500 Errors on Rate Limit When Using the Admin API Via Keys

Geoffrey_Challen · January 11, 2018, 7:46pm

I use Discourse as a course forum, and have a bunch of scripts that I use to manage the installation through the admin API. I have an API key for an admin user and use that to perform various administrative tasks.

Today I’m trying to disable a bunch of users since we are transitioning between semesters. For each student that has left the class, I first log them out and then suspend them.

Unfortunately I’m having two problems:

My requests are hitting some kind of internal rate limit, which it seems like I can’t control. It looks like the logic to bypass rate limiting for admins doesn’t work when you are using API keys.
The offending requests are returning 500 errors rather than 429s.

Here’s a snippet of the relevant logs:

Started PUT "/admin/users/926/suspend?api_key=[FILTERED]&api_username=admin" for 192.17.148.54 at 2018-01-11 19:45:18 +0000
RateLimiter::LimitExceeded (RateLimiter::LimitExceeded)
/var/www/discourse/lib/rate_limiter.rb:87:in `performed!'

Ideally this rate limiting (a) wouldn’t be done for admin requests and (b) wouldn’t be returning the wrong error code.

mikechristopher · January 11, 2018, 7:52pm

I thought the rate limiter had been disabled for staff users so this might be one for the team to answer.

 def rate_unlimited?
!!(RateLimiter.disabled? || (@user && @user.staff?))
  end

codinghorror · January 11, 2018, 8:04pm

Any ideas on this @sam?

sam · January 11, 2018, 8:09pm

Are we hosting your site or are you self hosted? What version are you running?

Geoffrey_Challen · January 11, 2018, 8:10pm

I know—I saw this. But it doesn’t seem to be working. Hence my speculation about the API key not setting up the user properly. But that’s just a guess.

Geoffrey_Challen · January 11, 2018, 8:11pm

Self hosted. On tests-passed, currently v2.0.0.beta1+76.

sam · January 12, 2018, 3:28am

OK this is fixed per:

But it will take a bit for it to land cause I need to clean plugin tests.

The particular reason you are getting rate limited is:

github.com

discourse/discourse/blob/main/config/discourse_defaults.conf#L177

    
      
          message_bus_redis_password =
          
          
# skip configuring client id for cloud providers who support no client commands
          message_bus_redis_skip_client_commands = false
          
          
# enable Cross-origin Resource Sharing (CORS) directly at the application level
          enable_cors = false
          cors_origin = ''
          
          
# enable if you really need to serve assets in prod
          serve_static_assets = false
          
          
# number of sidekiq workers (launched via unicorn master)
          sidekiq_workers = 5
          
          
# adjust stylesheets to rtl (requires "rtlit" gem)
          rtl_css = false
          
          
# connection reaping helps keep connection counts down, postgres
          # will not work properly with huge numbers of open connections
          # reap connections from pool that are older than 30 seconds

if you are self hosting you can raise DISCOURSE_MAX_ADMIN_API_REQS_PER_KEY_PER_MINUTE to a higher number. We introduced this limit to protect from unintentional API abuse.

Geoffrey_Challen · January 12, 2018, 2:00pm

OK done, thanks! We’ll see if this helps.

Topic		Replies	Views
Rate limits for API users dev rest-api	14	2502	March 14, 2024
How to avoid throttling limits with admin API key? dev rest-api	11	1008	March 12, 2024
Changing/removing API rate limit with category creation dev rest-api	17	3673	August 19, 2023
DiscourseApi::TooManyRequests rate limit? dev rest-api	2	525	February 9, 2023
Increase rate limit for API? dev rest-api	2	280	February 20, 2024

500 Errors on Rate Limit When Using the Admin API Via Keys

Related Topics