Enhancing Your Calm with Throttling

In the last video, I dug a little deeper into permissions. 0:00 Permissions determine if a request is authorized. 0:03 Throttling is similar permissions in that it controls access to an API view. 0:06 The difference is that throttling controls the rate of requests that a client 0:10 can make to an API. 0:14 For example, you might want a throttle that lets authenticated users make 500 0:16 requests per day. 0:19 But anonymous or unauthenticated users only get 100. 0:20 There are many different approaches to throttling and 0:24 it all depends on the needs of your API. 0:27 After this video check out the teacher's notes for 0:29 a link to the REST framework documentation on throttling. 0:31 It's a good idea to at least look at the different approaches so 0:34 that you can make the best decision for your project. 0:37 I'm going to enable a global throttle for my API. 0:40 I'll also set a limit for authenticated and unauthenticated requests per minute. 0:43 Let's go do it. 0:47 Okay, to set up throttling, I have to start over here in settings.py and 0:49 right down here in my REST framework dictionary again. 0:55 So we set up authentication, permissions, pagination, all that stuff, so 0:59 now let's add in throttling. 1:02 As you can probably guess we set a DEFAULT_THROTTLE_CLASS or sorry CLASSES. 1:05 And this is also a tuple and we're gonna actually put two items into this one. 1:12 So we're going to rest framework.throttling.AnonRateThrottle. 1:16 So this one applies to anonymous users. 1:23 And rest_framework.throttling.UserRateThrot- 1:26 tle. 1:32 And that applies to authenticated users. 1:33 I kind of wish that was called AuthRateThrottle or something like that. 1:35 But beggars can't be choosers. 1:39 And then we'll do DEFAULT_THROTTLE_RATES. 1:42 And this is actually pretty awesome, how this works. 1:49 So, I specify that the anon rate, which applies to this one, right? 1:51 And then I set this as five per minute. 1:59 And you can do hours, days, all kinds of stuff there. 2:02 Check the docs or the teacher's notes of course. 2:06 But it's kind of neat how you just write it like it's English. 2:10 And then so for users I'm gonna say they get to do ten per minute. 2:14 All right, so not a really heavy throttle but not a really lax one either. 2:18 These are probably a little bit, 2:24 okay, these are definitely lower than you would use in production. 2:25 But it's a lot harder for me to go, 2:28 hey I'm gonna show you 1,000 requests in a minute when I'm doing a screencast. 2:30 So you understand where I'm coming from, I understand where you're going to go, 2:36 you're going to have higher rates in the real world. 2:39 You may also have way more complicated of rates where you have to identify like 2:42 this user's a paying customer versus this one who's a free customer, and 2:46 stuff like that. 2:50 Okay, let's not worry about that, let's just make sure that the throttling works. 2:51 So let's come over here and let's go to POST, 2:56 and I wanna grab my super user. 3:01 I mean I guess it doesn't matter. 3:05 It's authenticated user. 3:06 Okay, so I've got my user here and I'm just gonna try to get courses, so send. 3:08 All right, fine, let's use the super user then. 3:21 Cool, okay, so sorry about that, it's just, it's weird. 3:27 Okay, so I'm going to, I've done one, I get to do ten per minute, right? 3:31 So I'm just gonna click this button a few times. 3:37 So, one, two, three, four, five, six, seven, eight, nine, ten, 11. 3:39 And so I got throttled, right? 3:46 I got a 429 Too Many Requests. 3:49 And my request was throttled and it will be available again in 41 seconds. 3:51 So I've gotta wait just a little bit. 3:56 So that's cool, 3:58 that's great that I get told how long I have to wait and what's going on. 3:59 One last thing about throttling. 4:05 How did REST framework know how many requests I had made within the time limit? 4:07 REST framework relies on Django's cache backend settings to handle the storage 4:11 of the information necessary to track and throttle responses. 4:14 I didn't set a cache backend in my project, though, so 4:18 Django defaults the local memory cache backend. 4:21 This backend is primarily meant for local development as it's not very efficient. 4:23 Django provides a couple of different cache backend choices, and 4:28 there are many third-party packages that will extend your options. 4:30 In a production setting, you'll probably use something like the memcached backend. 4:34 I've put a link in the teacher's notes to Django's documentation on cache backends. 4:38