. | `8016` |
| `DEBUG` | No | Should be `False` in production. | `False` |
| `ENABLE_RATE_LIMITS` | No | Enable rate limits on the backend. Should be `True` in production. | `True` |
## Optional Configuration