FastAPI-Limiter is a rate limiting tool for fastapi routes, powered by pyrate-limiter.
Just install from pypi
> pip install fastapi-limiterFastAPI-Limiter is simple to use, which just provides a dependency RateLimiter. The following example allows 2 requests per 5 seconds on route /.
import uvicorn
from fastapi import Depends, FastAPI
from pyrate_limiter import Duration, Limiter, Rate
from fastapi_limiter.depends import RateLimiter
app = FastAPI()
@app.get(
"/",
dependencies=[Depends(RateLimiter(limiter=Limiter(Rate(2, Duration.SECOND * 5))))],
)
async def index():
return {"msg": "Hello World"}
if __name__ == "__main__":
uvicorn.run("main:app", reload=True)RateLimiter accepts the following parameters:
limiter: Apyrate_limiter.Limiterinstance that defines the rate limiting rules.identifier: A callable to identify the request source, default is by IP + path.callback: A callable invoked when the rate limit is exceeded, default raisesHTTPExceptionwith429status code.blocking: Whether to block the request when the rate limit is exceeded, default isFalse.skip: An async callable that takes a request and returnsTrueto skip rate limiting, default isNone.
Identifier of route limit, default is ip + path, you can override it such as userid and so on.
async def default_identifier(request: Union[Request, WebSocket]):
forwarded = request.headers.get("X-Forwarded-For")
if forwarded:
ip = forwarded.split(",")[0]
elif request.client:
ip = request.client.host
else:
ip = "127.0.0.1"
return ip + ":" + request.scope["path"]Callback when rate limit is exceeded, default raises HTTPException with 429 status code.
def default_callback(*args, **kwargs):
raise HTTPException(
HTTP_429_TOO_MANY_REQUESTS,
"Too Many Requests",
)You can use multiple limiters in one route.
@app.get(
"/multiple",
dependencies=[
Depends(RateLimiter(limiter=Limiter(Rate(1, Duration.SECOND * 5)))),
Depends(RateLimiter(limiter=Limiter(Rate(2, Duration.SECOND * 15)))),
],
)
async def multiple():
return {"msg": "Hello World"}Note that you should keep the stricter limiter (lower seconds/times ratio) first.
You can pass a skip callable to RateLimiter to conditionally skip rate limiting for a specific route. The callable receives the request and should return True to skip.
from fastapi.requests import Request
async def skip(request: Request):
return request.scope["path"] == "/skip"
@app.get(
"/skip",
dependencies=[
Depends(RateLimiter(limiter=Limiter(Rate(1, Duration.SECOND * 5)), skip=skip))
],
)
async def skip_route():
return {"msg": "This route skips rate limiting"}You can also use RateLimiterMiddleware to apply rate limiting globally to all routes without adding dependencies to each route individually.
from fastapi import FastAPI
from pyrate_limiter import Duration, Limiter, Rate
from fastapi_limiter.middleware import RateLimiterMiddleware
app = FastAPI()
app.add_middleware(
RateLimiterMiddleware,
limiter=Limiter(Rate(2, Duration.SECOND * 5)),
)
@app.get("/")
async def index():
return {"msg": "Hello World"}RateLimiterMiddleware accepts the same identifier, callback, blocking, and skip parameters as RateLimiter.
While the above examples work with REST requests, FastAPI also allows easy usage of websockets, which require a slightly different approach.
Because websockets are likely to be long lived, you may want to rate limit in response to data sent over the socket.
You can do this by rate limiting within the body of the websocket handler:
from fastapi_limiter.depends import WebSocketRateLimiter
@app.websocket("/ws")
async def websocket_endpoint(websocket: WebSocket):
await websocket.accept()
ratelimit = WebSocketRateLimiter(limiter=Limiter(Rate(1, Duration.SECOND * 5)))
while True:
try:
data = await websocket.receive_text()
await ratelimit(websocket, context_key=data) # NB: context_key is optional
await websocket.send_text("Hello, world")
except HTTPException:
await websocket.send_text("Hello again")This project is licensed under the Apache-2.0 License.