Improve "Too many requests" page with an explanation

RESOLVED FIXED

Status

enhancement
--
major
RESOLVED FIXED
9 months ago
6 months ago

People

(Reporter: philipp, Assigned: dylan)

Tracking

({bmo-ux})

Production

Firefox Tracking Flags

(Not tracked)

Details

(Reporter)

Description

9 months ago
in the past couple of days i'm starting to receive the "Too Many Requests" blocking message a number of times when trying to access bugzilla. it's ip based, since switching to a different vpn can work around that.

i'm not entirely sure what triggers it - either opening multiple bug reports within a short amount of time (that would always be in a logged-in state) or i'm also using an addon that would query bugzilla's rest api for information for a probably rather large amount of bugs while browsing https://crash-stats.mozilla.com: 
https://addons.mozilla.org/firefox/addon/crash-stats-state-of-the-bug/
dylan, you manage the throttling stuff. Any ideas on this?
Flags: needinfo?(dylan)
(Reporter)

Comment 2

8 months ago
i think i'm getting the problem/temporary bmo ban after using the tool at https://mozilla.github.io/stab-crashes/compare-betas.html
(In reply to [:philipp] from comment #2)
> i think i'm getting the problem/temporary bmo ban after using the tool at
> https://mozilla.github.io/stab-crashes/compare-betas.html

https://mozilla.github.io/stab-crashes/compare-betas.html in particular doesn't hit Bugzilla, but some tools at https://mozilla.github.io/stab-crashes/ use the REST API without an API key.
Yes. I would check to see if you have any tabs open that are using bug dashboards that poll BMO with a lot of REST API calls. REST API calls and show_bug.cgi from the same IP are considered the same when it comes to rate limiting. So if your scripts or dashboards are making a large number of requests and then you go to load a bug through the UI, you could still get the too many requests error. Shutting down scripts/containers or open dashboard tabs when not being used would be helpful.
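Added example (not part of the original bug thread and not Bugzilla's own code): a minimal model of the behaviour described in the comment above, where REST API calls and show_bug.cgi loads from one IP draw on the same counter. The limit, window length, addresses and the `PerIpLimiter` name are assumptions for illustration; the page does not state BMO's real values.

```python
from collections import defaultdict, deque

# Assumed values for illustration; the page does not state BMO's real limits.
MAX_REQUESTS = 5
WINDOW_SECONDS = 60.0


class PerIpLimiter:
    """Sliding-window limiter keyed only by client IP, so all endpoints share one budget."""

    def __init__(self, max_requests=MAX_REQUESTS, window=WINDOW_SECONDS):
        self.max_requests = max_requests
        self.window = window
        self.hits = defaultdict(deque)  # ip -> timestamps of accepted requests

    def check(self, ip, path, now):
        """Return the HTTP status for a request; `path` is deliberately not part of the key."""
        recent = self.hits[ip]
        while recent and now - recent[0] >= self.window:
            recent.popleft()  # drop hits that have aged out of the window
        if len(recent) >= self.max_requests:
            return 429  # Too Many Requests
        recent.append(now)
        return 200


def simulate():
    """Constructed traffic: a dashboard tab polls the REST API, then the user opens a bug."""
    limiter = PerIpLimiter()
    user_ip, other_ip = "192.0.2.10", "198.51.100.7"  # documentation-range addresses
    results = {}
    # Five REST polls in five seconds use up the whole per-IP budget.
    results["polls"] = [limiter.check(user_ip, "/rest/bug", t) for t in range(5)]
    # A UI page load from the same IP is counted against the same budget.
    results["ui_same_ip"] = limiter.check(user_ip, "/show_bug.cgi", 6)
    # A different client address has its own counter.
    results["ui_other_ip"] = limiter.check(other_ip, "/show_bug.cgi", 6)
    # Once the polls age out of the window, the UI load succeeds again.
    results["ui_after_window"] = limiter.check(user_ip, "/show_bug.cgi", 65)
    return results


if __name__ == "__main__":
    for name, value in simulate().items():
        print(name, value)
```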
(Assignee)

Comment 5

8 months ago
Being logged in is a good way to prevent this from happening.

We're also exploring options for making this better.
Ultimately you can expect such "Too Many Requests" results to be replaced with some sort of "Are you a human being?" check.
Flags: needinfo?(dylan)
(Assignee)

Updated

8 months ago
Severity: normal → major
Keywords: bmo-ux
Summary: receiving "Too many requests" recently → Improve the "Too many requests" page to explain why it has happened and what the user can do if it is a mistake
I think we want to consider what we allow with API keys for logged in users, and that we may want API keys to have limited roles (in case someone leaks a key as part of a static web app), and require additional steps/approvals for API keys that allow for editing bugs or accessing bugs through group permissions.
(Assignee)

Updated

7 months ago
Summary: Improve the "Too many requests" page to explain why it has happened and what the user can do if it is a mistake → Improve the "Too many requests" page to explain why it has happened and offer a recaptcha
(Assignee)

Updated

7 months ago
Assignee: nobody → dylan
(Assignee)

Updated

6 months ago
Summary: Improve the "Too many requests" page to explain why it has happened and offer a recaptcha → Improve "Too many requests" page with an explaination
Merged to master.
Status: NEW → RESOLVED
Last Resolved: 6 months ago
Resolution: --- → FIXED

Updated

6 months ago
Summary: Improve "Too many requests" page with an explaination → Improve "Too many requests" page with an explanation