Treat API requests from the frontend as web traffic in the rate limiter

This was previously behind a feature flag and disabled by default, and is now being enabled globally after verifying that this change doesn't break anything on gitlab.com. Changelog: changed

Treat API requests from the frontend as web traffic in the rate limiter
This was previously behind a feature flag and disabled by default, and is now being enabled globally after verifying that this change doesn't break anything on gitlab.com. Changelog: changed
5e823d82 · Markus Koller · Kerri Miller · a5b471a6 · a5b471a6 · 5e823d82
Commit 5e823d82 authored Feb 12, 2022 by Markus Koller Committed by Kerri Miller Feb 12, 2022
4 changed files
--- a/config/feature_flags/development/rate_limit_frontend_requests.yml
+++ b/config/feature_flags/development/rate_limit_frontend_requests.yml
---
-name: rate_limit_frontend_requests
-introduced_by_url: https://gitlab.com/gitlab-org/gitlab/-/merge_requests/79341
-rollout_issue_url: https://gitlab.com/gitlab-org/gitlab/-/issues/350623
-milestone: '14.8'
-type: development
-group: group::integrations
-default_enabled: false
--- a/doc/user/admin_area/settings/user_and_ip_rate_limits.md
+++ b/doc/user/admin_area/settings/user_and_ip_rate_limits.md
@@ -23,7 +23,8 @@ By default, all Git operations are first tried unauthenticated. Because of this,
 may trigger the rate limits configured for unauthenticated requests.

 NOTE:
-The rate limits for API requests don't affect requests made by the frontend, as these are always
+[In GitLab 14.8 and later](https://gitlab.com/gitlab-org/gitlab/-/issues/344807),
+the rate limits for API requests don't affect requests made by the frontend, as these are always
 counted as web traffic.

 ## Enable unauthenticated API request rate limit

--- a/lib/gitlab/rack_attack/request.rb
+++ b/lib/gitlab/rack_attack/request.rb
@@ -198,8 +198,6 @@ module Gitlab
      end

      def frontend_request?
-        return false unless Feature.enabled?(:rate_limit_frontend_requests, default_enabled: :yaml)
-
        strong_memoize(:frontend_request) do
          next false unless env.include?('HTTP_X_CSRF_TOKEN') && session.include?(:_csrf_token)


--- a/spec/lib/gitlab/rack_attack/request_spec.rb
+++ b/spec/lib/gitlab/rack_attack/request_spec.rb
@@ -267,23 +267,6 @@ RSpec.describe Gitlab::RackAttack::Request do
    with_them do
      it { is_expected.to eq(expected) }
    end
-
-    context 'when the feature flag is disabled' do
-      before do
-        stub_feature_flags(rate_limit_frontend_requests: false)
-      end
-
-      where(:session, :env) do
-        {}                           | {} # rubocop:disable Lint/BinaryOperatorWithIdenticalOperands
-        {}                           | { 'HTTP_X_CSRF_TOKEN' => valid_token }
-        { _csrf_token: valid_token } | { 'HTTP_X_CSRF_TOKEN' => other_token }
-        { _csrf_token: valid_token } | { 'HTTP_X_CSRF_TOKEN' => valid_token }
-      end
-
-      with_them do
-        it { is_expected.to be(false) }
-      end
-    end
  end

  describe '#deprecated_api_request?' do