Bird
Raised Fist0
Rest APIprogramming~10 mins

Per-user vs per-IP limits in Rest API - Visual Side-by-Side Comparison

Choose your learning style10 modes available
LearnWhyDeepVisualTryChallengeProjectRecallTime

Start learning this pattern below

Jump into concepts and practice - no test required

or
Recommended
Test this pattern10 questions across easy, medium, and hard to know if this pattern is strong
Concept Flow - Per-user vs per-IP limits
Request Received
Identify User or IP
Check Limit Type
Per-User
Limit Exceeded?
NoAllow Request
Reject Request
When a request comes in, the system identifies if limits apply per user or per IP, checks the count, and either allows or rejects the request.
Execution Sample
Rest API
def check_limit(request):
    id = request.user_id or request.ip
    limit = 5 if request.user_id else 3
    count = get_request_count(id)
    if count >= limit:
        return 'Limit Exceeded'
    else:
        increment_count(id)
        return 'Allowed'
This code checks if a request exceeds the limit based on user ID or IP address and returns if it's allowed or rejected.
Execution Table
StepRequest ID (User/IP)Current CountCondition (count >= LIMIT)ActionResult
1User12344 >= 5? Falseincrement_count(User123)Allowed
2User12355 >= 5? Truereject requestLimit Exceeded
3192.168.1.122 >= 3? Falseincrement_count(192.168.1.1)Allowed
4192.168.1.133 >= 3? Truereject requestLimit Exceeded
5User45600 >= 5? Falseincrement_count(User456)Allowed
6User45611 >= 5? Falseincrement_count(User456)Allowed
7User45655 >= 5? Truereject requestLimit Exceeded
💡 Requests are rejected once the count reaches or exceeds the limit.
Variable Tracker
IDStartAfter 1After 2After 3After 4After 5After 6Final
User12345555555
192.168.1.123333333
User45601234555
Key Moments - 3 Insights
Why does the request get rejected when count equals the limit, not just when it exceeds?
Because the condition uses '>=' (greater or equal), so reaching the limit count triggers rejection as shown in rows 2, 4, and 7 of the execution_table.
How does the system decide whether to use user ID or IP for counting?
It first tries to identify the user ID; if not available, it falls back to the IP address, as shown in the code sample where 'id = request.user_id or request.ip'.
Can different users from the same IP share the same limit?
If limits are per-IP, yes; all requests from that IP share the count. If per-user, each user has their own count. This distinction is shown in the concept_flow branching.
Visual Quiz - 3 Questions
Test your understanding
Look at the execution_table, what is the count for User123 at step 2?
A4
B5
C6
D3
💡 Hint
Check the 'Current Count' column at step 2 in the execution_table.
At which step does the IP 192.168.1.1 reach its limit?
AStep 5
BStep 3
CStep 4
DStep 2
💡 Hint
Look for when 'Condition (count >= LIMIT)' becomes True for 192.168.1.1 in the execution_table.
If the limit for users was increased to 6, what would happen at step 7 for User456?
ARequest would be allowed
BRequest would be rejected
CCount would reset
DNo change
💡 Hint
Refer to the condition check in the execution_table and consider how changing LIMIT affects it.
Concept Snapshot
Per-user vs per-IP limits control how many requests are allowed.
Identify user ID first; if missing, use IP address.
Check request count against a limit.
If count >= limit, reject request.
Otherwise, increment count and allow.
This prevents abuse by users or IPs.
Full Transcript
When a request arrives, the system first identifies if it can track the user by user ID. If no user ID is found, it uses the IP address instead. Then it checks how many requests have been made by that user or IP. If the count is equal to or greater than the allowed limit, the request is rejected. Otherwise, the count is increased by one and the request is allowed. This approach helps control traffic and prevent abuse either per individual user or per IP address. The execution table shows examples of counts increasing and when requests get rejected once limits are reached.

Practice

(1/5)
1. What is the main difference between per-user and per-IP rate limits in REST APIs?
easy
A. Per-user limits block IP addresses; per-IP limits block user accounts.
B. Per-user limits count requests from each IP; per-IP limits count requests from each user.
C. Per-user limits track requests by user identity; per-IP limits track requests by the requester's IP address.
D. Per-user limits apply only to logged-out users; per-IP limits apply only to logged-in users.

Solution

  1. Step 1: Understand per-user limits

    Per-user limits count how many requests each user (identified by login or token) makes.

  2. Step 2: Understand per-IP limits

    Per-IP limits count requests based on the IP address making the request, regardless of user identity.

  3. Final Answer:

    Per-user limits track requests by user identity; per-IP limits track requests by the requester's IP address. -> Option C

  4. Quick Check:

    Per-user = user identity, Per-IP = IP address [OK]
Hint: User limits track users; IP limits track locations [OK]
Common Mistakes:
  • Confusing user identity with IP address
  • Thinking per-IP limits block users
  • Assuming per-user limits apply only to logged-out users
2. Which of the following is the correct way to check a per-user rate limit in pseudocode?
easy
A. if requests_from_user > limit: block_request()
B. if requests_from_ip > limit: block_request()
C. if user_ip == limit: block_request()
D. if user == limit: block_request()

Solution

  1. Step 1: Identify per-user check

    Per-user limits check how many requests a user has made, so the condition should compare requests_from_user to the limit.

  2. Step 2: Verify correct syntax

    The correct syntax is to compare requests_from_user > limit and block if true.

  3. Final Answer:

    if requests_from_user > limit: block_request() -> Option A

  4. Quick Check:

    Check user requests count > limit [OK]
Hint: Per-user means check requests_from_user variable [OK]
Common Mistakes:
  • Using IP variable for per-user limit
  • Comparing user or IP directly to limit
  • Using equality instead of greater than
3. Given this pseudocode snippet for rate limiting:
requests_per_user = {"alice": 5, "bob": 3}
requests_per_ip = {"192.168.1.1": 10, "10.0.0.2": 2}
user = "alice"
ip = "192.168.1.1"
user_limit = 5
ip_limit = 10

if requests_per_user[user] >= user_limit:
    print("User limit reached")
elif requests_per_ip[ip] >= ip_limit:
    print("IP limit reached")
else:
    print("Request allowed")

What will be printed?
medium
A. Request allowed
B. User limit reached
C. IP limit reached
D. Error: Key not found

Solution

  1. Step 1: Check user request count

    requests_per_user["alice"] is 5, which is equal to user_limit (5), so the first if condition is true.

  2. Step 2: Determine which print runs

    Since the first condition is true, it prints "User limit reached" and skips the rest.

  3. Final Answer:

    User limit reached -> Option B

  4. Quick Check:

    5 >= 5 triggers user limit [OK]
Hint: Check user count first; equal means limit reached [OK]
Common Mistakes:
  • Thinking IP limit triggers first
  • Ignoring >= condition
  • Assuming else runs when equal
4. This code snippet is intended to enforce per-IP rate limits but has a bug:
requests_per_ip = {"1.2.3.4": 8}
ip_limit = 10
ip = "1.2.3.4"

if requests_per_ip[ip] > ip_limit:
    print("Limit exceeded")
else:
    print("Allowed")

What is the bug and how to fix it?
medium
A. Bug: Uses > instead of >=; fix by changing to >=.
B. Bug: ip variable is wrong type; fix by converting to string.
C. Bug: requests_per_ip key missing; fix by adding default value.
D. Bug: prints wrong message; fix by swapping print statements.

Solution

  1. Step 1: Analyze condition logic

    The code blocks requests only if requests_per_ip[ip] > ip_limit, so if requests equal ip_limit, it allows the request.

  2. Step 2: Fix condition to include equal case

    Change > to >= so requests equal to ip_limit also get blocked.

  3. Final Answer:

    Bug: Uses > instead of >=; fix by changing to >=. -> Option A

  4. Quick Check:

    Use >= to block at limit [OK]
Hint: Use >= to block requests at limit, not just above [OK]
Common Mistakes:
  • Ignoring equal case in condition
  • Assuming IP variable type is wrong
  • Thinking missing keys cause this bug
5. You want to implement a rate limiter that blocks requests if either the user or the IP address exceeds their limits. Which pseudocode correctly enforces this combined rule?
hard
A. if requests_per_user[user] > user_limit and requests_per_ip[ip] > ip_limit: block_request()
B. if requests_per_user[user] == user_limit and requests_per_ip[ip] == ip_limit: block_request()
C. if requests_per_user[user] < user_limit or requests_per_ip[ip] < ip_limit: block_request()
D. if requests_per_user[user] > user_limit or requests_per_ip[ip] > ip_limit: block_request()

Solution

  1. Step 1: Understand combined blocking logic

    The request should be blocked if either the user or the IP exceeds their limit, so the condition must use OR.

  2. Step 2: Check condition correctness

    if requests_per_user[user] > user_limit or requests_per_ip[ip] > ip_limit: block_request() uses OR with > comparisons, correctly blocking if user or IP exceeds limits.

  3. Final Answer:

    if requests_per_user[user] > user_limit or requests_per_ip[ip] > ip_limit: block_request() -> Option D

  4. Quick Check:

    Block if user OR IP exceeds limit [OK]
Hint: Use OR to block if either user or IP exceeds limit [OK]
Common Mistakes:
  • Using AND instead of OR
  • Using < instead of >
  • Checking equality only