Commit 1b56d493 authored by Kerri Miller's avatar Kerri Miller

Merge branch '350623-remove-feature-flag' into 'master'

Treat API requests from the frontend as web traffic in the rate limiter

See merge request gitlab-org/gitlab!80404
parents 5b932caf 5e823d82
---
name: rate_limit_frontend_requests
introduced_by_url: https://gitlab.com/gitlab-org/gitlab/-/merge_requests/79341
rollout_issue_url: https://gitlab.com/gitlab-org/gitlab/-/issues/350623
milestone: '14.8'
type: development
group: group::integrations
default_enabled: false
...@@ -23,7 +23,8 @@ By default, all Git operations are first tried unauthenticated. Because of this, ...@@ -23,7 +23,8 @@ By default, all Git operations are first tried unauthenticated. Because of this,
may trigger the rate limits configured for unauthenticated requests. may trigger the rate limits configured for unauthenticated requests.
NOTE: NOTE:
The rate limits for API requests don't affect requests made by the frontend, as these are always [In GitLab 14.8 and later](https://gitlab.com/gitlab-org/gitlab/-/issues/344807),
the rate limits for API requests don't affect requests made by the frontend, as these are always
counted as web traffic. counted as web traffic.
## Enable unauthenticated API request rate limit ## Enable unauthenticated API request rate limit
......
...@@ -198,8 +198,6 @@ module Gitlab ...@@ -198,8 +198,6 @@ module Gitlab
end end
def frontend_request? def frontend_request?
return false unless Feature.enabled?(:rate_limit_frontend_requests, default_enabled: :yaml)
strong_memoize(:frontend_request) do strong_memoize(:frontend_request) do
next false unless env.include?('HTTP_X_CSRF_TOKEN') && session.include?(:_csrf_token) next false unless env.include?('HTTP_X_CSRF_TOKEN') && session.include?(:_csrf_token)
......
...@@ -267,23 +267,6 @@ RSpec.describe Gitlab::RackAttack::Request do ...@@ -267,23 +267,6 @@ RSpec.describe Gitlab::RackAttack::Request do
with_them do with_them do
it { is_expected.to eq(expected) } it { is_expected.to eq(expected) }
end end
context 'when the feature flag is disabled' do
before do
stub_feature_flags(rate_limit_frontend_requests: false)
end
where(:session, :env) do
{} | {} # rubocop:disable Lint/BinaryOperatorWithIdenticalOperands
{} | { 'HTTP_X_CSRF_TOKEN' => valid_token }
{ _csrf_token: valid_token } | { 'HTTP_X_CSRF_TOKEN' => other_token }
{ _csrf_token: valid_token } | { 'HTTP_X_CSRF_TOKEN' => valid_token }
end
with_them do
it { is_expected.to be(false) }
end
end
end end
describe '#deprecated_api_request?' do describe '#deprecated_api_request?' do
......
Markdown is supported
0%
or
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment