500 Errors on Rate Limit When Using the Admin API Via Keys


(Geoffrey Challen) #1

I use Discourse as a course forum, and have a bunch of scripts that I use to manage the installation through the admin API. I have an API key for an admin user and use that to perform various administrative tasks.

Today I’m trying to disable a bunch of users since we are transitioning between semesters. For each student that has left the class, I first log them out and then suspend them.

Unfortunately I’m having two problems:

  • My requests are hitting some kind of internal rate limit, which it seems like I can’t control. It looks like the logic to bypass rate limiting for admins doesn’t work when you are using API keys.
  • The offending requests are returning 500 errors rather than 429s.

Here’s a snippet of the relevant logs:

Started PUT "/admin/users/926/suspend?api_key=[FILTERED]&api_username=admin" for 192.17.148.54 at 2018-01-11 19:45:18 +0000
RateLimiter::LimitExceeded (RateLimiter::LimitExceeded)
/var/www/discourse/lib/rate_limiter.rb:87:in `performed!'

Ideally this rate limiting (a) wouldn’t be done for admin requests and (b) wouldn’t be returning the wrong error code.


#2

I thought the rate limiter had been disabled for staff users, so this might be one for the team to answer.

  def rate_unlimited?
    !!(RateLimiter.disabled? || (@user && @user.staff?))
  end

(Jeff Atwood) #3

Any ideas on this @sam?


(Sam Saffron) #4

Are we hosting your site or are you self hosted? What version are you running?


(Geoffrey Challen) #5

I know—I saw this. But it doesn’t seem to be working. Hence my speculation about the API key not setting up the user properly. But that’s just a guess.


(Geoffrey Challen) #6

Self hosted. On tests-passed, currently v2.0.0.beta1+76.


(Sam Saffron) #7

OK this is fixed per:

But it will take a bit for it to land because I need to clean plugin tests.

The particular reason you are getting rate limited is:

If you are self-hosting, you can raise DISCOURSE_MAX_ADMIN_API_REQS_PER_KEY_PER_MINUTE to a higher number. We introduced this limit to protect from unintentional API abuse.
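The behaviour described in this thread, modelled in plain Ruby as an added example (this is not Discourse's code): the staff check quoted in post #2 bypasses a per-user limiter, but in this model a separate per-API-key limiter is enforced before the staff bypass is consulted, which is why raising DISCOURSE_MAX_ADMIN_API_REQS_PER_KEY_PER_MINUTE is what helps; and a LimitExceeded that escapes the request handler is what Rails surfaces as a 500, while rescuing it yields the 429 with a Retry-After header that the original post expected. The environment variable name is the real Discourse global setting; the class and method names, the fallback of 60 requests per minute when it is unset, and the per-user limit of 20 are assumptions of this example.

```ruby
# Added example, not Discourse's code. Models the two behaviours from the thread:
#   1. rate_unlimited? skips the per-user limiter for staff, but a separate
#      per-API-key limiter still applies, so an admin API key can be limited.
#   2. A LimitExceeded that escapes the handler is what Rails renders as a 500;
#      rescuing it yields a 429 with a Retry-After header.
# DISCOURSE_MAX_ADMIN_API_REQS_PER_KEY_PER_MINUTE is the real Discourse setting;
# the default of 60 used when it is unset, and every name below, are assumptions.

class LimitExceeded < StandardError
  attr_reader :retry_after
  def initialize(retry_after)
    @retry_after = retry_after
    super("rate limit exceeded, retry after #{retry_after}s")
  end
end

# Sliding-window limiter: at most `max` calls to performed! per `secs` per key.
class SlidingWindowLimiter
  def initialize(max:, secs: 60, clock: -> { Time.now.to_f })
    @max = max
    @secs = secs
    @clock = clock
    @hits = Hash.new { |h, k| h[k] = [] } # key => timestamps inside the window
  end

  def performed!(key)
    now = @clock.call
    stamps = @hits[key]
    stamps.reject! { |t| t <= now - @secs }
    if stamps.size >= @max
      raise LimitExceeded.new((stamps.first + @secs - now).ceil)
    end
    stamps << now
    true
  end
end

User = Struct.new(:username, :admin, :moderator) do
  def staff?
    admin || moderator
  end
end

# The check quoted earlier in the thread, reproduced for this model.
def rate_unlimited?(user, limiter_disabled: false)
  !!(limiter_disabled || (user && user.staff?))
end

# One admin API request, returning a Rack-style [status, headers, body].
# rescue_limit: false reproduces the reported behaviour (exception escapes,
# which Rails reports as a 500); true maps it to a 429.
class AdminApi
  def initialize(per_key_max: ENV.fetch("DISCOURSE_MAX_ADMIN_API_REQS_PER_KEY_PER_MINUTE", "60").to_i,
                 per_user_max: 20, clock: -> { Time.now.to_f })
    @per_key  = SlidingWindowLimiter.new(max: per_key_max,  clock: clock)
    @per_user = SlidingWindowLimiter.new(max: per_user_max, clock: clock)
  end

  def call(api_key:, user:, rescue_limit: true)
    # The per-key limit is enforced before the staff bypass is consulted,
    # so rate_unlimited? does not help an admin using an API key.
    @per_key.performed!(api_key)
    @per_user.performed!(user.username) unless rate_unlimited?(user)
    [200, {}, "ok"]
  rescue LimitExceeded => e
    raise unless rescue_limit
    [429, { "Retry-After" => e.retry_after.to_s }, "rate limited"]
  end
end

# Drives `requests` calls 100 ms apart on a fake clock and returns the status
# of the last one (constructed input; no network involved).
def last_status(per_key_max:, requests:, per_user_max: 20, staff: true, rescue_limit: true)
  t = 1_000.0
  api = AdminApi.new(per_key_max: per_key_max, per_user_max: per_user_max, clock: -> { t })
  user = User.new("u1", staff, false)
  status = nil
  requests.times do
    status = api.call(api_key: "k1", user: user, rescue_limit: rescue_limit).first
    t += 0.1
  end
  status
end

if __FILE__ == $0
  puts last_status(per_key_max: 5, requests: 5)                 # 200
  puts last_status(per_key_max: 5, requests: 6)                 # 429: per-key limit hits an admin
  puts last_status(per_key_max: 100, per_user_max: 3, requests: 4, staff: true)  # 200: staff bypass
  puts last_status(per_key_max: 100, per_user_max: 3, requests: 4, staff: false) # 429
  begin
    last_status(per_key_max: 5, requests: 6, rescue_limit: false)
  rescue LimitExceeded => e
    puts "unrescued: #{e.message}" # the shape of the stack trace in the thread
  end
end
```

Two points worth taking from the model: the limiter that applies to API keys is keyed on the key, not the user, so the staff bypass in rate_unlimited? is irrelevant to it and only the per-key ceiling matters; and wherever LimitExceeded is raised, something up the stack has to rescue it and translate it to 429, otherwise the client sees a 500 and has no Retry-After to back off on.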


(Geoffrey Challen) #8

OK done, thanks! We’ll see if this helps.