Merge branch 'GREG-84-rate-limit' into 'master'

Rate limit invite endpoint

See merge request !134

gregsite/settings/base.py

@@ -268,6 +268,17 @@ INTERNAL_RK_PREFIX = "no.{instance}.greg".format(instance=INSTANCE_NAME)
 
 FEIDE_SOURCE = "feide"
 
+# Rate limit settings of invite endpoint
+REST_FRAMEWORK = {
+    "DEFAULT_THROTTLE_CLASSES": [
+        "rest_framework.throttling.AnonRateThrottle",
+    ],
+    "DEFAULT_THROTTLE_RATES": {
+        "anon": "100/day",
+    },
+}
+
+
 # Used by the OU import from orgreg to distinguish the OuIdentifiers from others
 ORGREG_SOURCE = "orgreg"
 ORGREG_NAME = "orgreg_id"

gregsite/settings/dev.py

@@ -45,6 +45,14 @@ SESSION_COOKIE_SAMESITE = "Lax"
 
 SESSION_COOKIE_AGE = 1209600  # two weeks for easy development
 
+# Disable throttling in development, uncomment CACHES to test
+CACHES = {
+    "default": {
+        "BACKEND": "django.core.cache.backends.dummy.DummyCache",
+    }
+}
+
+
 try:
     from .local import *
 except ImportError:

gregsite/settings/prod.py

@@ -27,6 +27,13 @@ ALLOWED_HOSTS = (
     else []
 )
 
+# This is the default values for CACHES, only present for clarity
+CACHES = {
+    "default": {
+        "BACKEND": "django.core.cache.backends.locmem.LocMemCache",
+    }
+}
+
 
 try:
     from .local import *

gregui/api/views/invitation.py

@@ -11,6 +11,7 @@ from rest_framework.generics import CreateAPIView, GenericAPIView, DestroyAPIVie
 from rest_framework.parsers import JSONParser
 from rest_framework.permissions import AllowAny
 from rest_framework.response import Response
+from rest_framework.throttling import AnonRateThrottle
 from rest_framework.views import APIView
 
 from greg.models import Identity, InvitationLink, Person
@@ -96,6 +97,7 @@ class InvitationView(CreateAPIView, DestroyAPIView):
 class CheckInvitationView(APIView):
     authentication_classes = []
     permission_classes = [AllowAny]
+    throttle_classes = [AnonRateThrottle]
 
     def post(self, request, *args, **kwargs):
         """