DEV Community

Myke Aneke
Myke Aneke

Posted on

I built the Swiss army knife of Ratelimiting

#webdev #python #api #security

Introducing Ratethrottle

The Swiss Army knife of rate limiting - everything you need in one library.

What is RateThrottle?

An advanced rate limiting library for Python that goes far beyond basic REST API protection.

The problem: Most rate limiting libraries are limited to one framework and only handle basic REST APIs.

The solution: RateThrottle supports everything - multiple frameworks, multiple protocols, advanced features - all in one well-tested package.

🌟 Core Features

1. Universal Framework Support

Works with all major Python web frameworks:

# Flask
@app.route('/api')
@limiter.limit("100/minute")
def api(): return {'data': 'value'}

# FastAPI
@app.get("/api")
async def api(_=Depends(limiter.limit(100, 60))):
    return {"data": "value"}

# Django
@django_ratelimit(limit=100, window=60)
def api(request): return JsonResponse({'data': 'value'})
Enter fullscreen mode Exit fullscreen mode

2. Multiple Protocols

Beyond REST - WebSocket, gRPC, GraphQL:

# WebSocket - limit connections & messages
limiter = WebSocketRateLimiter(
    WebSocketLimits(
        connections_per_minute=10,
        messages_per_minute=100
    )
)

# gRPC - server interceptors
interceptor = GRPCRateLimitInterceptor(
    GRPCLimits(requests_per_minute=100)
)

# GraphQL - complexity & depth analysis
limiter = GraphQLRateLimiter(
    GraphQLLimits(
        queries_per_minute=100,
        max_complexity=1000
    )
)
Enter fullscreen mode Exit fullscreen mode

3. Four Rate Limiting Strategies

Choose the algorithm that fits your needs:

  • Token Bucket - APIs with bursts
  • Leaky Bucket - Smooth traffic
  • Fixed Window - Simple use cases
  • Sliding Window - Accurate limiting 
# Choose your strategy
RateThrottleRule(
    name='api',
    limit=100,
    window=60,
    strategy='sliding_window'  # or token_bucket, leaky_bucket, fixed_window
)
Enter fullscreen mode Exit fullscreen mode

4. DDoS Protection

Built-in attack detection:

from ratethrottle import DDoSProtection

ddos = DDoSProtection(threshold=1000)

is_attack, pattern = ddos.analyze_traffic(client_ip)

if is_attack:
    ddos.block_ip(client_ip)
    alert_ops_team(pattern)
Enter fullscreen mode Exit fullscreen mode

Detection:

  • Volume-based (request spikes)
  • Pattern-based (behavior analysis)
  • Distributed (coordinated attacks)

5. Distributed Systems Ready

Redis for multi-server deployments:

# Development: In-memory
storage = InMemoryStorage()

# Production: Redis
storage = RedisStorage('redis://localhost:6379/0')

limiter = RateThrottleCore(storage=storage)
Enter fullscreen mode Exit fullscreen mode

6. Analytics & Monitoring

Track everything:

from ratethrottle import RateThrottleAnalytics

analytics = RateThrottleAnalytics(limiter)
report = analytics.generate_report(last_24_hours)

# Metrics:
# - Total requests: 152,384
# - Blocked: 1,523 (1.0%)
# - Top violators
# - Attack patterns
Enter fullscreen mode Exit fullscreen mode

7. CLI Tools

Manage from command line:

# Monitor real-time
ratethrottle monitor --interval 1

# Test rules
ratethrottle test --rule api --requests 150

# Manage IPs
ratethrottle manage --blacklist-add 192.168.1.50
Enter fullscreen mode Exit fullscreen mode

🎯 Real-World Use Cases

Public API 

@app.route('/api/public')
@limiter.limit("60/minute")  # Conservative
def public(): return {'data': 'public'}
Enter fullscreen mode Exit fullscreen mode

WebSocket Chat 

limiter = SocketIOLimiter(
    WebSocketLimits(messages_per_minute=200)
)
Enter fullscreen mode Exit fullscreen mode

Microservices Gateway 

# Different services, different limits
limiter.add_rule(RateThrottleRule(
    name='auth_service', limit=1000
))
limiter.add_rule(RateThrottleRule(
    name='payment_service', limit=100
))
Enter fullscreen mode Exit fullscreen mode

GraphQL API 

# Prevent expensive queries
limiter = GraphQLRateLimiter(
    GraphQLLimits(max_complexity=1000)
)
Enter fullscreen mode Exit fullscreen mode

πŸ“¦ Installation 

# Basic
pip install ratethrottle

# With framework
pip install ratethrottle[flask]
pip install ratethrottle[fastapi]

# With protocols
pip install ratethrottle[grpc]
pip install ratethrottle[graphql]
pip install ratethrottle[websocket]

# Everything
pip install ratethrottle[all]
Enter fullscreen mode Exit fullscreen mode

πŸš€ Quick Start (2 minutes)

Flask:

from flask import Flask
from ratethrottle import FlaskRateLimiter

app = Flask(__name__)
limiter = FlaskRateLimiter(app)

@app.route('/api')
@limiter.limit("100/minute")
def api(): 
    return {'data': 'protected'}
Enter fullscreen mode Exit fullscreen mode

FastAPI:

from fastapi import FastAPI, Depends
from ratethrottle import FastAPIRateLimiter

app = FastAPI()
limiter = FastAPIRateLimiter()

@app.get("/api")
async def api(_=Depends(limiter.limit(100, 60))):
    return {"data": "protected"}
Enter fullscreen mode Exit fullscreen mode

πŸ“š Resources

πŸ“¦ Install: pip install ratethrottle

πŸ“– Docs: Documentation

⭐ GitHub: GitHub

πŸ—ΊοΈ What Makes It Complete?

  • βœ… Frameworks: Flask, FastAPI, Django, Starlette
  • βœ… Protocols:REST, WebSocket, gRPC, GraphQL
  • βœ… Strategies: Token Bucket, Leaky Bucket, Fixed Window, Sliding Window
  • βœ… Features: DDoS Protection, Analytics, CLI Tools.
  • βœ… Storage: In-Memory, Redis
  • βœ… Quality: comprehensive docs

πŸ’‘ Why Choose RateThrottle?

If you need:

  • βœ… Multiple frameworks β†’ RateThrottle
  • βœ… WebSocket/gRPC/GraphQL β†’ RateThrottle
  • βœ… DDoS protection β†’ RateThrottle
  • βœ… Advanced features β†’ RateThrottle
  • βœ… Everything in one place β†’ RateThrottle

πŸŽ‰ Try It Today! 

pip install ratethrottle
Enter fullscreen mode Exit fullscreen mode

⭐ Star on GitHub if useful!

Questions? Feature requests? Issues?

Drop them below! πŸ‘‡

Top comments (0)