Fix active rate limits endpoint and add targeted reset capability (#81)

Copilot · azvoleff · web-flow · commit b9e0b95f6e97 · 2025-11-02T10:06:51.000-05:00
* Initial plan

* Fix active rate limits endpoint and add reset by ID functionality

- Fix get_current_rate_limits() to only return limits with count &gt; 0
- Add reset_rate_limit_by_key() helper function to reset individual limits
- Add new endpoint POST /api/v1/rate-limit/reset/&lt;identifier&gt; for targeted resets
- Add comprehensive tests for new functionality
- All code passes ruff linting and formatting

Co-authored-by: azvoleff &lt;107753+azvoleff@users.noreply.github.com&gt;

* Address code review feedback

- Fix Python 3.10+ union syntax (list | tuple) to use isinstance(keys, (list, tuple))
- Clarify comment about filtering limits with count &gt; 0
- Move jwt import to top of test file per PEP 8
- All ruff checks pass

Co-authored-by: azvoleff &lt;107753+azvoleff@users.noreply.github.com&gt;

* Use fixture instead of JWT decoding in tests

- Replace manual JWT decoding with regular_user fixture for better security
- Remove jwt import as it's no longer needed
- Avoid disabling signature verification in tests
- Use project's standard fixtures for consistent test patterns

Co-authored-by: azvoleff &lt;107753+azvoleff@users.noreply.github.com&gt;

---------

Co-authored-by: copilot-swe-agent[bot] &lt;198982749+Copilot@users.noreply.github.com&gt;
Co-authored-by: azvoleff &lt;107753+azvoleff@users.noreply.github.com&gt;
diff --git a/gefapi/routes/api/v1/admin.py b/gefapi/routes/api/v1/admin.py
@@ -100,6 +100,61 @@ def get_rate_limit_status():
         return jsonify({"error": "Failed to retrieve rate limiting status"}), 500
 
 
+@endpoints.route("/rate-limit/reset/<string:identifier>", methods=["POST"])
+@jwt_required()
+def reset_rate_limit_by_identifier(identifier):
+    """
+    Reset a specific rate limit by its identifier.
+
+    **Access**: Restricted to users with `role: "SUPERADMIN"`
+    **Purpose**: Clears rate limit counters for a specific user or IP address
+
+    **Path Parameters**:
+    - `identifier`: The rate limit identifier (e.g., "user:123", "ip:192.168.1.1",
+      "auth:hash:ip")
+
+    **Success Response Schema**:
+    ```json
+    {
+      "message": "Rate limit reset for identifier: user:123"
+    }
+    ```
+
+    **Use Cases**:
+    - Clear rate limit for specific user who was legitimately rate limited
+    - Remove rate limit for specific IP address
+    - Targeted rate limit management without affecting all users
+
+    **Error Responses**:
+    - `403 Forbidden`: User does not have SUPERADMIN privileges
+    - `401 Unauthorized`: Valid JWT token required
+    - `404 Not Found`: No rate limit found for the specified identifier
+    - `500 Internal Server Error`: Failed to reset rate limit
+    """
+    current_user_id = get_jwt_identity()
+    user = UserService.get_user(current_user_id)
+
+    if not user or user.role != "SUPERADMIN":
+        return jsonify({"msg": "Superadmin access required"}), 403
+
+    try:
+        from gefapi.utils.rate_limiting import reset_rate_limit_by_key
+
+        success = reset_rate_limit_by_key(identifier)
+
+        if success:
+            return jsonify(
+                {"message": f"Rate limit reset for identifier: {identifier}"}
+            ), 200
+        return jsonify(
+            {"error": f"No rate limit found for identifier: {identifier}"}
+        ), 404
+
+    except Exception as e:
+        app.logger.error(f"Failed to reset rate limit for {identifier}: {e}")
+        return jsonify({"error": "Failed to reset rate limit"}), 500
+
+
 @endpoints.route("/rate-limit/reset", methods=["POST"])
 @jwt_required()
 def reset_rate_limits():
diff --git a/gefapi/utils/rate_limiting.py b/gefapi/utils/rate_limiting.py
@@ -572,7 +572,7 @@ def get_current_rate_limits():
                 # Redis storage - get all keys matching rate limit patterns
                 pattern = "LIMITER/*"
                 keys = storage.storage.keys(pattern)
-                if isinstance(keys, list | tuple):
+                if isinstance(keys, (list, tuple)):
                     rate_limit_keys = [
                         key.decode() if isinstance(key, bytes) else key for key in keys
                     ]
@@ -712,7 +712,8 @@ def get_current_rate_limits():
                     limit_info["identifier"] = rate_key
 
                 # Only include limits that have a current count > 0 (actively limiting)
-                if current_count_numeric is not None:
+                # This filters out keys that are tracked but have no current activity
+                if current_count_numeric is not None and current_count_numeric > 0:
                     active_limits.append(limit_info)
 
             except Exception as e:
@@ -736,6 +737,88 @@ def get_current_rate_limits():
         }
 
 
+def reset_rate_limit_by_key(limit_key: str) -> bool:
+    """
+    Reset a specific rate limit by its key identifier.
+
+    Args:
+        limit_key: The rate limit key to reset (e.g., "user:123", "ip:192.168.1.1")
+
+    Returns:
+        True if the rate limit was reset successfully, False otherwise.
+    """
+    try:
+        from gefapi import limiter
+
+        if not limiter.enabled or not RateLimitConfig.is_enabled():
+            logger.warning("Rate limiting is disabled, cannot reset rate limit")
+            return False
+
+        storage = limiter._storage
+        keys_deleted = 0
+
+        # Try to find and delete all keys matching this rate limit identifier
+        try:
+            # For Redis storage
+            if hasattr(storage, "storage") and hasattr(storage.storage, "keys"):
+                # Redis storage - find all keys matching this identifier
+                pattern = f"LIMITER/{limit_key}/*"
+                keys = storage.storage.keys(pattern)
+                if isinstance(keys, (list, tuple)):
+                    for key in keys:
+                        key_str = key.decode() if isinstance(key, bytes) else key
+                        try:
+                            storage.storage.delete(key)
+                            keys_deleted += 1
+                            logger.info(f"Deleted rate limit key: {key_str}")
+                        except Exception as e:
+                            logger.warning(f"Failed to delete key {key_str}: {e}")
+
+            elif hasattr(storage, "storage") and hasattr(storage.storage, "scan_iter"):
+                # Redis storage with scan_iter method
+                pattern = f"LIMITER/{limit_key}/*"
+                for key in storage.storage.scan_iter(match=pattern):
+                    key_str = key.decode() if isinstance(key, bytes) else key
+                    try:
+                        storage.storage.delete(key)
+                        keys_deleted += 1
+                        logger.info(f"Deleted rate limit key: {key_str}")
+                    except Exception as e:
+                        logger.warning(f"Failed to delete key {key_str}: {e}")
+
+            elif hasattr(storage, "storage") and isinstance(storage.storage, dict):
+                # Memory storage - direct dictionary access
+                keys_to_delete = [
+                    k for k in storage.storage if k.startswith(f"LIMITER/{limit_key}/")
+                ]
+                for key in keys_to_delete:
+                    try:
+                        del storage.storage[key]
+                        keys_deleted += 1
+                        logger.info(f"Deleted rate limit key: {key}")
+                    except Exception as e:
+                        logger.warning(f"Failed to delete key {key}: {e}")
+            else:
+                logger.warning("Unable to determine storage type for rate limit reset")
+                return False
+
+        except Exception as e:
+            logger.error(f"Failed to reset rate limit for key {limit_key}: {e}")
+            return False
+
+        if keys_deleted > 0:
+            logger.info(
+                f"Successfully reset {keys_deleted} rate limit keys for {limit_key}"
+            )
+            return True
+        logger.warning(f"No rate limit keys found for {limit_key}")
+        return False
+
+    except Exception as e:
+        logger.error(f"Failed to reset rate limit by key: {e}")
+        return False
+
+
 def reconfigure_limiter_for_testing():
     """
     Reconfigure the Flask-Limiter instance for testing.
diff --git a/tests/test_rate_limit_reset_by_id.py b/tests/test_rate_limit_reset_by_id.py
@@ -0,0 +1,186 @@
+"""Tests for rate limit reset by identifier functionality"""
+
+
+class TestRateLimitResetByIdentifier:
+    """Test resetting specific rate limits by identifier"""
+
+    def test_reset_rate_limit_by_identifier_superadmin_access(
+        self,
+        client,
+        auth_headers_user,
+        auth_headers_superadmin,
+        reset_rate_limits,
+        regular_user,
+    ):
+        """Test that superadmin can reset a specific rate limit by identifier"""
+        # First, reset all rate limits to start fresh
+        reset_rate_limits()
+
+        # Trigger rate limit for a specific user
+        responses = []
+        for i in range(100):  # Make many requests to trigger rate limiting
+            response = client.get("/api/v1/user/me", headers=auth_headers_user)
+            responses.append(response)
+            if response.status_code == 429:
+                break
+
+        # Check if user was rate limited
+        rate_limited = any(r.status_code == 429 for r in responses)
+        if not rate_limited:
+            # If not rate limited, skip this part of the test
+            return
+
+        # Get the user ID from the fixture
+        # The regular_user fixture provides the user object with known ID
+        user_id = regular_user.id
+
+        # Reset the rate limit for this specific user
+        response = client.post(
+            f"/api/v1/rate-limit/reset/user:{user_id}",
+            headers=auth_headers_superadmin,
+        )
+        assert response.status_code in [
+            200,
+            404,
+        ], f"Expected 200 or 404, got {response.status_code}: {response.json}"
+
+        # If reset was successful, verify the response
+        if response.status_code == 200:
+            data = response.json
+            assert "message" in data
+            assert str(user_id) in data["message"]
+
+    def test_reset_rate_limit_by_identifier_admin_forbidden(
+        self, client, auth_headers_admin
+    ):
+        """Test that admin cannot reset rate limits by identifier"""
+        response = client.post(
+            "/api/v1/rate-limit/reset/user:123", headers=auth_headers_admin
+        )
+        assert response.status_code == 403
+        assert "Superadmin access required" in response.json["msg"]
+
+    def test_reset_rate_limit_by_identifier_user_forbidden(
+        self, client, auth_headers_user
+    ):
+        """Test that regular user cannot reset rate limits by identifier"""
+        response = client.post(
+            "/api/v1/rate-limit/reset/user:123", headers=auth_headers_user
+        )
+        assert response.status_code == 403
+        assert "Superadmin access required" in response.json["msg"]
+
+    def test_reset_rate_limit_by_identifier_no_auth_forbidden(self, client):
+        """Test that unauthenticated request cannot reset rate limits by identifier"""
+        response = client.post("/api/v1/rate-limit/reset/user:123")
+        assert response.status_code == 401  # JWT required
+
+    def test_reset_rate_limit_by_ip(self, client, auth_headers_superadmin):
+        """Test resetting rate limit by IP address"""
+        # Try to reset a rate limit by IP
+        response = client.post(
+            "/api/v1/rate-limit/reset/ip:192.168.1.100", headers=auth_headers_superadmin
+        )
+        # Should either succeed (200) or not find the rate limit (404)
+        assert response.status_code in [200, 404]
+
+        if response.status_code == 200:
+            data = response.json
+            assert "message" in data
+            assert "192.168.1.100" in data["message"]
+        else:
+            # 404 is acceptable if no rate limit exists for this IP
+            data = response.json
+            assert "error" in data
+
+    def test_reset_rate_limit_returns_404_for_nonexistent(
+        self, client, auth_headers_superadmin, reset_rate_limits
+    ):
+        """Test that resetting a nonexistent rate limit returns 404"""
+        # First, reset all rate limits to ensure clean state
+        reset_rate_limits()
+
+        # Try to reset a rate limit that doesn't exist
+        response = client.post(
+            "/api/v1/rate-limit/reset/user:nonexistent-user-id",
+            headers=auth_headers_superadmin,
+        )
+        assert response.status_code == 404
+        data = response.json
+        assert "error" in data
+        assert "No rate limit found" in data["error"]
+
+    def test_reset_rate_limit_by_auth_identifier(self, client, auth_headers_superadmin):
+        """Test resetting rate limit by auth identifier"""
+        # Try to reset an auth-type rate limit
+        response = client.post(
+            "/api/v1/rate-limit/reset/auth:somehash:someip",
+            headers=auth_headers_superadmin,
+        )
+        # Should either succeed (200) or not find the rate limit (404)
+        assert response.status_code in [200, 404]
+
+
+class TestRateLimitStatusImprovements:
+    """Test improvements to rate limit status endpoint"""
+
+    def test_rate_limit_status_shows_only_active_limits(
+        self, client, auth_headers_user, auth_headers_superadmin, reset_rate_limits
+    ):
+        """Test that rate limit status only shows limits with count > 0"""
+        # Reset all limits first
+        reset_rate_limits()
+
+        # Make a few requests (but not enough to trigger rate limiting)
+        for i in range(3):
+            client.get("/api/v1/user/me", headers=auth_headers_user)
+
+        # Check rate limit status
+        response = client.get(
+            "/api/v1/rate-limit/status", headers=auth_headers_superadmin
+        )
+        assert response.status_code == 200
+
+        data = response.json["data"]
+        if data["enabled"]:
+            # All active limits should have current_count > 0
+            for limit in data["active_limits"]:
+                assert "current_count" in limit
+                # Current count should be greater than 0 for "active" limits
+                if isinstance(limit["current_count"], (int, float)):
+                    assert limit["current_count"] > 0
+
+    def test_rate_limit_status_includes_user_info_for_user_limits(
+        self, client, auth_headers_user, auth_headers_superadmin, reset_rate_limits
+    ):
+        """Test that user-type limits include user information"""
+        # Reset and trigger some user requests
+        reset_rate_limits()
+
+        # Make requests to trigger rate limit tracking
+        for i in range(5):
+            client.get("/api/v1/user/me", headers=auth_headers_user)
+
+        # Check rate limit status
+        response = client.get(
+            "/api/v1/rate-limit/status", headers=auth_headers_superadmin
+        )
+        assert response.status_code == 200
+
+        data = response.json["data"]
+        if data["enabled"] and data["active_limits"]:
+            # Find any user-type limits
+            user_limits = [
+                limit for limit in data["active_limits"] if limit["type"] == "user"
+            ]
+
+            # If there are user limits, they should have user_info
+            for limit in user_limits:
+                assert "type" in limit
+                assert limit["type"] == "user"
+                # User info may or may not be present depending on whether
+                # the user lookup succeeded
+                if limit.get("user_info"):
+                    assert "id" in limit["user_info"]
+                    assert "email" in limit["user_info"]
+                    assert "role" in limit["user_info"]
