🔒️(back) throttle user list endpoint

The user list endpoint is throttle to avoid users discovery. The throttle is set to 500 requests per day. This can be changed using the settings API_USERS_LIST_THROTTLE_RATE.
2025-03-21 10:39:11 +01:00
parent 5db446e8a8
commit 8473facbee
3 changed files with 55 additions and 0 deletions
--- a/src/backend/core/tests/test_api_users.py
+++ b/src/backend/core/tests/test_api_users.py
@@ -106,6 +106,28 @@ def test_api_users_list_limit(settings):
    assert len(response.json()) == 15


+def test_api_users_list_throttling_authenticated(settings):
+    """
+    Authenticated users should be throttled.
+    """
+    user = factories.UserFactory()
+    client = APIClient()
+    client.force_login(user)
+
+    settings.REST_FRAMEWORK["DEFAULT_THROTTLE_RATES"]["user_list_burst"] = "3/minute"
+
+    for _i in range(3):
+        response = client.get(
+            "/api/v1.0/users/?q=alice",
+        )
+        assert response.status_code == 200
+
+    response = client.get(
+        "/api/v1.0/users/?q=alice",
+    )
+    assert response.status_code == 429
+
+
 def test_api_users_list_query_email_matching():
    """While filtering by email, results should be filtered and sorted by Levenstein distance."""
    user = factories.UserFactory()