From e2a7e1886a4002f4d4ae90ab4dc0c5745c5538e6 Mon Sep 17 00:00:00 2001
From: Sean Morley
Date: Tue, 31 Mar 2026 21:55:28 -0400
Subject: [PATCH] Add ENABLE_RATE_LIMITS configuration for backend rate limiting
---
 backend/server/.env.example | 3 +++
 backend/server/main/settings.py | 14 +++++++++-----
 documentation/docs/install/docker.md | 1 +
 3 files changed, 13 insertions(+), 5 deletions(-)
diff --git a/backend/server/.env.example b/backend/server/.env.example
index 1d8fcff7..deaec40b 100644
--- a/backend/server/.env.example
+++ b/backend/server/.env.example
@@ -9,6 +9,9 @@ PUBLIC_URL='http://127.0.0.1:8000'
 DEBUG=True
+# Set to True to enable DRF throttling and allauth account rate limits
+ENABLE_RATE_LIMITS=False
+
 FRONTEND_URL='http://localhost:3000'
 EMAIL_BACKEND='console'
diff --git a/backend/server/main/settings.py b/backend/server/main/settings.py
index d1f9c5b6..ba5472d9 100644
--- a/backend/server/main/settings.py
+++ b/backend/server/main/settings.py
@@ -272,6 +272,10 @@ SOCIALACCOUNT_EMAIL_AUTHENTICATION = True
 SOCIALACCOUNT_EMAIL_AUTHENTICATION_AUTO_CONNECT = True # Auto-link by email
 SOCIALACCOUNT_AUTO_SIGNUP = True # Allow auto-signup post adapter checks
+# Enable or disable app-level rate limiting/throttling globally.
+# Defaults to disabled for local/dev convenience.
+ENABLE_RATE_LIMITS = getenv('ENABLE_RATE_LIMITS', 'false').lower() == 'true'
+
 FORCE_SOCIALACCOUNT_LOGIN = getenv('FORCE_SOCIALACCOUNT_LOGIN', 'false').lower() == 'true' # When true, only social login is allowed (no password login) and the login page will show only social providers or redirect directly to the first provider if only one is configured.
 if getenv('EMAIL_BACKEND', 'console') == 'console':
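Review bot: `ENABLE_RATE_LIMITS = getenv('ENABLE_RATE_LIMITS', 'false')` makes the new control fail open: a production deployment that never sets the variable runs with no allauth login/failed-login limits and no DRF throttling, which is the opposite of what a security default should do. The docker.md row added in this same commit lists the default as `True`, which does not match the `'false'` fallback here or the `False` in .env.example, so one of the three needs to change. A safer shape is to tie the default to the debug mode, e.g. `ENABLE_RATE_LIMITS = getenv('ENABLE_RATE_LIMITS', 'false' if DEBUG else 'true').lower() == 'true'`, assuming `DEBUG` is bound earlier in settings.py (the `if DEBUG:` later in the file suggests it is). The inline comment should also say what is dropped when the flag is off — both the allauth account limits and the DRF throttles — rather than only "for local/dev convenience".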
@@ -312,7 +316,7 @@ ACCOUNT_RATE_LIMITS = {
 "login": "30/m/ip", # 30 login attempts per minute per IP
 "login_failed": "10/m/ip,5/5m/key", # 10 failed logins per minute per IP, 5 per 5 min per user
 "confirm_email": "1/3m/key", # 1 email confirmation per 3 minutes per email
-}
+} if ENABLE_RATE_LIMITS else {}
 # ---------------------------------------------------------------------------
 # Django REST Framework
@@ -325,11 +329,11 @@ REST_FRAMEWORK = {
 'DEFAULT_SCHEMA_CLASS': 'rest_framework.schemas.coreapi.AutoSchema',
 'DEFAULT_THROTTLE_CLASSES': [
 'rest_framework.throttling.UserRateThrottle',
- ],
+ ] if ENABLE_RATE_LIMITS else [],
 'DEFAULT_THROTTLE_RATES': {
- 'user': '1000/day',
- 'image_proxy': '60/minute',
- },
+ 'user': '100000/day',
+ 'image_proxy': '1000/minute',
+ } if ENABLE_RATE_LIMITS else {},
 }
 if DEBUG:
diff --git a/documentation/docs/install/docker.md b/documentation/docs/install/docker.md
index 0271d26f..d574287c 100644
--- a/documentation/docs/install/docker.md
+++ b/documentation/docs/install/docker.md
@@ -62,6 +62,7 @@ The `.env` file contains all the configuration settings for your AdventureLog in
 | `FRONTEND_URL` | Yes | URL to the **frontend**, used for email generation. | `http://localhost:8015` |
 | `BACKEND_PORT` | Yes | Port that the backend will run on inside Docker. | `8016` |
 | `DEBUG` | No | Should be `False` in production. | `False` |
+| `ENABLE_RATE_LIMITS` | No | Enable rate limits on the backend. Should be `True` in production. | `True` |
 ## Optional Configuration
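Review bot: `} if ENABLE_RATE_LIMITS else {}` may not actually turn allauth's limits off: allauth documents `ACCOUNT_RATE_LIMITS = False` as the way to disable rate limiting, and in the versions I am familiar with an empty dict is merged over its built-in default limits rather than replacing them — please confirm against the installed allauth version. If disabling is the intended dev behaviour, make it explicit with `} if ENABLE_RATE_LIMITS else False` plus a comment such as `# False disables allauth rate limiting entirely; {} would fall back to allauth's defaults`. If falling back to allauth's defaults is acceptable, the .env.example comment and the comment on the flag should say that instead of "disable". The `ACCOUNT_RATE_LIMITS = {` opening this dict is the `@@` context line, outside the hunk.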
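Review bot: Emptying `DEFAULT_THROTTLE_RATES` when the flag is off will break any view that installs a throttle class explicitly: DRF's `SimpleRateThrottle.get_rate()` raises `ImproperlyConfigured` when its scope has no entry in the rates dict, and the `image_proxy` scope here suggests at least one view sets `throttle_scope` with `ScopedRateThrottle` — confirm against the views. Since rates are inert unless a throttle class is applied, gating only `DEFAULT_THROTTLE_CLASSES` and leaving the rates unconditional (`},` instead of `} if ENABLE_RATE_LIMITS else {},`) gives the same dev convenience without that failure mode. Separately, this hunk also raises the production limits from `'1000/day'` to `'100000/day'` and `'60/minute'` to `'1000/minute'`, a change the commit message does not mention; if the loosening is intended it deserves its own rationale in a comment or env-configurable values rather than riding along with the feature flag.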