Set up ScopedRateThrottle for endpoint-specific rate limits (#3581)

* fix: Update node and CI workflows

- Update node version to latest LTS
- Copy/paste pyjs dockerfile
- temporarily ignore optional deps
- Pytest no longer on PATH
- Ignore tsc error
- Remove coverage step
- suppress eslint errors

* Set up ScopedRateThrottle for endpoint-specific rate limits

PR #3544 disabled ratelimiting for AdminAPI views. This change improves
control over rate limits and helps prevent over-throttling.

- Removed global throttles (`AnonRateThrottle`, `UserRateThrottle`)
- Added `ScopedRateThrottle` to control rate limits per endpoint
- Defined custom rate to protect AdminAPI endpoints from DoS

@W-17141510

Author: jstvz

config/settings/base.py

@@ -456,12 +456,12 @@ def safe_key() -> str:
         "rest_framework.authentication.SessionAuthentication",
     ),
     'DEFAULT_THROTTLE_CLASSES': [
-        'rest_framework.throttling.AnonRateThrottle',
-        'rest_framework.throttling.UserRateThrottle'
+        'rest_framework.throttling.ScopedRateThrottle',
     ],
     'DEFAULT_THROTTLE_RATES': {
         'anon': '4/second',
         'user': '4/second',
+        'admin_api': '150/minute',
     }
 
 }

metadeploy/adminapi/api.py

@@ -138,7 +138,7 @@ class Meta:
 class PlanTemplateViewSet(AdminAPIViewSet):
     model_name = "PlanTemplate"
     serializer_base = PlanTemplateSerializer
-    throttle_classes = []
+    throttle_scope = 'admin_api'
 
 
 class PlanFilter(filters.FilterSet):
@@ -151,27 +151,27 @@ class PlanViewSet(AdminAPIViewSet):
     model_name = "Plan"
     serializer_base = PlanSerializer
     filterset_class = PlanFilter
-    throttle_classes = []
+    throttle_scope = 'admin_api'
 
 
 class PlanSlugViewSet(AdminAPIViewSet):
     model_name = "PlanSlug"
-    throttle_classes = []
+    throttle_scope = 'admin_api'
 
 
 class VersionViewSet(AdminAPIViewSet):
     model_name = "Version"
-    throttle_classes = []
+    throttle_scope = 'admin_api'
 
 
 class ProductCategoryViewSet(AdminAPIViewSet):
     model_name = "ProductCategory"
-    throttle_classes = []
+    throttle_scope = 'admin_api'
 
 
 class AllowedListViewSet(AdminAPIViewSet):
     model_name = "AllowedList"
-    throttle_classes = []
+    throttle_scope = 'admin_api'
 
 
 class AllowedListOrgSerializer(AdminAPISerializer):
@@ -181,7 +181,7 @@ class AllowedListOrgSerializer(AdminAPISerializer):
 class AllowedListOrgViewSet(AdminAPIViewSet):
     model_name = "AllowedListOrg"
     serializer_base = AllowedListOrgSerializer
-    throttle_classes = []
+    throttle_scope = 'admin_api'
 
 
 class TranslationViewSet(viewsets.ViewSet):
@@ -201,7 +201,7 @@ class TranslationViewSet(viewsets.ViewSet):
 
     permission_classes = [IsAPIUser]
     model_name = "Translation"
-    throttle_classes = []
+    throttle_scope = 'admin_api'
 
     def partial_update(self, request, pk=None):
         # Add or update a Translation record for each message