1 00:00:00,460 --> 00:00:03,610 In the last video, I dug a little deeper into permissions. 2 00:00:03,610 --> 00:00:06,450 Permissions determine if a request is authorized. 3 00:00:06,450 --> 00:00:10,749 Throttling is similar to permissions in that it controls access to an API view. 4 00:00:10,749 --> 00:00:14,324 The difference is that throttling controls the rate of requests that a client 5 00:00:14,324 --> 00:00:16,060 can make to an API. 6 00:00:16,060 --> 00:00:19,528 For example, you might want a throttle that lets authenticated users make 500 7 00:00:19,528 --> 00:00:20,990 requests per day. 8 00:00:20,990 --> 00:00:24,849 But anonymous or unauthenticated users only get 100. 9 00:00:24,849 --> 00:00:27,524 There are many different approaches to throttling and 10 00:00:27,524 --> 00:00:29,449 it all depends on the needs of your API. 11 00:00:29,449 --> 00:00:31,488 After this video check out the teacher's notes for 12 00:00:31,488 --> 00:00:34,400 a link to the REST framework documentation on throttling. 13 00:00:34,400 --> 00:00:37,060 It's a good idea to at least look at the different approaches so 14 00:00:37,060 --> 00:00:39,050 that you can make the best decision for your project. 15 00:00:40,260 --> 00:00:43,180 I'm going to enable a global throttle for my API. 16 00:00:43,180 --> 00:00:47,030 I'll also set a limit for authenticated and unauthenticated requests per minute. 17 00:00:47,030 --> 00:00:47,530 Let's go do it. 18 00:00:49,720 --> 00:00:55,690 Okay, to set up throttling, I have to start over here in settings.py and 19 00:00:55,690 --> 00:00:59,160 right down here in my REST framework dictionary again. 20 00:00:59,160 --> 00:01:02,960 So we set up authentication, permissions, pagination, all that stuff, so 21 00:01:02,960 --> 00:01:05,860 now let's add in throttling. 22 00:01:05,860 --> 00:01:12,299 As you can probably guess we set a DEFAULT_THROTTLE_CLASS or sorry CLASSES.
23 00:01:12,299 --> 00:01:16,319 And this is also a tuple and we're gonna actually put two items into this one. 24 00:01:16,319 --> 00:01:23,519 So we're going to rest_framework.throttling.AnonRateThrottle. 25 00:01:23,519 --> 00:01:26,319 So this one applies to anonymous users. 26 00:01:26,319 --> 00:01:33,119 And rest_framework.throttling.UserRateThrottle. 28 00:01:33,119 --> 00:01:35,780 And that applies to authenticated users. 29 00:01:35,780 --> 00:01:39,485 I kind of wish that was called AuthRateThrottle or something like that. 30 00:01:39,485 --> 00:01:42,629 But beggars can't be choosers. 31 00:01:42,629 --> 00:01:46,248 And then we'll do DEFAULT_THROTTLE_RATES. 32 00:01:49,169 --> 00:01:51,890 And this is actually pretty awesome, how this works. 33 00:01:51,890 --> 00:01:59,570 So, I specify that the anon rate, which applies to this one, right? 34 00:01:59,570 --> 00:02:01,870 And then I set this as five per minute. 35 00:02:02,960 --> 00:02:06,890 And you can do hours, days, all kinds of stuff there. 36 00:02:06,890 --> 00:02:10,189 Check the docs or the teacher's notes of course. 37 00:02:10,189 --> 00:02:14,228 But it's kind of neat how you just write it like it's English. 38 00:02:14,228 --> 00:02:18,848 And then so for users I'm gonna say they get to do ten per minute. 39 00:02:18,848 --> 00:02:24,148 All right, so not a really heavy throttle but not a really lax one either. 40 00:02:24,148 --> 00:02:25,653 These are probably a little bit, 41 00:02:25,653 --> 00:02:28,788 okay, these are definitely lower than you would use in production. 42 00:02:28,788 --> 00:02:30,830 But it's a lot harder for me to go, 43 00:02:30,830 --> 00:02:36,350 hey I'm gonna show you 1,000 requests in a minute when I'm doing a screencast. 44 00:02:36,350 --> 00:02:39,670 So you understand where I'm coming from, I understand where you're going to go, 45 00:02:39,670 --> 00:02:42,250 you're going to have higher rates in the real world.
46 00:02:42,250 --> 00:02:46,540 You may also have way more complicated of rates where you have to identify like 47 00:02:46,540 --> 00:02:50,458 this user's a paying customer versus this one who's a free customer, and 48 00:02:50,458 --> 00:02:51,409 stuff like that. 49 00:02:51,409 --> 00:02:56,589 Okay, let's not worry about that, let's just make sure that the throttling works. 50 00:02:56,589 --> 00:03:01,765 So let's come over here and let's go to POST, 51 00:03:01,765 --> 00:03:05,229 and I wanna grab my super user. 52 00:03:05,229 --> 00:03:06,740 I mean I guess it doesn't matter. 53 00:03:06,740 --> 00:03:08,730 It's an authenticated user. 54 00:03:08,730 --> 00:03:14,550 Okay, so I've got my user here and I'm just gonna try to get courses, so send. 55 00:03:21,210 --> 00:03:23,070 All right, fine, let's use the super user then. 56 00:03:27,030 --> 00:03:31,570 Cool, okay, so sorry about that, it's just, it's weird. 57 00:03:31,570 --> 00:03:37,370 Okay, so I'm going to, I've done one, I get to do ten per minute, right? 58 00:03:37,370 --> 00:03:39,330 So I'm just gonna click this button a few times. 59 00:03:39,330 --> 00:03:45,580 So, one, two, three, four, five, six, seven, eight, nine, ten, 11. 60 00:03:46,590 --> 00:03:49,020 And so I got throttled, right? 61 00:03:49,020 --> 00:03:51,740 I got a 429 Too Many Requests. 62 00:03:51,740 --> 00:03:56,010 And my request was throttled and it will be available again in 41 seconds. 63 00:03:56,010 --> 00:03:58,050 So I've gotta wait just a little bit. 64 00:03:58,050 --> 00:03:59,250 So that's cool, 65 00:03:59,250 --> 00:04:03,390 that's great that I get told how long I have to wait and what's going on. 66 00:04:05,180 --> 00:04:07,240 One last thing about throttling. 67 00:04:07,240 --> 00:04:11,530 How did REST framework know how many requests I had made within the time limit?
68 00:04:11,530 --> 00:04:14,930 REST framework relies on Django's cache backend settings to handle the storage 69 00:04:14,930 --> 00:04:18,210 of the information necessary to track and throttle responses. 70 00:04:18,210 --> 00:04:21,030 I didn't set a cache backend in my project, though, so 71 00:04:21,030 --> 00:04:23,990 Django defaults to the local memory cache backend. 72 00:04:23,990 --> 00:04:28,250 This backend is primarily meant for local development as it's not very efficient. 73 00:04:28,250 --> 00:04:30,870 Django provides a couple of different cache backend choices, and 74 00:04:30,870 --> 00:04:34,120 there are many third-party packages that will extend your options. 75 00:04:34,120 --> 00:04:38,340 In a production setting, you'll probably use something like the memcached backend. 76 00:04:38,340 --> 00:04:41,590 I've put a link in the teacher's notes to Django's documentation on cache backends.