Implement API Rate Limiting in Flask with Flask-Limiter
Protect your Flask API endpoints from abuse, brute-force attacks, and excessive resource consumption by implementing effective request rate limiting.
```python
from flask import Flask, jsonify, request
from flask_limiter import Limiter
from flask_limiter.util import get_remote_address

app = Flask(__name__)

# Initialize Limiter with a key function and default rate limits.
# Since Flask-Limiter 3.x the key function is the first positional argument
# and the app is passed by keyword (or later via limiter.init_app(app)).
# get_remote_address identifies the client by its IP address.
# storage_uri selects the counter backend: "memory://" is per-process and
# fine for development; use a shared store such as Redis behind several workers.
limiter = Limiter(
    get_remote_address,
    app=app,
    default_limits=["200 per day", "50 per hour"],
    storage_uri="memory://",
)


@app.route("/api/public")
@limiter.limit("10 per minute")  # Specific limit for this endpoint, overrides default
def public_api():
    return jsonify({"message": "This is a public API, limited to 10 requests per minute."})


@app.route("/api/login", methods=["POST"])
@limiter.limit("5 per 15 minutes", exempt_when=lambda: request.method == "OPTIONS")  # Stricter for login
def login_api():
    # Simulate a login process; get_json(silent=True) avoids a 415 on non-JSON bodies
    data = request.get_json(silent=True) or {}
    username = data.get("username")
    password = data.get("password")
    if username == "user" and password == "password":  # Placeholder credential check
        return jsonify({"message": "Login successful!"}), 200
    else:
        return jsonify({"message": "Invalid credentials."}), 401


@app.route("/api/dashboard")
@limiter.limit("60 per hour")  # Another specific limit
def dashboard_api():
    # This endpoint could be for authenticated users
    return jsonify({"message": "Welcome to your dashboard! Limited to 60 requests per hour."})


@app.route("/api/unlimited")
@limiter.exempt  # No rate limit for this endpoint
def unlimited_api():
    return jsonify({"message": "This endpoint has no rate limit."})


if __name__ == "__main__":
    app.run(debug=True)
```
How it works: API rate limiting is a crucial security measure to prevent abuse, brute-force attacks, and denial-of-service (DoS) attempts against your web services. This Flask snippet uses `Flask-Limiter` to easily implement rate limiting. It defines a default global limit and allows setting specific, stricter limits for individual endpoints (e.g., login pages). The `key_func` identifies clients (often by IP address), tracking their request counts. When a client exceeds their allocated requests within a timeframe, `Flask-Limiter` automatically returns an HTTP 429 Too Many Requests response, protecting your server resources and maintaining service availability for legitimate users.
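To make the mechanism above concrete without a running Flask process, here is an added, standard-library-only model of what the limiter does on each request: parse a limit string such as `"5 per 15 minutes"` into a count and a window, identify the client with a key function, and count hits per key in the current fixed window, answering 200 while under the limit and 429 with a `Retry-After` header once it is exceeded. This is example code written for this page, not Flask-Limiter's implementation (which delegates to the `limits` library); the `client_key` function, the dict-shaped request objects and the sample addresses and API keys are constructed for the demonstration. It also goes one step beyond the snippet by keying on an `X-API-Key` header when present and falling back to the IP address only otherwise, so that users sharing one NAT address do not consume each other's quota.

```python
"""Model of the per-request check Flask-Limiter performs (added example, not the
library's code): limit string -> (count, window), key function -> client identity,
per-key counter in the current fixed window -> allow (200) or reject (429)."""
import re
import time
from collections import defaultdict

_UNITS = {"second": 1, "minute": 60, "hour": 3600, "day": 86400}
_LIMIT_RE = re.compile(r"^\s*(\d+)\s+per\s+(?:(\d+)\s+)?(second|minute|hour|day)s?\s*$")


def parse_limit(spec):
    """'10 per minute' -> (10, 60); '5 per 15 minutes' -> (5, 900)."""
    m = _LIMIT_RE.match(spec)
    if not m:
        raise ValueError(f"unrecognised limit string: {spec!r}")
    count, multiplier, unit = m.groups()
    return int(count), int(multiplier or 1) * _UNITS[unit]


def client_key(request):
    """Key function (hypothetical, stands in for get_remote_address): prefer the
    caller's API key over the source IP so clients behind one shared NAT address
    are counted separately. `request` is a plain dict standing in for flask.request."""
    api_key = request.get("headers", {}).get("X-API-Key")
    return f"key:{api_key}" if api_key else f"ip:{request['remote_addr']}"


class FixedWindowLimiter:
    def __init__(self, spec, key_func=client_key, clock=time.time):
        self.count, self.window = parse_limit(spec)
        self.key_func = key_func
        self.clock = clock                 # injectable so tests can control time
        self.hits = defaultdict(int)       # (client key, window index) -> hits seen

    def check(self, request):
        """Return (status, headers): 200 with X-RateLimit-Remaining while under the
        limit, otherwise 429 with Retry-After pointing at the next window start."""
        now = self.clock()
        window_index = int(now // self.window)
        bucket = (self.key_func(request), window_index)
        if self.hits[bucket] >= self.count:
            retry_after = int((window_index + 1) * self.window - now)
            return 429, {
                "Retry-After": str(max(retry_after, 1)),
                "X-RateLimit-Limit": str(self.count),
                "X-RateLimit-Remaining": "0",
            }
        self.hits[bucket] += 1
        return 200, {
            "X-RateLimit-Limit": str(self.count),
            "X-RateLimit-Remaining": str(self.count - self.hits[bucket]),
        }


def simulate_login_burst(attempts, spec="5 per 15 minutes"):
    """Replay a constructed burst of login attempts from one address inside a
    single window and return the status codes: five 200s, then 429s."""
    limiter = FixedWindowLimiter(spec, clock=lambda: 1_000_000.0)  # frozen clock
    req = {"remote_addr": "203.0.113.7", "headers": {}}           # constructed sample
    return [limiter.check(req)[0] for _ in range(attempts)]


if __name__ == "__main__":
    print(simulate_login_burst(7))   # [200, 200, 200, 200, 200, 429, 429]
```

The `Retry-After` value is what a well-behaved client (and your own monitoring) should key off; a burst of 429s for one key in a login window is also a cheap detection signal for credential stuffing, which is why the login route in the snippet gets the tightest limit.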