refactor

2025-12-08 07:11:06 +00:00
parent 7483de6aba
commit d144f5d19a
13 changed files with 2209 additions and 842 deletions
--- a/backend/igny8_core/api/throttles.py
+++ b/backend/igny8_core/api/throttles.py
@@ -21,14 +21,9 @@ class DebugScopedRateThrottle(ScopedRateThrottle):
    
    def allow_request(self, request, view):
        """
-        Check if request should be throttled
-        
-        Bypasses throttling if:
-        - DEBUG mode is True
-        - IGNY8_DEBUG_THROTTLE environment variable is True
-        - User belongs to aws-admin or other system accounts
-        - User is admin/developer role
-        - Public blueprint list request with site filter (for Sites Renderer)
+        Check if request should be throttled.
+        Only bypasses for DEBUG mode or public requests.
+        Enforces per-account throttling for all authenticated users.
        """
        # Check if throttling should be bypassed
        debug_bypass = getattr(settings, 'DEBUG', False)
@@ -41,12 +36,7 @@ class DebugScopedRateThrottle(ScopedRateThrottle):
                if not request.user or not hasattr(request.user, 'is_authenticated') or not request.user.is_authenticated:
                    public_blueprint_bypass = True
        
-        # Bypass for authenticated users (avoid user-facing 429s)
-        authenticated_bypass = False
-        if hasattr(request, 'user') and request.user and hasattr(request.user, 'is_authenticated') and request.user.is_authenticated:
-            authenticated_bypass = True  # Do not throttle logged-in users
-        
-        if debug_bypass or env_bypass or public_blueprint_bypass or authenticated_bypass:
+        if debug_bypass or env_bypass or public_blueprint_bypass:
            # In debug mode or for system accounts, still set throttle headers but don't actually throttle
            # This allows testing throttle headers without blocking requests
            if hasattr(self, 'get_rate'):
@@ -67,9 +57,27 @@ class DebugScopedRateThrottle(ScopedRateThrottle):
                        }
            return True
        
-        # Normal throttling behavior
+        # Normal throttling with per-account keying
        return super().allow_request(request, view)
    
+    def get_cache_key(self, request, view):
+        """
+        Override to add account-based throttle keying.
+        Keys by (scope, account.id) instead of just user.
+        """
+        if not self.scope:
+            return None
+        
+        # Get account from request
+        account = getattr(request, 'account', None)
+        if not account and hasattr(request, 'user') and request.user and request.user.is_authenticated:
+            account = getattr(request.user, 'account', None)
+        
+        account_id = account.id if account else 'anon'
+        
+        # Build throttle key: scope:account_id
+        return f'{self.scope}:{account_id}'
+    
    def get_rate(self):
        """
        Get rate for the current scope