Update rate limits and Swagger docs

2025-03-07 15:31:00 +08:00 · 2023-01-23 12:32:54 +01:00 · 2023-01-23 12:32:54 +01:00 · aa2a72a970
commit aa2a72a970
parent 0c71864347
4 changed files with 34 additions and 25 deletions
--- a/backend/src/main/java/io/papermc/hangar/config/SwaggerConfig.java
+++ b/backend/src/main/java/io/papermc/hangar/config/SwaggerConfig.java
@ -23,28 +23,37 @@ public class SwaggerConfig {
    OpenApiCustomizer apiInfo() {
        return (openApi) -> openApi
            .info(new Info().title("Hangar API")
-                .description("This page describes the format for the current Hangar REST API, in addition to common questions when using it.<br>" +
-                    "Note that all routes **not** listed here should be considered **internal**, and can change at a moment's notice. **Do not use them**." +
-                    "<h2>Authentication and Authorization</h2>" +
-                    "There are two ways to consume the API: Authenticated or Anonymous." +
-                    "<h3>Anonymous</h3>" +
-                    "When using anonymous authentication you only get access to public information, but don't need to worry about creating and storing an API key or handing JWTs." +
-                    "<h3>Authenticated</h3>" +
-                    "If you need access to non-public actions, or want to do something programmatically, you likely want an API key.<br>" +
-                    "These can be created by going to your user page and clicking on the key icon.<br>" +
-                    "API keys allow you to impersonate yourself, so they should be handled like passwords, **never** share them!" +
-                    "<h4>Authentication</h4>" +
-                    "Once you have an api key, you need to authenticate yourself. For that you `POST` your API Key to `/api/v1/authenticate?apiKey=yourKey`. The response will contain your JWT.<br>" +
-                    "You want to store that JWT and send it with every request. It's valid for a certain amount of time, the token itself contains a field with a timestamp when it will expire. If it expired, you want to reauthenticate yourself." +
-                    "<h4>Authorization</h4>" +
-                    "Now that you have your JWT, you want to set it in the Authorization header for every request like so `Authorization: HangarAuth your.jwt`. The request will be then executed with the permission scope of your api key." +
-                    "<br>" +
-                    "While talking about headers. Please also set a useful User-Agent header. This allows us to better identify loads and need for potentially new endpoints." +
-                    "<h2>FAQ</h2>" +
-                    "<h3>What format do dates have?</h3>" +
-                    "Standard ISO types. Where possible, we use the OpenAPI format modifier. You can view its meanings [here](https://swagger.io/docs/specification/data-models/data-types/#format)." +
-                    "<h3>Are there rate-limits? What about caching?</h3>" +
-                    "There are currently no rate limits. Please don't abuse that fact. If applicable, always cache the responses. The Hangar API itself is cached by CloudFlare and internally.")
+                .description("""
+                    This page describes the format for the current Hangar REST API as well as general usage guidelines.<br>
+                    Note that all routes **not** listed here should be considered **internal**, and can change at a moment's notice. **Do not use them**.
+
+                    <h2>Authentication and Authorization</h2>
+                    There are two ways to consume the API: Authenticated or anonymous.
+
+                    <h3>Anonymous</h3>
+                    When using anonymous authentication, you only have access to public information, but you don't need to worry about creating and storing an API key or handing JWTs.
+
+                    <h3>Authenticated</h3>
+                    If you need access to non-public content or actions, you need to create and use API keys.
+                    These can be created by going to the API keys page via the profile dropdown or by going to your user page and clicking on the key icon.<br><br>
+
+                    API keys allow you to impersonate yourself, so they should be handled like passwords. **Do not share them with anyone else!**
+
+                    <h4>Getting and Using a JWT</h4>
+                    Once you have an API key, you need to authenticate yourself: Send a `POST` request with your API key identifier (a UUID) to `/api/v1/authenticate?apiKey=yourKey`. The response will contain your JWT as well as an expiration time.
+                    Put this JWT into the `Authentication` header of every request and make sure to request a new JWT after the expiration time has passed.<br><br>
+
+                    Please also set a meaningful `User-Agent` header. This allows us to better identify loads and needs for potentially new endpoints.
+
+                    <h2>Misc</h2>
+                    <h3>Date Formats</h3>
+                    Standard ISO types. Where possible, we use the [OpenAPI format modifier](https://swagger.io/docs/specification/data-models/data-types/#format).
+
+                    <h3>Rate Limits and Caching</h3>
+                    The default rate limit is set at 20 requests every 5 seconds with an initial overdraft for extra leniency.
+                    Individual endpoints, such as version creation, may have stricter rate limiting.<br><br>
+
+                    If applicable, always cache responses. The Hangar API itself is cached by CloudFlare and internally.""")
                .version("1.0"));
    }

--- a/backend/src/main/java/io/papermc/hangar/controller/api/v1/ProjectsController.java
+++ b/backend/src/main/java/io/papermc/hangar/controller/api/v1/ProjectsController.java
@ -34,7 +34,7 @@ import org.springframework.stereotype.Controller;

@Anyone
@Controller
-@RateLimit(path = "apiprojects", overdraft = 200, refillTokens = 50, greedy = true)
+@RateLimit(path = "apiprojects", greedy = true)
 public class ProjectsController extends HangarComponent implements IProjectsController {

    private final ProjectsApiService projectsApiService;
--- a/backend/src/main/java/io/papermc/hangar/controller/api/v1/UsersController.java
+++ b/backend/src/main/java/io/papermc/hangar/controller/api/v1/UsersController.java
@ -20,7 +20,7 @@ import org.springframework.stereotype.Controller;

@Anyone
@Controller
-@RateLimit(path = "apiusers", overdraft = 200, refillTokens = 50, greedy = true)
+@RateLimit(path = "apiusers", greedy = true)
 public class UsersController extends HangarComponent implements IUsersController {

    private final UsersApiService usersApiService;
--- a/backend/src/main/java/io/papermc/hangar/controller/api/v1/VersionsController.java
+++ b/backend/src/main/java/io/papermc/hangar/controller/api/v1/VersionsController.java
@ -34,7 +34,7 @@ import org.springframework.web.multipart.MultipartFile;
@Anyone
@Controller
@ResponseBody
-@RateLimit(path = "apiversions", overdraft = 200, refillTokens = 50, greedy = true)
+@RateLimit(path = "apiversions", greedy = true)
 public class VersionsController implements IVersionsController {

    private final DownloadService downloadService;