Metadata-Version: 2.4
Name: fastapi-easylimiter
Version: 0.3.7
Summary: Async rate limiter for FastAPI with Redis or in-memory backend and advanced proxy-aware security
Author-email: cfunkz <cfunkz@duck.com>
License: MIT License
        
        Copyright (c) 2025 cFunkz
        
        Permission is hereby granted, free of charge, to any person obtaining a copy
        of this software and associated documentation files (the "Software"), to deal
        in the Software without restriction, including without limitation the rights
        to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
        copies of the Software, and to permit persons to whom the Software is
        furnished to do so, subject to the following conditions:
        
        The above copyright notice and this permission notice shall be included in all
        copies or substantial portions of the Software.
        
        THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
        IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
        FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
        AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
        LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
        OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
        SOFTWARE.
        
Project-URL: Homepage, https://github.com/cfunkz/fastapi-easylimiter
Project-URL: Documentation, https://github.com/cfunkz/fastapi-easylimiter
Project-URL: Source, https://github.com/cfunkz/fastapi-easylimiter
Project-URL: Issues, https://github.com/cfunkz/fastapi-easylimiter/issues
Keywords: fastapi,rate-limit,ratelimiter,rate limiting,dos protection,ddos,security,middleware,asyncio,redis,fastapi middleware,abuse prevention,throttling,x-forwarded-for,cloudflare
Classifier: Framework :: FastAPI
Classifier: Framework :: AsyncIO
Classifier: Programming Language :: Python :: 3
Classifier: Programming Language :: Python :: 3.9
Classifier: Programming Language :: Python :: 3.10
Classifier: Programming Language :: Python :: 3.11
Classifier: Programming Language :: Python :: 3.12
Classifier: License :: OSI Approved :: MIT License
Classifier: Operating System :: OS Independent
Classifier: Topic :: Internet :: WWW/HTTP
Classifier: Topic :: Internet :: Proxy Servers
Classifier: Topic :: Security
Classifier: Topic :: System :: Networking
Classifier: Topic :: Software Development :: Libraries
Classifier: Intended Audience :: Developers
Classifier: Development Status :: 4 - Beta
Requires-Python: >=3.9
Description-Content-Type: text/markdown
License-File: LICENSE
Requires-Dist: fastapi>=0.110
Requires-Dist: starlette>=0.36
Requires-Dist: redis>=5.0.0
Provides-Extra: redis
Requires-Dist: redis>=5.0.0; extra == "redis"
Provides-Extra: dev
Requires-Dist: pytest; extra == "dev"
Requires-Dist: ruff; extra == "dev"
Requires-Dist: black; extra == "dev"
Requires-Dist: httpx; extra == "dev"
Dynamic: license-file

# fastapi‑easylimiter

[![GitHub stars](https://img.shields.io/github/stars/cfunkz/fastapi-easylimiter?style=social)](https://github.com/cfunkz/fastapi-easylimiter/stargazers) 
[![GitHub forks](https://img.shields.io/github/forks/cfunkz/fastapi-easylimiter?style=social)](https://github.com/cfunkz/fastapi-easylimiter/network/members) 
[![GitHub issues](https://img.shields.io/github/issues/cfunkz/fastapi-easylimiter)](https://github.com/cfunkz/fastapi-easylimiter/issues) 
[![GitHub license](https://img.shields.io/github/license/cfunkz/fastapi-easylimiter)](https://github.com/cfunkz/fastapi-easylimiter/blob/main/LICENSE) 
[![PyPI](https://img.shields.io/pypi/v/fastapi-easylimiter)](https://pypi.org/project/fastapi-easylimiter/)

---

An **ASGI async rate-limiting middleware** for FastAPI with **Redis** or **in-memory caching**, designed to handle **auto-generated routes** (e.g., FastAPI-Users) without decorators, for simplicity and performance.

---

## Features

- **Async rate limiting**
- **Optional temporary IP bans**
  - Configurable threshold (default 10 violations)
  - Sliding 15-min offense window
  - 5-min ban on repeat abuse
- **Cache Backends**
  - Redis (recommended for multi-instance deployments)
  - In-Memory (single worker dev)
- **Path-based rules**
  - Supports multi-rule prefix matching
  - Global and per-route limits
- **Standard rate-limit headers**
  - `X-RateLimit-Limit`
  - `X-RateLimit-Remaining`
  - `X-RateLimit-Reset`
  - `Retry-After` on `429` responses
- **Proxy Aware**
  - Uses `'X-Forwarded-For'` only when the sender is trusted, hardened logic
  - Rejects spoofed XFF headers
  - Supports `'CF-Connecting-IP'` from Cloudflare, verified against CF CIDRs, when enabled
    - Must be public not private IP range.
  - Fallback to ASGI `scope["client"]` if no trusted headers exist
- **Zero dependencies beyond Redis client**
  - Starlette-style ASGI middleware
- **Custom responses**
  - `HTMLResponse` for browser clients
  - `JSONResponse` for API clients
- CRLF-injection–safe header parsing
- Allows banning direct connections (no proxy/CF) for dev/testing
---

## Installation

```bash
pip install fastapi-easylimiter
```

---

## Usage

```python
from fastapi import FastAPI
from fastapi_easylimiter import AsyncRedisBackend, InMemoryBackend, RateLimiterMiddleware
import redis.asyncio as redis_async

app = FastAPI()

REDIS_URL = "redis://localhost:6379/0"

# Redis backend (recommended for multi-instance deployments)
redis_client = redis_async.from_url(REDIS_URL, decode_responses=True)
backend = AsyncRedisBackend(
  redis_client,            # Redis pool/client
  fail_open=False,         # Allow requests if Redis is down
  key_prefix="ratelimit:", # Redis key prefix
  eval_timeout=30          # Eval timeout
  )

# Or for single-instance/local development:
# backend = InMemoryBackend()

rules = {
    "/": {"limit": 50, "period": 5},            # GLOBAL: 50 req/5sec per IP
    "/api/": {"limit": 10, "period": 1},        # API: 10 req/sec per IP
    "/api/users": {"limit": 30, "period": 60},  # USER ROUTES: 30 req/60sec per IP
}

app.add_middleware(
    RateLimiterMiddleware,
    rules=rules,
    backend=backend,
    trusted_proxies=None,     # OPTIONAL: your proxy IPs (Only set if behind a proxy such as nginx)
    cloudflare=False,         # OPTIONAL: enable CF-Connecting-IP (Only set when behind cloudflare)
    enable_bans=True,         # OPTIONAL: enable temporary bans
    ban_threshold=10,         # Violations before ban
    ban_duration=300,         # Ban length in seconds
    offense_ttl=600,         # Offense counting window
    ban_page="<p>Your IP has been temporarily banned.</p>",        # OPTIONAL custom HTML ban page
    rate_page="<p>Too many requests. Please try again later.</p>", # OPTIONAL custom HTML rate-limit page
    ban_direct=True           # ONLY SET WHEN RUNNING BAREMETAL NO CF AND NO PROXY
)
```

> Example: `/api/users/me` matches `/api/users` and `/api`. If **any** rule is exceeded → `429` returned.

---

### Redis Lua Script

```lua
local key = KEYS[1]
local limit = tonumber(ARGV[1])
local window = tonumber(ARGV[2])
local now = tonumber(ARGV[3])

local count = redis.call("INCR", key)
local ttl = redis.call("TTL", key)

if ttl == -1 then
    redis.call("EXPIRE", key, window)
    ttl = window
end

local reset = now + ttl
local exceeded = count > limit and 1 or 0

return {count, reset, exceeded}
```

### Redis Key Patterns

| Full Key Pattern                         | Example                              | Purpose                                  |
| ---------------------------------------- | ------------------------------------ | ---------------------------------------- |
| `ratelimit:rl:{client_ip}:{prefix}`      | `ratelimit:rl:203.0.113.5:/api`      | Rate-limit counter per IP + route prefix |
| `ratelimit:ban:{client_ip}`              | `ratelimit:ban:203.0.113.5`          | Temporary ban flag                       |
| `ratelimit:offenses:{client_ip}`         | `ratelimit:offenses:203.0.113.5`     | Offense counter used for tracking        |

---

### Middleware Parameters

| Parameter         | Type                      | Description                                 |
| ----------------- | ------------------------- | ------------------------------------------- |
| `app`             | ASGIApp                   | FastAPI/ASGI app                            |
| `rules`           | dict                      | `{ prefix: {"limit": int, "period": int} }` |
| `backend`         | Redis or InMemory backend | Rate-limit storage                          |
| `trusted_proxies` | list[str]                 | Proxies allowed to trust XFF headers        |
| `cloudflare`      | bool                      | Enable Cloudflare IP extraction             |
| `enable_bans`     | bool                      | Enable temporary IP bans                    |
| `ban_threshold`   | int                       | Violations before ban                       |
| `ban_duration`    | int                       | Ban length in seconds                       |
| `offense_ttl`     | int                       | Offense counting window in seconds          |
| `ban_page`        | str                       | Custom HTML ban page                        |
| `rate_page`       | str                       | Custom HTML rate-limit page                 |
| `ban_direct`      | bool                      | Bypass all checks and ban directly          |

---

## Screenshot

<img width="1070" height="571" alt="image" src="https://github.com/user-attachments/assets/4579f130-ac83-457b-8fd1-eda720ce8123" />
<img width="1128" height="582" alt="image" src="https://github.com/user-attachments/assets/23752a35-5bff-4ed1-bd72-e90fe6c41e00" />
<img width="542" height="155" alt="image" src="https://github.com/user-attachments/assets/83045e50-e9a6-481e-9b65-69fb4fef6dd8" />
<img width="546" height="165" alt="image" src="https://github.com/user-attachments/assets/82f28d1c-be71-480a-a23d-3291db6d9571" />

---

## Contributing

Contributions and forks are always welcome! Adapt, improve, or extend for your own needs.

---

## Support

[![Buy Me a Coffee](https://cdn.ko-fi.com/cdn/kofi3.png?v=3)](https://ko-fi.com/cfunkz81112)

---

*Parts of this code were generated/assisted by AI (Claude, Grok).*
