Document how to restrict/throttle API access

[ajdlinux]

Requested by Konstantin: https://lists.ozlabs.org/pipermail/patchwork/2019-November/006369.html

Site admins may want to restrict API access to authenticated users only to control server load.

---

edit: Looks like with some settings in REST_FRAMEWORK, restricting to authenticated users is probably doable by setting the right default permission classes, and there's settings for throttling too. We should add a mention of this to the documentation for the sake of admins who are unfamiliar

[daxtens]

Do we want to go the whole hog and implement proper ratelimiting, with configurable limits for anonymous/logged in users? I'm thinking about how to protect against misbehaving but authorised scripts...

[ajdlinux]

Yeah why not, DRF seems to support that in a very straightforward manner

[ajdlinux]

Happy to take this, feel free to assign to me

[ajdlinux]

Having asked on IRC, I was helpfully pointed to https://www.django-rest-framework.org/api-guide/permissions/#setting-the-permission-policy

REST_FRAMEWORK = {
    'DEFAULT_PERMISSION_CLASSES': [
        'rest_framework.permissions.IsAuthenticated',
    ]
}

seems like it'd probably do it.

DRF also has throttling options: https://www.django-rest-framework.org/api-guide/throttling/

@mricon would overriding the built-in DRF permission and throttling settings work for your use case? In which case maybe we add a link to the DRF documentation and leave it at that.

[ajdlinux]

Ugh turns out we define our own permissions class and use that, but we can easily fix that class