feat: Add rate limiting to identity search endpoint #6438
Conversation
- Backend: Add ScopedRateThrottle to IdentityViewSet (30 req/min) - Frontend: Increase debounce from 500ms to 750ms - Config: Add IDENTITY_SEARCH_THROTTLE_RATE env variable - Tests: Add test for identity search throttling Fixes aggressive API requests when searching for identities.
1-23-smy
requested review from
khvn26 and
talissoncosta
and removed request for
a team
|
@smy-637q is attempting to deploy a commit to the Flagsmith Team on Vercel. A member of the Team first needs to authorize it. |
github-actions
bot
added
front-end
There was a problem hiding this comment.
Pull request overview
This PR adds rate limiting to the identity search endpoint to prevent aggressive API requests. It includes backend throttling via Django REST Framework's ScopedRateThrottle, a configurable environment variable for the rate limit, frontend debounce increase, and a test to verify throttling behavior.
- Backend throttling implementation with
ScopedRateThrottleat 30 requests/minute - Frontend debounce increase from 500ms to 750ms across all search components
- Configurable rate limit via
IDENTITY_SEARCH_THROTTLE_RATEenvironment variable
Reviewed changes
Copilot reviewed 4 out of 4 changed files in this pull request and generated 3 comments.
| File | Description |
|---|---|
| api/environments/identities/views.py | Adds ScopedRateThrottle with identity_search scope to IdentityViewSet |
| api/app/settings/common.py | Adds IDENTITY_SEARCH_THROTTLE_RATE environment variable configuration (default: 30/min) |
| api/tests/unit/environments/identities/test_unit_identities_views.py | Adds test to verify identity search throttling behavior |
| frontend/common/useDebouncedSearch.ts | Increases debounce time from 500ms to 750ms for all search operations |
💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.
| def test_identity_search_is_throttled( | ||
| admin_client: APIClient, | ||
| environment: Environment, | ||
| settings, |
There was a problem hiding this comment.
The test is missing the reset_cache fixture parameter which is used in other throttle tests to ensure proper cache cleanup between tests. DRF's ScopedRateThrottle uses Django's cache backend to track request counts, and without cache clearing, throttle state could persist between tests causing flaky test failures.
Add reset_cache to the function parameters (see examples in api/tests/integration/custom_auth/end_to_end/test_custom_auth_integration.py lines 486-491 and 527-533).
| settings, | |
| settings, | |
| reset_cache, |
| const [debounceTime, setDebounceTime] = useState(750) | ||
|
|
||
| useEffect(() => { | ||
| setDebounceTime(searchInput.length < 1 ? 0 : 500) | ||
| setDebounceTime(searchInput.length < 1 ? 0 : 750) |
There was a problem hiding this comment.
Increasing the debounce time from 500ms to 750ms will affect all components using useDebouncedSearch, not just identity search. This includes:
- AuditLog.tsx
- ConversionEventSelect.tsx
- CreateSegment.tsx (segment search)
- SegmentsPage.tsx
- SplitTestPage.tsx
- UserPage.tsx
- UsersPage.tsx (identity search)
- TableValueFilter.tsx
While this may be acceptable to reduce API calls globally, consider whether a 250ms increase is appropriate for all these use cases. If the intent is to only throttle identity search, consider creating a separate hook like useDebouncedIdentitySearch with the higher debounce time, or make the debounce time configurable via a parameter.
There was a problem hiding this comment.
@Zaimwa9 are you able to chime in here - do you think this is something we need to be concerned about?
![cursor[bot]](https://avatars.githubusercontent.com/in/1210556?s=60&v=4){kind=small}
There was a problem hiding this comment.
This PR is being reviewed by Cursor Bugbot
Details
Your team is on the Bugbot Free tier. On this plan, Bugbot will review limited PRs each billing cycle for each member of your team.
To receive Bugbot reviews on all of your PRs, visit the Cursor dashboard to activate Pro and start your 14-day free trial.
api/tests/unit/environments/identities/test_unit_identities_views.py
Outdated
Show resolved
Hide resolved
- Use get_throttles() method to conditionally apply throttle only to 'list' action - Update test to use mocker.patch and reset_cache fixture for proper cleanup - Follow existing patterns from FFAdminUserViewSet and OrganisationViewSet
|
The latest updates on your projects. Learn more about Vercel for GitHub.
2 Skipped Deployments
|
|
@1-23-smy could you check the unit test failures here please? |
|
matthewelwell Sure, I will look into it |
The test.py settings file overrides DEFAULT_THROTTLE_RATES from common.py, so identity_search scope was missing in the test environment.
3 participants
ScopedRateThrottletoIdentityViewSet(30 req/min)IDENTITY_SEARCH_THROTTLE_RATEenv variableThis fixes aggressive API requests when searching for identities.
Thanks for submitting a PR! Please check the boxes below:
docs/if required so people know about the featureChanges
Backend Changes
api/environments/identities/views.pyAdded
ScopedRateThrottletoIdentityViewSetwith scopeidentity_searchapi/app/settings/common.pyAdded configurable
IDENTITY_SEARCH_THROTTLE_RATEenvironment variable (default:30/min)Frontend Changes
frontend/common/useDebouncedSearch.tsIncreased debounce time from 500ms to 750ms to reduce request frequency during typing
Configuration
The rate limit can be customized via environment variable:
How did you test this code?
Unit Tests
test_identity_search_is_throttledinapi/tests/unit/environments/identities/test_unit_identities_views.pyManual Testing