From: Michael Tremer
Date: Tue, 3 Mar 2026 16:36:55 +0000 (+0000)
Subject: ratelimiter: Use the API key as bucket for authenticated users
X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=83b734bbbe92fb444aead31309a881b63ea81862;p=dbl.git

ratelimiter: Use the API key as bucket for authenticated users

Signed-off-by: Michael Tremer
---
diff --git a/src/dbl/ratelimiter.py b/src/dbl/ratelimiter.py
index 0b56d48..f006c47 100644
--- a/src/dbl/ratelimiter.py
+++ b/src/dbl/ratelimiter.py
@@ -105,8 +105,21 @@ class RateLimiterRequest(object):
 # Store the key and address
 self.key = key
+
+ # Fetch the client IP address
 self.address, port = self.request.client
+ # Check if the user is authenticated
+ self.api_key = self.request.headers.get("X-Api-Key")
+
+ # Make the bucket
+ # Use the API key for authenticated users,
+ # or otherwise use the client IP address
+ if self.api_key:
+ self.bucket = self.api_key
+ else:
+ self.bucket = "%s" % self.address
+
 # What is the current time?
 self.now = datetime.datetime.utcnow()
@@ -150,7 +163,7 @@ class RateLimiterRequest(object):
 .where(
 ratelimiter.c.key == self.key,
 ratelimiter.c.timestamp >= since,
- ratelimiter.c.bucket == "%s" % self.address,
+ ratelimiter.c.bucket == self.bucket,
 )
 )
@@ -196,7 +209,7 @@ class RateLimiterRequest(object):
 .values({
 "key" : self.key,
 "timestamp" : now,
- "bucket" : "%s" % self.address,
+ "bucket" : self.bucket,
 "requests" : 1,
 "expires_at" : expires_at,
 })
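Review bot: The bucket is selected from the mere presence of an `X-Api-Key` header, and nothing in this hunk verifies the value before it becomes `self.bucket`, although the comment calls this an authentication check. If the key is not validated before the limiter runs (not visible here), each distinct header value gets its own bucket and the per-address limit no longer constrains unauthenticated traffic. Keys and addresses also share one namespace, so a header value equal to an address string lands in that address's bucket. I would use the key only once it has been verified and prefix both forms, e.g. `self.bucket = "key:%s" % self.api_key` and `self.bucket = "ip:%s" % self.address`. The enclosing method starts and ends outside the hunk.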
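Review bot: With this change the `bucket` column receives the raw API key, so the credential is written in clear text to the ratelimiter table on every insert here and compared in the `.where()` of the previous hunk. Anyone with read access to that table, its backups or statement logs could then recover working keys. Storing a digest keeps the bucketing behaviour without persisting the secret, e.g. `self.bucket = hashlib.sha256(self.api_key.encode()).hexdigest()` where the bucket is built, which needs `import hashlib` at the top of the file. A fixed-length digest also bounds the stored value regardless of how long the header is.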