[Feature] API Rate Limiting

[bagasme]

Description

As #8353 will add TOS, we'd like to apply rate limiting on Gitea API.

Per GH:

• 60 requests per hour for unauthenticated requests:
• 5000 requests per hour for all authenticated requests, regardless made either via basic authentication or OAuth.
• 403 error returned if exceeding the limit.
• If OAuth application makes unauthenticated call to API by passing its client ID and secret as part of query string, the limit bumped to 5000 requests per hour (treated as authenticated requests).

[6543]

link conversation: https://mastodon.technology/@codeberg/103480576712180186

[Codeberg-org]

Reputation-based limits as suggested in #9847 and https://codeberg.org/hugot/gitea-api-protector might also be worth considering.

(reputation based on number of accepted PRs, issues not flagged as spam/deleted by project owner, number of high-quality public repos [no mirror, not single README], number of stars and repo watchers, etc)

[guillep2k]

If we're going to use a reputation based system, I'd suggest adding a column to the user table and using a daily task for calculation, so to avoid adding complexity to the issue/comment workflow.

[stale]

This issue has been automatically marked as stale because it has not had recent activity. I am here to help clear issues left open even if solved or waiting for more insight. This issue will be closed if no further activity occurs during the next 2 weeks. If the issue is still valid just add a comment to keep it alive. Thank you for your contributions.

[stale]

This issue has been automatically closed because of inactivity. You can re-open it if needed.

[lunny]

golang.org/x/time/rate maybe helpful.

+1, i just found out that it's too easy to flood resource-intensive endpoints of gitea, which will try to respond to all requests even long after they time out, and overload the server.