Bird
Raised Fist0
Rest APIprogramming~3 mins

Per-user vs per-IP limits in Rest API - When to Use Which

Choose your learning style10 modes available
LearnWhyDeepVisualTryChallengeProjectRecallTime

Start learning this pattern below

Jump into concepts and practice - no test required

or
Recommended
Test this pattern10 questions across easy, medium, and hard to know if this pattern is strong
The Big Idea

What if your website unfairly blocks real users just because they share an internet connection?

The Scenario

Imagine you run a popular website where many people log in and use your services. You want to stop anyone from sending too many requests and slowing down your system. So, you try to limit how many requests come from each IP address manually.

The Problem

But this manual way is tricky because many users can share the same IP (like in offices or cafes), and some users might use different IPs. This causes unfair blocking or lets some users overload your system. It's slow and full of mistakes.

The Solution

Using per-user and per-IP limits together helps you control traffic smartly. You can limit each user's requests no matter where they connect from, and also limit requests from suspicious IPs. This keeps your system fair and safe without blocking good users.

Before vs After
Before
if requests_from_ip > 100:
    block_ip()
After
if requests_from_user > 50:
    block_user()
if requests_from_ip > 100:
    block_ip()
What It Enables

This approach lets you protect your service from overload while treating users fairly, improving reliability and user experience.

Real Life Example

A streaming service limits each logged-in user to 3 devices (per-user limit) and also blocks IPs that send thousands of requests in minutes (per-IP limit) to stop hackers and keep streams smooth.

Key Takeaways

Manual IP-only limits can block many good users sharing one IP.

Per-user limits track individual users regardless of IP changes.

Combining both limits protects systems fairly and effectively.

Practice

(1/5)
1. What is the main difference between per-user and per-IP rate limits in REST APIs?
easy
A. Per-user limits block IP addresses; per-IP limits block user accounts.
B. Per-user limits count requests from each IP; per-IP limits count requests from each user.
C. Per-user limits track requests by user identity; per-IP limits track requests by the requester's IP address.
D. Per-user limits apply only to logged-out users; per-IP limits apply only to logged-in users.

Solution

  1. Step 1: Understand per-user limits

    Per-user limits count how many requests each user (identified by login or token) makes.

  2. Step 2: Understand per-IP limits

    Per-IP limits count requests based on the IP address making the request, regardless of user identity.

  3. Final Answer:

    Per-user limits track requests by user identity; per-IP limits track requests by the requester's IP address. -> Option C

  4. Quick Check:

    Per-user = user identity, Per-IP = IP address [OK]
Hint: User limits track users; IP limits track locations [OK]
Common Mistakes:
  • Confusing user identity with IP address
  • Thinking per-IP limits block users
  • Assuming per-user limits apply only to logged-out users
2. Which of the following is the correct way to check a per-user rate limit in pseudocode?
easy
A. if requests_from_user > limit: block_request()
B. if requests_from_ip > limit: block_request()
C. if user_ip == limit: block_request()
D. if user == limit: block_request()

Solution

  1. Step 1: Identify per-user check

    Per-user limits check how many requests a user has made, so the condition should compare requests_from_user to the limit.

  2. Step 2: Verify correct syntax

    The correct syntax is to compare requests_from_user > limit and block if true.

  3. Final Answer:

    if requests_from_user > limit: block_request() -> Option A

  4. Quick Check:

    Check user requests count > limit [OK]
Hint: Per-user means check requests_from_user variable [OK]
Common Mistakes:
  • Using IP variable for per-user limit
  • Comparing user or IP directly to limit
  • Using equality instead of greater than
3. Given this pseudocode snippet for rate limiting:
requests_per_user = {"alice": 5, "bob": 3}
requests_per_ip = {"192.168.1.1": 10, "10.0.0.2": 2}
user = "alice"
ip = "192.168.1.1"
user_limit = 5
ip_limit = 10

if requests_per_user[user] >= user_limit:
    print("User limit reached")
elif requests_per_ip[ip] >= ip_limit:
    print("IP limit reached")
else:
    print("Request allowed")

What will be printed?
medium
A. Request allowed
B. User limit reached
C. IP limit reached
D. Error: Key not found

Solution

  1. Step 1: Check user request count

    requests_per_user["alice"] is 5, which is equal to user_limit (5), so the first if condition is true.

  2. Step 2: Determine which print runs

    Since the first condition is true, it prints "User limit reached" and skips the rest.

  3. Final Answer:

    User limit reached -> Option B

  4. Quick Check:

    5 >= 5 triggers user limit [OK]
Hint: Check user count first; equal means limit reached [OK]
Common Mistakes:
  • Thinking IP limit triggers first
  • Ignoring >= condition
  • Assuming else runs when equal
4. This code snippet is intended to enforce per-IP rate limits but has a bug:
requests_per_ip = {"1.2.3.4": 8}
ip_limit = 10
ip = "1.2.3.4"

if requests_per_ip[ip] > ip_limit:
    print("Limit exceeded")
else:
    print("Allowed")

What is the bug and how to fix it?
medium
A. Bug: Uses > instead of >=; fix by changing to >=.
B. Bug: ip variable is wrong type; fix by converting to string.
C. Bug: requests_per_ip key missing; fix by adding default value.
D. Bug: prints wrong message; fix by swapping print statements.

Solution

  1. Step 1: Analyze condition logic

    The code blocks requests only if requests_per_ip[ip] > ip_limit, so if requests equal ip_limit, it allows the request.

  2. Step 2: Fix condition to include equal case

    Change > to >= so requests equal to ip_limit also get blocked.

  3. Final Answer:

    Bug: Uses > instead of >=; fix by changing to >=. -> Option A

  4. Quick Check:

    Use >= to block at limit [OK]
Hint: Use >= to block requests at limit, not just above [OK]
Common Mistakes:
  • Ignoring equal case in condition
  • Assuming IP variable type is wrong
  • Thinking missing keys cause this bug
5. You want to implement a rate limiter that blocks requests if either the user or the IP address exceeds their limits. Which pseudocode correctly enforces this combined rule?
hard
A. if requests_per_user[user] > user_limit and requests_per_ip[ip] > ip_limit: block_request()
B. if requests_per_user[user] == user_limit and requests_per_ip[ip] == ip_limit: block_request()
C. if requests_per_user[user] < user_limit or requests_per_ip[ip] < ip_limit: block_request()
D. if requests_per_user[user] > user_limit or requests_per_ip[ip] > ip_limit: block_request()

Solution

  1. Step 1: Understand combined blocking logic

    The request should be blocked if either the user or the IP exceeds their limit, so the condition must use OR.

  2. Step 2: Check condition correctness

    if requests_per_user[user] > user_limit or requests_per_ip[ip] > ip_limit: block_request() uses OR with > comparisons, correctly blocking if user or IP exceeds limits.

  3. Final Answer:

    if requests_per_user[user] > user_limit or requests_per_ip[ip] > ip_limit: block_request() -> Option D

  4. Quick Check:

    Block if user OR IP exceeds limit [OK]
Hint: Use OR to block if either user or IP exceeds limit [OK]
Common Mistakes:
  • Using AND instead of OR
  • Using < instead of >
  • Checking equality only