Description
The API allows unlimited payment creation, which could be abused for spam or denial-of-service attacks.
Tasks
- Install Django REST Framework throttling
- Configure rate limits for payment creation
- Add different limits for authenticated vs anonymous users
- Add tests for rate limiting
- Document rate limits
- Add monitoring for rate limit hits
Implementation

```python
# settings.py
REST_FRAMEWORK = {
    'DEFAULT_THROTTLE_CLASSES': [
        'rest_framework.throttling.AnonRateThrottle',
        'rest_framework.throttling.UserRateThrottle',
    ],
    'DEFAULT_THROTTLE_RATES': {
        'anon': '10/hour',             # Guest users
        'user': '100/hour',            # Authenticated users
        'payment_create': '5/minute',  # Specific for payment creation
    },
}
```

```python
# views.py
from rest_framework.throttling import UserRateThrottle
from rest_framework.viewsets import ModelViewSet


class PaymentCreateThrottle(UserRateThrottle):
    # 'scope' looks the rate up in DEFAULT_THROTTLE_RATES; an explicit
    # 'rate' attribute takes precedence over that lookup.
    rate = '5/minute'
    scope = 'payment_create'


class PayFastPaymentModelViewSet(ModelViewSet):
    # queryset and serializer_class are omitted in this issue.
    throttle_classes = [PaymentCreateThrottle]

    def get_throttles(self):
        # Overriding get_throttles() bypasses throttle_classes and the
        # DEFAULT_THROTTLE_CLASSES: only the create action is throttled.
        if self.action == 'create':
            return [PaymentCreateThrottle()]
        return []
```

Acceptance Criteria
- Rate limits enforced on creation endpoint
- Different limits for different user types
- Tests verify rate limiting works
- Documentation explains rate limits
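To show how a rate such as `5/minute` is actually enforced, and how the anonymous and authenticated buckets stay separate, here is an added stand-alone model of the window algorithm used by DRF's `SimpleRateThrottle`; it is not DRF's code and not part of this issue, and it swaps the Django cache for a plain dict. The user id and IP are constructed sample values.

```python
import time
from typing import Dict, List, Optional

# Added illustration modelled on DRF's SimpleRateThrottle (not DRF itself):
# per cache key it keeps the timestamps of recent requests, drops the ones
# that fell out of the window, and rejects when the list is already full.
DURATIONS = {'s': 1, 'm': 60, 'h': 3600, 'd': 86400}


def parse_rate(rate: str):
    """'5/minute' -> (5, 60); as in DRF, only the period's first letter counts."""
    num, period = rate.split('/')
    return int(num), DURATIONS[period[0]]


class ScopedThrottle:
    def __init__(self, rates: Dict[str, str]):
        self.rates = rates
        self.cache: Dict[str, List[float]] = {}  # stands in for Django's cache

    def cache_key(self, scope: str, user_id: Optional[int], ip: str) -> str:
        # Authenticated users are keyed by id, guests by client IP, which is
        # what UserRateThrottle / AnonRateThrottle do.
        ident = str(user_id) if user_id is not None else ip
        return f'throttle_{scope}_{ident}'

    def allow_request(self, scope: str, user_id: Optional[int], ip: str,
                      now: Optional[float] = None) -> bool:
        now = time.time() if now is None else now
        num_requests, duration = parse_rate(self.rates[scope])
        key = self.cache_key(scope, user_id, ip)
        history = self.cache.setdefault(key, [])
        # Newest timestamp first; expire the oldest ones from the tail.
        while history and history[-1] <= now - duration:
            history.pop()
        if len(history) >= num_requests:
            return False
        history.insert(0, now)
        return True


def burst(rate: str, n: int, user_id: Optional[int] = 42,
          ip: str = '203.0.113.5', spacing: float = 0.0) -> List[bool]:
    """Result of n requests to the payment_create scope from one client."""
    t = ScopedThrottle({'payment_create': rate})
    return [t.allow_request('payment_create', user_id, ip, now=1000.0 + i * spacing)
            for i in range(n)]
```

Because the history lives in the Django cache, a local-memory cache backend counts separately in every worker process; a shared backend is needed for the limit to hold across workers.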