Merge branch '337829-deprecated-api-endpoint-rate-limiting' into 'master'

Rate limiting for GET /api/:version/groups/:id when the projects member is requested

See merge request gitlab-org/gitlab!70310

app/helpers/application_settings_helper.rb

@@ -333,6 +333,9 @@ module ApplicationSettingsHelper
       :throttle_authenticated_files_api_enabled,
       :throttle_authenticated_files_api_period_in_seconds,
       :throttle_authenticated_files_api_requests_per_period,
+      :throttle_authenticated_deprecated_api_enabled,
+      :throttle_authenticated_deprecated_api_period_in_seconds,
+      :throttle_authenticated_deprecated_api_requests_per_period,
       :throttle_unauthenticated_api_enabled,
       :throttle_unauthenticated_api_period_in_seconds,
       :throttle_unauthenticated_api_requests_per_period,
@@ -345,6 +348,9 @@ module ApplicationSettingsHelper
       :throttle_unauthenticated_files_api_enabled,
       :throttle_unauthenticated_files_api_period_in_seconds,
       :throttle_unauthenticated_files_api_requests_per_period,
+      :throttle_unauthenticated_deprecated_api_enabled,
+      :throttle_unauthenticated_deprecated_api_period_in_seconds,
+      :throttle_unauthenticated_deprecated_api_requests_per_period,
       :throttle_protected_paths_enabled,
       :throttle_protected_paths_period_in_seconds,
       :throttle_protected_paths_requests_per_period,

app/models/application_setting.rb

@@ -479,6 +479,8 @@ class ApplicationSetting < ApplicationRecord
     validates :throttle_unauthenticated_packages_api_period_in_seconds
     validates :throttle_unauthenticated_files_api_requests_per_period
     validates :throttle_unauthenticated_files_api_period_in_seconds
+    validates :throttle_unauthenticated_deprecated_api_requests_per_period
+    validates :throttle_unauthenticated_deprecated_api_period_in_seconds
     validates :throttle_authenticated_api_requests_per_period
     validates :throttle_authenticated_api_period_in_seconds
     validates :throttle_authenticated_git_lfs_requests_per_period
@@ -489,6 +491,8 @@ class ApplicationSetting < ApplicationRecord
     validates :throttle_authenticated_packages_api_period_in_seconds
     validates :throttle_authenticated_files_api_requests_per_period
     validates :throttle_authenticated_files_api_period_in_seconds
+    validates :throttle_authenticated_deprecated_api_requests_per_period
+    validates :throttle_authenticated_deprecated_api_period_in_seconds
     validates :throttle_protected_paths_requests_per_period
     validates :throttle_protected_paths_period_in_seconds
   end

app/models/application_setting_implementation.rb

@@ -176,6 +176,9 @@ module ApplicationSettingImplementation
         throttle_authenticated_files_api_enabled: false,
         throttle_authenticated_files_api_period_in_seconds: 15,
         throttle_authenticated_files_api_requests_per_period: 500,
+        throttle_authenticated_deprecated_api_enabled: false,
+        throttle_authenticated_deprecated_api_period_in_seconds: 3600,
+        throttle_authenticated_deprecated_api_requests_per_period: 3600,
         throttle_incident_management_notification_enabled: false,
         throttle_incident_management_notification_per_period: 3600,
         throttle_incident_management_notification_period_in_seconds: 3600,
@@ -194,6 +197,9 @@ module ApplicationSettingImplementation
         throttle_unauthenticated_files_api_enabled: false,
         throttle_unauthenticated_files_api_period_in_seconds: 15,
         throttle_unauthenticated_files_api_requests_per_period: 125,
+        throttle_unauthenticated_deprecated_api_enabled: false,
+        throttle_unauthenticated_deprecated_api_period_in_seconds: 3600,
+        throttle_unauthenticated_deprecated_api_requests_per_period: 1800,
         time_tracking_limit_to_hours: false,
         two_factor_grace_period: 48,
         unique_ips_limit_enabled: false,

app/views/admin/application_settings/network.html.haml

@@ -49,6 +49,18 @@
     .settings-content
       = render partial: 'network_rate_limits', locals: { anchor: 'js-files-limits-settings', setting_fragment: 'files_api' }
 
+%section.settings.as-deprecated-limits.no-animate#js-deprecated-limits-settings{ class: ('expanded' if expanded_by_default?) }
+  .settings-header
+    %h4
+      = _('Deprecated API rate limits')
+    %button.btn.gl-button.btn-default.js-settings-toggle{ type: 'button' }
+      = expanded_by_default? ? _('Collapse') : _('Expand')
+    %p
+      = _('Configure specific limits for deprecated API requests that supersede the general user and IP rate limits.')
+      = link_to _('Which API requests are affected?'), help_page_path('user/admin_area/settings/deprecated_api_rate_limits.md'), target: '_blank', rel: 'noopener noreferrer'
+  .settings-content
+    = render partial: 'network_rate_limits', locals: { anchor: 'js-deprecated-limits-settings', setting_fragment: 'deprecated_api' }
+
 %section.settings.as-git-lfs-limits.no-animate#js-git-lfs-limits-settings{ class: ('expanded' if expanded_by_default?), data: { qa_selector: 'git_lfs_limits_content' } }
   .settings-header
     %h4

db/migrate/20210914145810_add_throttle_deprecated_api_columns.rb

+# frozen_string_literal: true
+
+class AddThrottleDeprecatedApiColumns < Gitlab::Database::Migration[1.0]
+  def change
+    add_column :application_settings, :throttle_unauthenticated_deprecated_api_requests_per_period, :integer, default: 3600, null: false
+    add_column :application_settings, :throttle_unauthenticated_deprecated_api_period_in_seconds, :integer, default: 3600, null: false
+    add_column :application_settings, :throttle_unauthenticated_deprecated_api_enabled, :boolean, default: false, null: false
+
+    add_column :application_settings, :throttle_authenticated_deprecated_api_requests_per_period, :integer, default: 3600, null: false
+    add_column :application_settings, :throttle_authenticated_deprecated_api_period_in_seconds, :integer, default: 1800, null: false
+    add_column :application_settings, :throttle_authenticated_deprecated_api_enabled, :boolean, default: false, null: false
+  end
+end

db/schema_migrations/20210914145810

+a30acb6d2a3772be29dfefc7d8cda2f2df94002556fa5de85483b7fca245be86
\ No newline at end of file

db/structure.sql

@@ -10338,6 +10338,12 @@ CREATE TABLE application_settings (
     sidekiq_job_limiter_compression_threshold_bytes integer DEFAULT 100000 NOT NULL,
     sidekiq_job_limiter_limit_bytes integer DEFAULT 0 NOT NULL,
     suggest_pipeline_enabled boolean DEFAULT true NOT NULL,
+    throttle_unauthenticated_deprecated_api_requests_per_period integer DEFAULT 1800 NOT NULL,
+    throttle_unauthenticated_deprecated_api_period_in_seconds integer DEFAULT 3600 NOT NULL,
+    throttle_unauthenticated_deprecated_api_enabled boolean DEFAULT false NOT NULL,
+    throttle_authenticated_deprecated_api_requests_per_period integer DEFAULT 3600 NOT NULL,
+    throttle_authenticated_deprecated_api_period_in_seconds integer DEFAULT 3600 NOT NULL,
+    throttle_authenticated_deprecated_api_enabled boolean DEFAULT false NOT NULL,
     CONSTRAINT app_settings_container_reg_cleanup_tags_max_list_size_positive CHECK ((container_registry_cleanup_tags_service_max_list_size >= 0)),
     CONSTRAINT app_settings_ext_pipeline_validation_service_url_text_limit CHECK ((char_length(external_pipeline_validation_service_url) <= 255)),
     CONSTRAINT app_settings_registry_exp_policies_worker_capacity_positive CHECK ((container_registry_expiration_policies_worker_capacity >= 0)),

doc/administration/instance_limits.md

@@ -102,6 +102,15 @@ This setting limits the request rate on the Packages API per user or IP address.
 
 - **Default rate limit**: Disabled by default.
 
+### Deprecated API endpoints
+
+> [Introduced](https://gitlab.com/gitlab-org/gitlab/-/merge_requests/68645) in GitLab 14.4.
+
+This setting limits the request rate on deprecated API endpoints per user or IP address. For more information, read
+[Deprecated API rate limits](../user/admin_area/settings/deprecated_api_rate_limits.md).
+
+- **Default rate limit**: Disabled by default.
+
 ### Import/Export
 
 > [Introduced](https://gitlab.com/gitlab-org/gitlab/-/merge_requests/35728) in GitLab 13.2.

doc/security/rate_limits.md

@@ -36,6 +36,7 @@ These are rate limits you can set in the Admin Area of your instance:
 - [Package registry rate limits](../user/admin_area/settings/package_registry_rate_limits.md)
 - [Git LFS rate limits](../user/admin_area/settings/git_lfs_rate_limits.md)
 - [Files API rate limits](../user/admin_area/settings/files_api_rate_limits.md)
+- [Deprecated API rate limits](../user/admin_area/settings/deprecated_api_rate_limits.md)
 
 ## Non-configurable limits
 

doc/user/admin_area/settings/deprecated_api_rate_limits.md

+---
+stage: Create
+group: Source Code
+info: To determine the technical writer assigned to the Stage/Group associated with this page, see https://about.gitlab.com/handbook/engineering/ux/technical-writing/#assignments
+type: reference
+---
+
+# Deprecated API rate limits **(FREE SELF)**
+
+> [Introduced](https://gitlab.com/gitlab-org/gitlab/-/merge_requests/68645) in GitLab 14.4.
+
+Deprecated API endpoints are those which have been replaced with alternative
+functionality, but cannot be removed without breaking backward compatibility.
+Setting a restrictive rate limit on these endpoints can encourage users to
+switch to the alternatives.
+
+## Deprecated API endpoints
+
+Not all deprecated API endpoints are included in this rate limit - just those
+that might have a performance impact:
+
+- [`GET /groups/:id`](../../../api/groups.md#details-of-a-group) **without** the `with_projects=0` query parameter.
+
+## Define Deprecated API rate limits
+
+Rate limits for deprecated API endpoints are disabled by default. When enabled, they supersede
+the general user and IP rate limits for requests to deprecated endpoints. You can keep any general user
+and IP rate limits already in place, and increase or decrease the rate limits
+for deprecated API endpoints. No other new features are provided by this override.
+
+Prerequisites:
+
+- You must have the Administrator role for your instance.
+
+To override the general user and IP rate limits for requests to deprecated API endpoints:
+
+1. On the top bar, select **Menu > Admin**.
+1. On the left sidebar, select **Settings > Network**.
+1. Expand **Deprecated API Rate Limits**.
+1. Select the check boxes for the types of rate limits you want to enable:
+   - **Unauthenticated API request rate limit**
+   - **Authenticated API request rate limit**
+1. _If you enabled unauthenticated API request rate limits:_
+   1. Select the **Maximum unauthenticated API requests per period per IP**.
+   1. Select the **Unauthenticated API rate limit period in seconds**.
+1. _If you enabled authenticated API request rate limits:_
+   1. Select the **Maximum authenticated API requests per period per user**.
+   1. Select the **Authenticated API rate limit period in seconds**.
+
+## Resources
+
+- [Rate limits](../../../security/rate_limits.md)
+- [User and IP rate limits](user_and_ip_rate_limits.md)

doc/user/admin_area/settings/index.md

@@ -99,6 +99,7 @@ To access the default page for Admin Area settings:
 | [Package Registry Rate Limits](package_registry_rate_limits.md) | Configure specific limits for Packages API requests that supersede the user and IP rate limits. |
 | [Git LFS Rate Limits](git_lfs_rate_limits.md) | Configure specific limits for Git LFS requests that supersede the user and IP rate limits. |
 | [Files API Rate Limits](files_api_rate_limits.md) | Configure specific limits for Files API requests that supersede the user and IP rate limits. |
+| [Deprecated API Rate Limits](deprecated_api_rate_limits.md) | Configure specific limits for deprecated API requests that supersede the user and IP rate limits. |
 | [Outbound requests](../../../security/webhooks.md) | Allow requests to the local network from hooks and services. |
 | [Protected Paths](protected_paths.md) | Configure paths to be protected by Rack Attack. |
 | [Incident Management](../../../operations/incident_management/index.md) Limits | Limit the number of inbound alerts that can be sent to a project. |

doc/user/admin_area/settings/user_and_ip_rate_limits.md

@@ -191,6 +191,8 @@ The possible names are:
 - `throttle_authenticated_git_lfs`
 - `throttle_unauthenticated_files_api`
 - `throttle_authenticated_files_api`
+- `throttle_unauthenticated_deprecated_api`
+- `throttle_authenticated_deprecated_api`
 
 For example, to try out throttles for all authenticated requests to
 non-protected paths can be done by setting

lib/gitlab/metrics/subscribers/rack_attack.rb

@@ -22,7 +22,8 @@ module Gitlab
           :throttle_authenticated_protected_paths_web,
           :throttle_authenticated_packages_api,
           :throttle_authenticated_git_lfs,
-          :throttle_authenticated_files_api
+          :throttle_authenticated_files_api,
+          :throttle_authenticated_deprecated_api
         ].freeze
 
         PAYLOAD_KEYS = [

lib/gitlab/rack_attack/request.rb

@@ -4,6 +4,7 @@ module Gitlab
   module RackAttack
     module Request
       FILES_PATH_REGEX = %r{^/api/v\d+/projects/[^/]+/repository/files/.+}.freeze
+      GROUP_PATH_REGEX = %r{^/api/v\d+/groups/[^/]+/?$}.freeze
 
       def unauthenticated?
         !(authenticated_user_id([:api, :rss, :ics]) || authenticated_runner_id)
@@ -71,6 +72,7 @@ module Gitlab
         !should_be_skipped? &&
         !throttle_unauthenticated_packages_api? &&
         !throttle_unauthenticated_files_api? &&
+        !throttle_unauthenticated_deprecated_api? &&
         Gitlab::Throttle.settings.throttle_unauthenticated_api_enabled &&
         unauthenticated?
       end
@@ -87,6 +89,7 @@ module Gitlab
         api_request? &&
         !throttle_authenticated_packages_api? &&
         !throttle_authenticated_files_api? &&
+        !throttle_authenticated_deprecated_api? &&
         Gitlab::Throttle.settings.throttle_authenticated_api_enabled
       end
 
@@ -147,6 +150,17 @@ module Gitlab
         Gitlab::Throttle.settings.throttle_authenticated_files_api_enabled
       end
 
+      def throttle_unauthenticated_deprecated_api?
+        deprecated_api_request? &&
+        Gitlab::Throttle.settings.throttle_unauthenticated_deprecated_api_enabled &&
+        unauthenticated?
+      end
+
+      def throttle_authenticated_deprecated_api?
+        deprecated_api_request? &&
+        Gitlab::Throttle.settings.throttle_authenticated_deprecated_api_enabled
+      end
+
       private
 
       def authenticated_user_id(request_formats)
@@ -176,6 +190,15 @@ module Gitlab
       def files_api_path?
         path =~ FILES_PATH_REGEX
       end
+
+      def deprecated_api_request?
+        # The projects member of the groups endpoint is deprecated. If left
+        # unspecified, with_projects defaults to true
+        with_projects = params['with_projects']
+        with_projects = true if with_projects.blank?
+
+        path =~ GROUP_PATH_REGEX && Gitlab::Utils.to_boolean(with_projects)
+      end
     end
   end
 end

lib/gitlab/throttle.rb

@@ -7,7 +7,7 @@ module Gitlab
     # Each of these settings follows the same pattern of specifying separate
     # authenticated and unauthenticated rates via settings. New throttles should
     # ideally be regular as well.
-    REGULAR_THROTTLES = [:api, :packages_api, :files_api].freeze
+    REGULAR_THROTTLES = [:api, :packages_api, :files_api, :deprecated_api].freeze
 
     def self.settings
       Gitlab::CurrentSettings.current_application_settings

locale/gitlab.pot

@@ -8610,6 +8610,9 @@ msgstr ""
 msgid "Configure specific limits for Git LFS requests that supersede the general user and IP rate limits."
 msgstr ""
 
+msgid "Configure specific limits for deprecated API requests that supersede the general user and IP rate limits."
+msgstr ""
+
 msgid "Configure the %{link} integration."
 msgstr ""
 
@@ -11420,6 +11423,9 @@ msgstr ""
 msgid "Deployment|success"
 msgstr ""
 
+msgid "Deprecated API rate limits"
+msgstr ""
+
 msgid "Deprioritize label"
 msgstr ""
 
@@ -38137,6 +38143,9 @@ msgstr ""
 msgid "When:"
 msgstr ""
 
+msgid "Which API requests are affected?"
+msgstr ""
+
 msgid "While it's rare to have no vulnerabilities, it can happen. In any event, we ask that you please double check your settings to make sure you've set up your dashboard correctly."
 msgstr ""
 

spec/features/admin/admin_settings_spec.rb

@@ -646,6 +646,13 @@ RSpec.describe 'Admin updates settings' do
 
         include_examples 'regular throttle rate limit settings'
       end
+
+      context 'Deprecated API rate limits' do
+        let(:selector) { 'as-deprecated-limits' }
+        let(:fragment) { :deprecated_api }
+
+        include_examples 'regular throttle rate limit settings'
+      end
     end
 
     context 'Preferences page' do

spec/lib/gitlab/rack_attack/request_spec.rb

@@ -3,6 +3,8 @@
 require 'spec_helper'
 
 RSpec.describe Gitlab::RackAttack::Request do
+  using RSpec::Parameterized::TableSyntax
+
   describe 'FILES_PATH_REGEX' do
     subject { described_class::FILES_PATH_REGEX }
 
@@ -13,4 +15,33 @@ RSpec.describe Gitlab::RackAttack::Request do
     it { is_expected.to match('/api/v4/projects/some%2Fnested%2Frepo/repository/files/README') }
     it { is_expected.not_to match('/api/v4/projects/some/nested/repo/repository/files/README') }
   end
+
+  describe '#deprecated_api_request?' do
+    let(:env) { { 'REQUEST_METHOD' => 'GET', 'rack.input' => StringIO.new, 'PATH_INFO' => path, 'QUERY_STRING' => query } }
+    let(:request) { ::Rack::Attack::Request.new(env) }
+
+    subject { !!request.__send__(:deprecated_api_request?) }
+
+    where(:path, :query, :expected) do
+      '/' | '' | false
+
+      '/api/v4/groups/1/'   | '' | true
+      '/api/v4/groups/1'    | '' | true
+      '/api/v4/groups/foo/' | '' | true
+      '/api/v4/groups/foo'  | '' | true
+
+      '/api/v4/groups/1'  | 'with_projects='  | true
+      '/api/v4/groups/1'  | 'with_projects=1' | true
+      '/api/v4/groups/1'  | 'with_projects=0' | false
+
+      '/foo/api/v4/groups/1' | '' | false
+      '/api/v4/groups/1/foo' | '' | false
+
+      '/api/v4/groups/nested%2Fgroup' | '' | true
+    end
+
+    with_them do
+      it { is_expected.to eq(expected) }
+    end
+  end
 end

spec/models/application_setting_spec.rb

@@ -946,6 +946,10 @@ RSpec.describe ApplicationSetting do
           throttle_unauthenticated_files_api_period_in_seconds
           throttle_authenticated_files_api_requests_per_period
           throttle_authenticated_files_api_period_in_seconds
+          throttle_unauthenticated_deprecated_api_requests_per_period
+          throttle_unauthenticated_deprecated_api_period_in_seconds
+          throttle_authenticated_deprecated_api_requests_per_period
+          throttle_authenticated_deprecated_api_period_in_seconds
           throttle_authenticated_git_lfs_requests_per_period
           throttle_authenticated_git_lfs_period_in_seconds
         ]

spec/requests/rack_attack_global_spec.rb

@@ -30,7 +30,11 @@ RSpec.describe 'Rack Attack global throttles', :use_clean_rails_memory_store_cac
       throttle_unauthenticated_files_api_requests_per_period: 100,
       throttle_unauthenticated_files_api_period_in_seconds: 1,
       throttle_authenticated_files_api_requests_per_period: 100,
-      throttle_authenticated_files_api_period_in_seconds: 1
+      throttle_authenticated_files_api_period_in_seconds: 1,
+      throttle_unauthenticated_deprecated_api_requests_per_period: 100,
+      throttle_unauthenticated_deprecated_api_period_in_seconds: 1,
+      throttle_authenticated_deprecated_api_requests_per_period: 100,
+      throttle_authenticated_deprecated_api_period_in_seconds: 1
     }
   end
 
@@ -790,6 +794,213 @@ RSpec.describe 'Rack Attack global throttles', :use_clean_rails_memory_store_cac
     end
   end
 
+  describe 'Deprecated API', :api do
+    let_it_be(:group) { create(:group, :public) }
+
+    let(:request_method) { 'GET' }
+    let(:path) { "/groups/#{group.id}" }
+    let(:params) { {} }
+
+    context 'unauthenticated' do
+      let(:throttle_setting_prefix) { 'throttle_unauthenticated_deprecated_api' }
+
+      def do_request
+        get(api(path), params: params)
+      end
+
+      before do
+        settings_to_set[:throttle_unauthenticated_deprecated_api_requests_per_period] = requests_per_period
+        settings_to_set[:throttle_unauthenticated_deprecated_api_period_in_seconds] = period_in_seconds
+      end
+
+      context 'when unauthenticated deprecated api throttle is disabled' do
+        before do
+          settings_to_set[:throttle_unauthenticated_deprecated_api_enabled] = false
+          stub_application_setting(settings_to_set)
+        end
+
+        it 'allows requests over the rate limit' do
+          (1 + requests_per_period).times do
+            do_request
+            expect(response).to have_gitlab_http_status(:ok)
+          end
+        end
+
+        context 'when unauthenticated api throttle is enabled' do
+          before do
+            settings_to_set[:throttle_unauthenticated_api_requests_per_period] = requests_per_period
+            settings_to_set[:throttle_unauthenticated_api_period_in_seconds] = period_in_seconds
+            settings_to_set[:throttle_unauthenticated_api_enabled] = true
+            stub_application_setting(settings_to_set)
+          end
+
+          it 'rejects requests over the unauthenticated api rate limit' do
+            requests_per_period.times do
+              do_request
+              expect(response).to have_gitlab_http_status(:ok)
+            end
+
+            expect_rejection { do_request }
+          end
+        end
+
+        context 'when unauthenticated web throttle is enabled' do
+          before do
+            settings_to_set[:throttle_unauthenticated_web_requests_per_period] = requests_per_period
+            settings_to_set[:throttle_unauthenticated_web_period_in_seconds] = period_in_seconds
+            settings_to_set[:throttle_unauthenticated_web_enabled] = true
+            stub_application_setting(settings_to_set)
+          end
+
+          it 'ignores unauthenticated web throttle' do
+            (1 + requests_per_period).times do
+              do_request
+              expect(response).to have_gitlab_http_status(:ok)
+            end
+          end
+        end
+      end
+
+      context 'when unauthenticated deprecated api throttle is enabled' do
+        before do
+          settings_to_set[:throttle_unauthenticated_deprecated_api_requests_per_period] = requests_per_period # 1
+          settings_to_set[:throttle_unauthenticated_deprecated_api_period_in_seconds] = period_in_seconds # 10_000
+          settings_to_set[:throttle_unauthenticated_deprecated_api_enabled] = true
+          stub_application_setting(settings_to_set)
+        end
+
+        context 'when group endpoint is given with_project=false' do
+          let(:params) { { with_projects: false } }
+
+          it 'permits requests over the rate limit' do
+            (1 + requests_per_period).times do
+              do_request
+              expect(response).to have_gitlab_http_status(:ok)
+            end
+          end
+        end
+
+        it 'rejects requests over the rate limit' do
+          requests_per_period.times do
+            do_request
+            expect(response).to have_gitlab_http_status(:ok)
+          end
+
+          expect_rejection { do_request }
+        end
+
+        context 'when unauthenticated api throttle is lower' do
+          before do
+            settings_to_set[:throttle_unauthenticated_api_requests_per_period] = 0
+            settings_to_set[:throttle_unauthenticated_api_period_in_seconds] = period_in_seconds
+            settings_to_set[:throttle_unauthenticated_api_enabled] = true
+            stub_application_setting(settings_to_set)
+          end
+
+          it 'ignores unauthenticated api throttle' do
+            requests_per_period.times do
+              do_request
+              expect(response).to have_gitlab_http_status(:ok)
+            end
+
+            expect_rejection { do_request }
+          end
+        end
+
+        it_behaves_like 'tracking when dry-run mode is set' do
+          let(:throttle_name) { 'throttle_unauthenticated_deprecated_api' }
+        end
+      end
+    end
+
+    context 'authenticated' do
+      let_it_be(:user) { create(:user) }
+      let_it_be(:member) { group.add_owner(user) }
+      let_it_be(:token) { create(:personal_access_token, user: user) }
+      let_it_be(:other_user) { create(:user) }
+      let_it_be(:other_user_token) { create(:personal_access_token, user: other_user) }
+
+      let(:throttle_setting_prefix) { 'throttle_authenticated_deprecated_api' }
+
+      before do
+        stub_application_setting(settings_to_set)
+      end
+
+      context 'with the token in the query string' do
+        let(:request_args) { [api(path, personal_access_token: token), {}] }
+        let(:other_user_request_args) { [api(path, personal_access_token: other_user_token), {}] }
+
+        it_behaves_like 'rate-limited token-authenticated requests'
+      end
+
+      context 'with the token in the headers' do
+        let(:request_args) { api_get_args_with_token_headers(path, personal_access_token_headers(token)) }
+        let(:other_user_request_args) { api_get_args_with_token_headers(path, personal_access_token_headers(other_user_token)) }
+
+        it_behaves_like 'rate-limited token-authenticated requests'
+      end
+
+      context 'precedence over authenticated api throttle' do
+        before do
+          settings_to_set[:throttle_authenticated_deprecated_api_requests_per_period] = requests_per_period
+          settings_to_set[:throttle_authenticated_deprecated_api_period_in_seconds] = period_in_seconds
+        end
+
+        def do_request
+          get(api(path, personal_access_token: token), params: params)
+        end
+
+        context 'when authenticated deprecated api throttle is enabled' do
+          before do
+            settings_to_set[:throttle_authenticated_deprecated_api_enabled] = true
+          end
+
+          context 'when authenticated api throttle is lower' do
+            before do
+              settings_to_set[:throttle_authenticated_api_requests_per_period] = 0
+              settings_to_set[:throttle_authenticated_api_period_in_seconds] = period_in_seconds
+              settings_to_set[:throttle_authenticated_api_enabled] = true
+              stub_application_setting(settings_to_set)
+            end
+
+            it 'ignores authenticated api throttle' do
+              requests_per_period.times do
+                do_request
+                expect(response).to have_gitlab_http_status(:ok)
+              end
+
+              expect_rejection { do_request }
+            end
+          end
+        end
+
+        context 'when authenticated deprecated api throttle is disabled' do
+          before do
+            settings_to_set[:throttle_authenticated_deprecated_api_enabled] = false
+          end
+
+          context 'when authenticated api throttle is enabled' do
+            before do
+              settings_to_set[:throttle_authenticated_api_requests_per_period] = requests_per_period
+              settings_to_set[:throttle_authenticated_api_period_in_seconds] = period_in_seconds
+              settings_to_set[:throttle_authenticated_api_enabled] = true
+              stub_application_setting(settings_to_set)
+            end
+
+            it 'rejects requests over the authenticated api rate limit' do
+              requests_per_period.times do
+                do_request
+                expect(response).to have_gitlab_http_status(:ok)
+              end
+
+              expect_rejection { do_request }
+            end
+          end
+        end
+      end
+    end
+  end
+
   describe 'throttle bypass header' do
     let(:headers) { {} }
     let(:bypass_header) { 'gitlab-bypass-rate-limiting' }

spec/services/application_settings/update_service_spec.rb

@@ -413,6 +413,32 @@ RSpec.describe ApplicationSettings::UpdateService do
     end
   end
 
+  context 'when deprecated API rate limits are passed' do
+    let(:params) do
+      {
+        throttle_unauthenticated_deprecated_api_enabled: 1,
+        throttle_unauthenticated_deprecated_api_period_in_seconds: 500,
+        throttle_unauthenticated_deprecated_api_requests_per_period: 20,
+        throttle_authenticated_deprecated_api_enabled: 1,
+        throttle_authenticated_deprecated_api_period_in_seconds: 600,
+        throttle_authenticated_deprecated_api_requests_per_period: 10
+      }
+    end
+
+    it 'updates deprecated API throttle settings' do
+      subject.execute
+
+      application_settings.reload
+
+      expect(application_settings.throttle_unauthenticated_deprecated_api_enabled).to be_truthy
+      expect(application_settings.throttle_unauthenticated_deprecated_api_period_in_seconds).to eq(500)
+      expect(application_settings.throttle_unauthenticated_deprecated_api_requests_per_period).to eq(20)
+      expect(application_settings.throttle_authenticated_deprecated_api_enabled).to be_truthy
+      expect(application_settings.throttle_authenticated_deprecated_api_period_in_seconds).to eq(600)
+      expect(application_settings.throttle_authenticated_deprecated_api_requests_per_period).to eq(10)
+    end
+  end
+
   context 'when git lfs rate limits are passed' do
     let(:params) do
       {

spec/support/shared_examples/requests/rack_attack_shared_examples.rb

 # frozen_string_literal: true
 #
 # Requires let variables:
-# * throttle_setting_prefix: "throttle_authenticated_api", "throttle_authenticated_web", "throttle_protected_paths", "throttle_authenticated_packages_api", "throttle_authenticated_git_lfs", "throttle_authenticated_files_api"
+# * throttle_setting_prefix: "throttle_authenticated_api", "throttle_authenticated_web", "throttle_protected_paths", "throttle_authenticated_packages_api", "throttle_authenticated_git_lfs", "throttle_authenticated_files_api", "throttle_authenticated_deprecated_api"
 # * request_method
 # * request_args
 # * other_user_request_args
@@ -16,7 +16,8 @@ RSpec.shared_examples 'rate-limited token-authenticated requests' do
       "throttle_authenticated_web" => "throttle_authenticated_web",
       "throttle_authenticated_packages_api" => "throttle_authenticated_packages_api",
       "throttle_authenticated_git_lfs" => "throttle_authenticated_git_lfs",
-      "throttle_authenticated_files_api" => "throttle_authenticated_files_api"
+      "throttle_authenticated_files_api" => "throttle_authenticated_files_api",
+      "throttle_authenticated_deprecated_api" => "throttle_authenticated_deprecated_api"
     }
   end