Add Request Rate Limit
Implement a request rate limit over the API in order to protect it from (D)DoS and automated web crawlers.
Two libraries to do it easily in FastAPI: https://github.com/long2ice/fastapi-limiter and https://github.com/laurentS/slowapi
Since slowapi has several limitations, which I found crucial, I propose to stick to fastapi-limiter (and we are already using Redis, so...).
On the following screenshot you can see that someone tried to get credential information from our application, yet it was unsuccessful. But we should always be ready for real attacks and prevent these situations in the future. A good solution against this type of attack is RRL (request rate limit). When a fake client exceeds the rate limit (e.g. makes 60 requests per minute) it gets banned for some time.
It is important to keep the request rate limit at a level where real users do not suffer while fake clients are efficiently banned. Usually this is done with a "try-adjust" method, so for now I propose a rate limit of 10 requests per minute on all routers. Later, we will adjust this value.
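As an added illustration (not code from fastapi-limiter or from this repository): the fixed-window counter behind the proposed 10 requests/minute policy, which fastapi-limiter keeps in Redis and declares on a route as `Depends(RateLimiter(times=10, seconds=60))`, reproduced here with an in-memory dict so it runs without a Redis server. The client IPs, the route path and the request burst are constructed sample values.

```python
import math
import time


class FixedWindowLimiter:
    """Fixed-window counter: at most `times` requests per `seconds` per key.

    Mirrors the counter fastapi-limiter keeps in Redis (INCR + expiry), but
    uses a plain dict so this example runs offline (in-memory stand-in).
    """

    def __init__(self, times=10, seconds=60):
        self.times = times
        self.seconds = seconds
        self._store = {}  # key -> (request_count, window_expiry_timestamp)

    def hit(self, key, now=None):
        """Record one request. Returns (allowed, retry_after_seconds)."""
        now = time.monotonic() if now is None else now
        count, expiry = self._store.get(key, (0, now + self.seconds))
        if now >= expiry:
            # Window elapsed: the client gets a fresh budget.
            count, expiry = 0, now + self.seconds
        count += 1
        self._store[key] = (count, expiry)
        if count > self.times:
            # Over budget: reject until the window ends (HTTP 429 + Retry-After).
            return False, max(1, math.ceil(expiry - now))
        return True, 0


def client_key(client_ip, path):
    # One key per client and route, so a noisy client cannot exhaust
    # the budget of legitimate users hitting the same endpoint.
    return f"rrl:{client_ip}:{path}"


def simulate(limiter, client_ip, path, n, start=0.0, spacing=1.0):
    """Send n requests from one client, one every `spacing` seconds,
    and return the HTTP status codes the API would answer with."""
    statuses = []
    for i in range(n):
        key = client_key(client_ip, path)
        allowed, _ = limiter.hit(key, now=start + i * spacing)
        statuses.append(200 if allowed else 429)
    return statuses


if __name__ == "__main__":
    limiter = FixedWindowLimiter(times=10, seconds=60)
    # Constructed sample: a scraper fires 12 requests at /auth/login in 12 s.
    print(simulate(limiter, "203.0.113.7", "/auth/login", 12))
    # A different client on the same route keeps its own budget.
    print(simulate(limiter, "198.51.100.2", "/auth/login", 3))
```

Raising or lowering `times` is the "try-adjust" knob: the rejected requests show up as 429 responses, so the rate of 429s from real clients tells you when the limit is too tight.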