fix: disable rate limit by default (#1999)

* fix: disable rate limit by default

* fix tests

* lint

docs/security.rst

@@ -392,9 +392,10 @@ to get an idea of a simple use for this.
 Authentication: Rate limiting
 -----------------------------
 
-To prevent brute-forcing of credentials, FlaskApplicationBuilder applies rate limits to AuthViews in 4.2.0, so that
-only 2 POST requests can be made every 5 seconds. This can be disabled by setting ``AUTH_RATE_LIMITED`` to
-``False`` or can be changed by adjusting ``AUTH_RATE_LIMIT`` to, for example, ``1 per 10 seconds``. Take a look
+To prevent brute-forcing of credentials, you can apply rate limits to AuthViews in 4.2.0, so that
+only 10 POST requests can be made every 20 seconds. This can be enabled by setting
+``AUTH_RATE_LIMITED`` and ``RATELIMIT_ENABLED`` to ``True``.
+The rate can be changed by adjusting ``AUTH_RATE_LIMIT`` to, for example, ``1 per 10 seconds``. Take a look
 at the `documentation <https://flask-limiter.readthedocs.io/en/stable/>`_ of Flask-Limiter for more options and
 examples.
 

flask_appbuilder/base.py

@@ -162,6 +162,7 @@ def init_app(self, app: Flask, session: SessionBase) -> None:
         app.config.setdefault("APP_ICON", "")
         app.config.setdefault("LANGUAGES", {"en": {"flag": "gb", "name": "English"}})
         app.config.setdefault("ADDON_MANAGERS", [])
+        app.config.setdefault("RATELIMIT_ENABLED", False)
         app.config.setdefault("FAB_API_MAX_PAGE_SIZE", 100)
         app.config.setdefault("FAB_BASE_TEMPLATE", self.base_template)
         app.config.setdefault("FAB_STATIC_FOLDER", self.static_folder)

flask_appbuilder/security/manager.py

@@ -258,7 +258,7 @@ def __init__(self, appbuilder):
             app.config.setdefault("AUTH_LDAP_EMAIL_FIELD", "mail")
 
         # Rate limiting
-        app.config.setdefault("AUTH_RATE_LIMITED", True)
+        app.config.setdefault("AUTH_RATE_LIMITED", False)
         app.config.setdefault("AUTH_RATE_LIMIT", "10 per 20 second")
 
         if self.auth_type == AUTH_OID:

flask_appbuilder/tests/config_api.py

@@ -18,5 +18,3 @@
         [".*", "can_show"],
     ]
 }
-
-RATELIMIT_ENABLED = False

flask_appbuilder/tests/config_oauth.py

@@ -34,5 +34,3 @@
 
 # The default user self registration role for all users
 AUTH_USER_REGISTRATION_ROLE = "Admin"
-
-RATELIMIT_ENABLED = False

flask_appbuilder/tests/config_security.py

@@ -15,4 +15,3 @@
     "FAB_ROLE1": [["Model1View", "can_list"], ["Model2View", "can_list"]],
     "FAB_ROLE2": [["Model3View", "can_list"], ["Model4View", "can_list"]],
 }
-RATELIMIT_ENABLED = False

flask_appbuilder/tests/config_security_api.py

@@ -20,4 +20,3 @@
         [".*", "can_show"],
     ]
 }
-RATELIMIT_ENABLED = False

flask_appbuilder/tests/security/test_rate_limiter.py

@@ -17,6 +17,7 @@ def setUp(self):
         self.app.jinja_env.undefined = jinja2.StrictUndefined
         self.app.config.from_object("flask_appbuilder.tests.config_api")
         self.app.config["RATELIMIT_ENABLED"] = True
+        self.app.config["AUTH_RATE_LIMITED"] = True
         self.app.config["AUTH_RATE_LIMIT"] = "2 per 5 second"
         logging.basicConfig(level=logging.ERROR)