Implementing Per-User and Per-IP Rate Limits in a REST API
📖 Scenario: You are building a simple REST API server that needs to control how many requests each user and each IP address can make. This helps keep the server safe and fair for everyone.
🎯 Goal: Build a basic Python REST API that tracks requests and limits them per user and per IP address.
📋 What You'll Learn
Create a dictionary called user_requests to track requests per user ID
Create a dictionary called ip_requests to track requests per IP address
Set a limit variable called MAX_REQUESTS to 3
Write a function can_make_request(user_id, ip_address) that returns True if both user and IP are under the limit, otherwise False
Print the result of calling can_make_request for a test user and IP
💡 Why This Matters
🌍 Real World
APIs often need to limit how many requests a user or IP can make to prevent overload or abuse.
💼 Career
Understanding rate limiting is important for backend developers and API designers to build reliable and secure services.
Step 1: Create dictionaries to track requests
Create two empty dictionaries called user_requests and ip_requests to keep track of how many requests each user and IP address has made.
Hint
Use curly braces {} to create empty dictionaries.
Step 2: Set the maximum allowed requests
Create a variable called MAX_REQUESTS and set it to 3. This will be the limit for requests per user and per IP.
Hint
Just assign the number 3 to the variable MAX_REQUESTS.
Step 3: Write the function to check request limits
Write a function called can_make_request(user_id, ip_address) that:
- Checks how many requests the user_id has made using user_requests (default 0 if not found)
- Checks how many requests the ip_address has made using ip_requests (default 0 if not found)
- Returns True only if both counts are less than MAX_REQUESTS, otherwise returns False
Hint
Use the get method on dictionaries to get counts with a default of 0.
Step 4: Test the function with sample data
Add some sample counts to user_requests and ip_requests for user_id = 'user123' and ip_address = '192.168.1.1'. Then print the result of calling can_make_request('user123', '192.168.1.1').
Hint
Set the counts below the limit and then print the function call result.
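The four steps above, assembled into one runnable module as an added example (not the tutorial's own solution code). It keeps the page's names user_requests, ip_requests, MAX_REQUESTS and can_make_request; the 60-second window, the handle_request and demo helpers, the optional now argument and the 429 status are assumptions added so that counters are actually incremented and expire.

```python
import time

MAX_REQUESTS = 3        # limit from the tutorial, applied per user and per IP
WINDOW_SECONDS = 60     # assumption: fixed-window length, not from the page
user_requests = {}      # user ID -> (window_start, count)
ip_requests = {}        # IP address -> (window_start, count)


def _count(table, key, now):
    """Requests seen in the current window; an expired window counts as 0."""
    start, count = table.get(key, (now, 0))
    return count if now - start < WINDOW_SECONDS else 0


def can_make_request(user_id, ip_address, now=None):
    """True only if both the user and the IP are under MAX_REQUESTS."""
    now = time.monotonic() if now is None else now
    return (_count(user_requests, user_id, now) < MAX_REQUESTS
            and _count(ip_requests, ip_address, now) < MAX_REQUESTS)


def _bump(table, key, now):
    start, count = table.get(key, (now, 0))
    if now - start >= WINDOW_SECONDS:   # window expired: start a new one
        start, count = now, 0
    table[key] = (start, count + 1)


def handle_request(user_id, ip_address, now=None):
    """Hypothetical handler: check, then record. Returns an HTTP status."""
    now = time.monotonic() if now is None else now
    if not can_make_request(user_id, ip_address, now):
        return 429                      # Too Many Requests
    _bump(user_requests, user_id, now)
    _bump(ip_requests, ip_address, now)
    return 200


def demo():
    """Constructed traffic; timestamps are seconds passed in explicitly."""
    user_requests.clear()
    ip_requests.clear()
    out = [handle_request("user123", "192.168.1.1", now=t) for t in (0, 1, 2, 3)]
    out.append(handle_request("user456", "192.168.1.1", now=4))   # same IP, new user
    out.append(handle_request("user123", "192.168.1.1", now=61))  # window expired
    return out


if __name__ == "__main__":
    print(demo())
```

With more than one worker process the two dictionaries would have to live in a shared store, and the check-then-record step would need to be atomic. Behind a reverse proxy, ip_address must be the client address as reported by a proxy you control, not a header the client can set.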
Practice
1. What is the main difference between per-user and per-IP rate limits in REST APIs?
easy
A. Per-user limits block IP addresses; per-IP limits block user accounts.
B. Per-user limits count requests from each IP; per-IP limits count requests from each user.
C. Per-user limits track requests by user identity; per-IP limits track requests by the requester's IP address.
D. Per-user limits apply only to logged-out users; per-IP limits apply only to logged-in users.
Solution
Step 1: Understand per-user limits
Per-user limits count how many requests each user (identified by login or token) makes.
Step 2: Understand per-IP limits
Per-IP limits count requests based on the IP address making the request, regardless of user identity.
Final Answer:
Per-user limits track requests by user identity; per-IP limits track requests by the requester's IP address. -> Option C
Quick Check:
Per-user = user identity, Per-IP = IP address [OK]
Hint: User limits track users; IP limits track locations [OK]
Common Mistakes:
Confusing user identity with IP address
Thinking per-IP limits block users
Assuming per-user limits apply only to logged-out users
2. Which of the following is the correct way to check a per-user rate limit in pseudocode?
easy
A. if requests_from_user > limit: block_request()
B. if requests_from_ip > limit: block_request()
C. if user_ip == limit: block_request()
D. if user == limit: block_request()
Solution
Step 1: Identify per-user check
Per-user limits check how many requests a user has made, so the condition should compare requests_from_user to the limit.
Step 2: Verify correct syntax
The correct syntax is to compare requests_from_user > limit and block if true.
Final Answer:
if requests_from_user > limit: block_request() -> Option A
Quick Check:
Check user requests count > limit [OK]
Hint: Per-user means check requests_from_user variable [OK]
Common Mistakes:
Using IP variable for per-user limit
Comparing user or IP directly to limit
Using equality instead of greater than
3. Given this pseudocode snippet for rate limiting:
requests_per_user["alice"] is 5, which is equal to user_limit (5), so the first if condition is true.
Step 2: Determine which print runs
Since the first condition is true, it prints "User limit reached" and skips the rest.
Final Answer:
User limit reached -> Option B
Quick Check:
5 >= 5 triggers user limit [OK]
Hint: Check user count first; equal means limit reached [OK]
Common Mistakes:
Thinking IP limit triggers first
Ignoring >= condition
Assuming else runs when equal
4. This code snippet is intended to enforce per-IP rate limits but has a bug:
requests_per_ip = {"1.2.3.4": 8}
ip_limit = 10
ip = "1.2.3.4"
if requests_per_ip[ip] > ip_limit:
    print("Limit exceeded")
else:
    print("Allowed")
What is the bug and how to fix it?
medium
A. Bug: Uses > instead of >=; fix by changing to >=.
B. Bug: ip variable is wrong type; fix by converting to string.
C. Bug: requests_per_ip key missing; fix by adding default value.
D. Bug: prints wrong message; fix by swapping print statements.
Solution
Step 1: Analyze condition logic
The code blocks requests only if requests_per_ip[ip] > ip_limit, so if requests equal ip_limit, it allows the request.
Step 2: Fix condition to include equal case
Change > to >= so requests equal to ip_limit also get blocked.
Final Answer:
Bug: Uses > instead of >=; fix by changing to >=. -> Option A
Quick Check:
Use >= to block at limit [OK]
Hint: Use >= to block requests at limit, not just above [OK]
Common Mistakes:
Ignoring equal case in condition
Assuming IP variable type is wrong
Thinking missing keys cause this bug
5. You want to implement a rate limiter that blocks requests if either the user or the IP address exceeds their limits. Which pseudocode correctly enforces this combined rule?
hard
A. if requests_per_user[user] > user_limit and requests_per_ip[ip] > ip_limit:
       block_request()
B. if requests_per_user[user] == user_limit and requests_per_ip[ip] == ip_limit:
       block_request()
C. if requests_per_user[user] < user_limit or requests_per_ip[ip] < ip_limit:
       block_request()
D. if requests_per_user[user] > user_limit or requests_per_ip[ip] > ip_limit:
       block_request()
Solution
Step 1: Understand combined blocking logic
The request should be blocked if either the user or the IP exceeds their limit, so the condition must use OR.
Step 2: Check condition correctness
The condition if requests_per_user[user] > user_limit or requests_per_ip[ip] > ip_limit: block_request() uses OR with > comparisons, correctly blocking if user or IP exceeds limits.
Final Answer:
if requests_per_user[user] > user_limit or requests_per_ip[ip] > ip_limit: block_request() -> Option D
Quick Check:
Block if user OR IP exceeds limit [OK]
Hint: Use OR to block if either user or IP exceeds limit [OK]