
Per-user vs per-IP limits in Rest API - Practice Questions

Challenge - 5 Problems
🧠 Conceptual
intermediate
Understanding Rate Limits: Per-User vs Per-IP

In a REST API, what is the main difference between applying rate limits per user and per IP address?

A. Per-user limits apply only to authenticated users, while per-IP limits apply only to unauthenticated users.
B. Per-user limits restrict requests based on user identity, while per-IP limits restrict requests based on the client IP address.
C. Per-user limits restrict requests based on IP address, while per-IP limits restrict requests based on user identity.
D. Per-user limits allow unlimited requests, while per-IP limits always block after one request.
💡 Hint

Think about what uniquely identifies a user versus what identifies a network location.

Predict Output
intermediate
Output of Rate Limit Check Function

Given this Python function that checks rate limits, what will be the output when calling check_limit('user123', '192.168.1.10') if the user has made 5 requests and the IP has made 10 requests?

def check_limit(user_id, ip):
    user_limit = 5
    ip_limit = 10
    user_requests = {'user123': 5}
    ip_requests = {'192.168.1.10': 10}
    if user_requests.get(user_id, 0) >= user_limit:
        return 'User limit exceeded'
    if ip_requests.get(ip, 0) >= ip_limit:
        return 'IP limit exceeded'
    return 'Allowed'
A. KeyError
B. "IP limit exceeded"
C. "Allowed"
D. "User limit exceeded"
💡 Hint

Check which limit is reached first in the code.

🔧 Debug
advanced
Identify the Bug in Rate Limiting Logic

What error will this code raise when calling increment_request('user1', '10.0.0.1') for the first time?

user_requests = {}
ip_requests = {}
user_limit = 3
ip_limit = 5

def increment_request(user_id, ip):
    if user_requests[user_id] >= user_limit:
        return 'User limit reached'
    if ip_requests[ip] >= ip_limit:
        return 'IP limit reached'
    user_requests[user_id] += 1
    ip_requests[ip] += 1
    return 'Request allowed'
A. KeyError
B. TypeError
C. ValueError
D. No error, returns 'Request allowed'
💡 Hint

Think about what happens when you try to access a dictionary key that does not exist.

📝 Syntax
advanced
Syntax Error in Rate Limit Decorator

Which option contains the correct syntax for a Python decorator that limits API calls per user?

def rate_limit(func):
    def wrapper(user_id):
        # limit logic here
        return func(user_id)
    return wrapper
A.
def rate_limit(func):
    def wrapper(user_id):
        # limit logic
        return func(user_id)
    return wrapper
B.
def rate_limit(func):
    def wrapper(user_id):
        # limit logic
        return func(user_id)
    wrapper
C.
def rate_limit(func):
    def wrapper(user_id):
        # limit logic
        return func(user_id)
    return wrapper()
D.
def rate_limit(func):
    def wrapper(user_id):
        # limit logic
        return func(user_id)
    return func
💡 Hint

Remember what a decorator must return.

🚀 Application
expert
Choosing Rate Limit Strategy for a Public API

You manage a public REST API used by many anonymous users behind shared IP addresses. Which rate limiting strategy is best to prevent abuse while minimizing false blocks?

A. Apply per-user limits only, ignoring IP addresses since users are anonymous.
B. Apply strict per-IP limits only, blocking IPs after few requests.
C. Combine per-IP limits with a higher threshold and per-user limits for authenticated users.
D. Do not apply any rate limits to avoid blocking legitimate users.
💡 Hint

Consider how anonymous users and shared IPs affect rate limiting.

Practice

1. What is the main difference between per-user and per-IP rate limits in REST APIs?
easy
A. Per-user limits block IP addresses; per-IP limits block user accounts.
B. Per-user limits count requests from each IP; per-IP limits count requests from each user.
C. Per-user limits track requests by user identity; per-IP limits track requests by the requester's IP address.
D. Per-user limits apply only to logged-out users; per-IP limits apply only to logged-in users.

Solution

  1. Step 1: Understand per-user limits

    Per-user limits count how many requests each user (identified by login or token) makes.
  2. Step 2: Understand per-IP limits

    Per-IP limits count requests based on the IP address making the request, regardless of user identity.
  3. Final Answer:

    Per-user limits track requests by user identity; per-IP limits track requests by the requester's IP address. -> Option C
  4. Quick Check:

    Per-user = user identity, Per-IP = IP address [OK]
Hint: User limits track users; IP limits track locations [OK]
Common Mistakes:
  • Confusing user identity with IP address
  • Thinking per-IP limits block users
  • Assuming per-user limits apply only to logged-out users
2. Which of the following is the correct way to check a per-user rate limit in pseudocode?
easy
A. if requests_from_user > limit: block_request()
B. if requests_from_ip > limit: block_request()
C. if user_ip == limit: block_request()
D. if user == limit: block_request()

Solution

  1. Step 1: Identify per-user check

    Per-user limits check how many requests a user has made, so the condition should compare requests_from_user to the limit.
  2. Step 2: Verify correct syntax

    The correct syntax is to compare requests_from_user > limit and block if true.
  3. Final Answer:

    if requests_from_user > limit: block_request() -> Option A
  4. Quick Check:

    Check user requests count > limit [OK]
Hint: Per-user means check requests_from_user variable [OK]
Common Mistakes:
  • Using IP variable for per-user limit
  • Comparing user or IP directly to limit
  • Using equality instead of greater than
3. Given this pseudocode snippet for rate limiting:
requests_per_user = {"alice": 5, "bob": 3}
requests_per_ip = {"192.168.1.1": 10, "10.0.0.2": 2}
user = "alice"
ip = "192.168.1.1"
user_limit = 5
ip_limit = 10

if requests_per_user[user] >= user_limit:
    print("User limit reached")
elif requests_per_ip[ip] >= ip_limit:
    print("IP limit reached")
else:
    print("Request allowed")

What will be printed?
medium
A. Request allowed
B. User limit reached
C. IP limit reached
D. Error: Key not found

Solution

  1. Step 1: Check user request count

    requests_per_user["alice"] is 5, which is equal to user_limit (5), so the first if condition is true.
  2. Step 2: Determine which print runs

    Since the first condition is true, it prints "User limit reached" and skips the rest.
  3. Final Answer:

    User limit reached -> Option B
  4. Quick Check:

    5 >= 5 triggers user limit [OK]
Hint: Check user count first; equal means limit reached [OK]
Common Mistakes:
  • Thinking IP limit triggers first
  • Ignoring >= condition
  • Assuming else runs when equal
4. This code snippet is intended to enforce per-IP rate limits but has a bug:
requests_per_ip = {"1.2.3.4": 8}
ip_limit = 10
ip = "1.2.3.4"

if requests_per_ip[ip] > ip_limit:
    print("Limit exceeded")
else:
    print("Allowed")

What is the bug, and how do you fix it?
medium
A. Bug: Uses > instead of >=; fix by changing to >=.
B. Bug: ip variable is wrong type; fix by converting to string.
C. Bug: requests_per_ip key missing; fix by adding default value.
D. Bug: prints wrong message; fix by swapping print statements.

Solution

  1. Step 1: Analyze condition logic

    The code blocks requests only if requests_per_ip[ip] > ip_limit, so if requests equal ip_limit, it allows the request.
  2. Step 2: Fix condition to include equal case

    Change > to >= so requests equal to ip_limit also get blocked.
  3. Final Answer:

    Bug: Uses > instead of >=; fix by changing to >=. -> Option A
  4. Quick Check:

    Use >= to block at limit [OK]
Hint: Use >= to block requests at limit, not just above [OK]
Common Mistakes:
  • Ignoring equal case in condition
  • Assuming IP variable type is wrong
  • Thinking missing keys cause this bug
5. You want to implement a rate limiter that blocks requests if either the user or the IP address exceeds their limits. Which pseudocode correctly enforces this combined rule?
hard
A. if requests_per_user[user] > user_limit and requests_per_ip[ip] > ip_limit: block_request()
B. if requests_per_user[user] == user_limit and requests_per_ip[ip] == ip_limit: block_request()
C. if requests_per_user[user] < user_limit or requests_per_ip[ip] < ip_limit: block_request()
D. if requests_per_user[user] > user_limit or requests_per_ip[ip] > ip_limit: block_request()

Solution

  1. Step 1: Understand combined blocking logic

    The request should be blocked if either the user or the IP exceeds their limit, so the condition must use OR.
  2. Step 2: Check condition correctness

    if requests_per_user[user] > user_limit or requests_per_ip[ip] > ip_limit: block_request() uses OR with > comparisons, correctly blocking if user or IP exceeds limits.
  3. Final Answer:

    if requests_per_user[user] > user_limit or requests_per_ip[ip] > ip_limit: block_request() -> Option D
  4. Quick Check:

    Block if user OR IP exceeds limit [OK]
Hint: Use OR to block if either user or IP exceeds limit [OK]
Common Mistakes:
  • Using AND instead of OR
  • Using < instead of >
  • Checking equality only
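
The combined rule from question 5, with the >= boundary from question 4 and a default of 0 for keys not seen before, as an added example that is not part of the original quiz. The class name, the limits, the 60-second fixed window and the sample IP address are assumptions chosen for illustration:

```python
import time
from collections import defaultdict


class CombinedRateLimiter:
    """Fixed-window limiter: blocks when the user OR the IP is at its limit."""

    def __init__(self, user_limit, ip_limit, window_seconds=60, clock=time.monotonic):
        self.user_limit, self.ip_limit = user_limit, ip_limit
        self.window, self.clock = window_seconds, clock
        self.user_requests = defaultdict(int)  # missing key reads as 0, no KeyError
        self.ip_requests = defaultdict(int)
        self.current_window = None

    def check(self, ip, user_id=None):
        window = int(self.clock() // self.window)
        if window != self.current_window:  # new window: drop all old counters
            self.user_requests.clear()
            self.ip_requests.clear()
            self.current_window = window
        # Decide before counting, so a rejected request consumes no quota.
        if user_id is not None and self.user_requests[user_id] >= self.user_limit:
            return "User limit reached"
        if self.ip_requests[ip] >= self.ip_limit:
            return "IP limit reached"
        if user_id is not None:  # anonymous callers are tracked by IP only
            self.user_requests[user_id] += 1
        self.ip_requests[ip] += 1
        return "Request allowed"


def demo():
    """Constructed scenario: two users and one anonymous caller share one NAT IP."""
    now = [0.0]  # fake clock so the run is deterministic
    limiter = CombinedRateLimiter(user_limit=3, ip_limit=5, clock=lambda: now[0])
    ip = "203.0.113.7"  # constructed address from a documentation range
    results = [limiter.check(ip, "alice") for _ in range(4)]
    results += [limiter.check(ip, "bob") for _ in range(3)]
    results.append(limiter.check(ip))  # anonymous request, no user identity
    now[0] += 60  # move to the next window
    results.append(limiter.check(ip, "alice"))
    return results


if __name__ == "__main__":
    for line in demo():
        print(line)
```

Behind a reverse proxy, the `ip` argument has to come from the connection or from a header set by a trusted proxy, since a client-supplied header lets the caller pick its own bucket. The counters here live in one process; several API workers would need a shared store to enforce the same limits.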