python 40 lines · 8 steps

A login rate throttle in Django REST Framework

Limits login attempts per username-plus-IP and locks the pair out once the limit is hit.

Explained by highlit
1from django.core.cache import cache
2from rest_framework.throttling import SimpleRateThrottle
3 
4 
5class LoginRateThrottle(SimpleRateThrottle):
6 scope = "login"
7 
8 def get_cache_key(self, request, view):
9 username = (request.data.get("username") or "").strip().lower()
10 if not username:
11 return None
12 ident = self.get_ident(request)
13 return self.cache_format % {
14 "scope": self.scope,
15 "ident": f"{username}:{ident}",
16 }
17 
18 def allow_request(self, request, view):
19 self.key = self.get_cache_key(request, view)
20 if self.key is None:
21 return True
22 
23 if cache.get(f"{self.key}:locked"):
24 self.wait_time = cache.ttl(f"{self.key}:locked") or self.duration
25 return False
26 
27 self.history = self.cache.get(self.key, [])
28 self.now = self.timer()
29 while self.history and self.history[-1] <= self.now - self.duration:
30 self.history.pop()
31 
32 if len(self.history) >= self.num_requests:
33 cache.set(f"{self.key}:locked", True, timeout=self.duration)
34 self.wait_time = self.duration
35 return False
36 
37 return self.throttle_success()
38 
39 def wait(self):
40 return getattr(self, "wait_time", None) or super().wait()
01 / 01
STEP 01

Walkthrough

Space play step click any line
Three takeaways
  1. 1Keying a throttle on username-plus-IP targets brute-force attempts without blocking whole networks.
  2. 2A short-lived lock flag in the cache turns a soft rate limit into a hard cooldown once tripped.
  3. 3Returning None from the cache key cleanly opts a request out of throttling entirely.

Related explainers

Share this explainer

Here's the card — post it anywhere.

A login rate throttle in Django REST Framework — share card
Made with highlit — turn any snippet into a walkthrough like this in about a minute.
Explain your code