implement API rate limiter and throttling

[6reenhorn]

This PR introduces a robust rate-limiting (throttling) layer to the QueueLess API to protect against spam, brute-force joins, and aggressive polling. By implementing this, we ensure system stability even during high-traffic spikes and prevent individual users from monopolizing server resources.

Key Changes

• Multi-Layer Throttling

  • Join Queue Protection: Added a strict limit of 5 requests per minute for the /api/queue/join/ endpoint.
  • Burst/Polling Protection: Added a generous 30 requests per minute limit for status checks, check-ins, and cancellations to accommodate active browser sessions while blocking excessive automation.
  • Daily Quotas: Set base anonymous limits to 100/day and authenticated limits to 1000/day.

• Architectural Cleanliness

  • Introduced queue_tracker/throttles.py to house custom throttle classes (JoinQueueRateThrottle, BurstRateThrottle).
  • Decoupled throttle rates into settings.py for easy environment-specific adjustments.

• Load Balancer Ready

  • The throttling state is managed via the Redis cache, ensuring that rate limits are enforced consistently even when the application is scaled horizontally across multiple instances.

Testing Done

• Verified that existing QueueJoinViewTests and other tracking tests pass.
• Manually verified that exceeding the 5-join-per-minute limit correctly returns a 429 Too Many Requests status code.
• Confirmed that legitimate polling within the 30/min window remains uninterrupted.

Test Results:

Ran 3 tests in 0.210s
OK

How to Test

1. Try to join a queue more than 5 times within one minute from the same IP.
2. You should receive a 429 Too Many Requests response with a message indicating when you can try again.
3. Verify that normal status polling (once every few seconds) still works without being blocked.

[Copilot]

Pull request overview

This PR adds Django REST Framework throttling to protect key QueueLess API endpoints (queue join + polling-style endpoints) and introduces custom throttle scopes intended to cap burst traffic and joins.

Changes:

• Added global DRF throttling configuration (daily anon/user quotas + scoped rates) in settings.py.
• Introduced JoinQueueRateThrottle / BurstRateThrottle and applied them to queue join/status/check-in/cancel endpoints.
• Added a scratch throttling “test” script.

Reviewed changes

Copilot reviewed 4 out of 4 changed files in this pull request and generated 6 comments.

File	Description
scratch/test_throttling.py	Adds a script-like throttling check, currently named/structured like a pytest test.
queueless_backend/queueless_backend/settings.py	Configures DRF default throttles/rates (daily quotas + join/burst rates).
queueless_backend/queue_tracker/views.py	Applies join/burst throttles to public queue endpoints.
queueless_backend/queue_tracker/throttles.py	Defines two throttle classes with join and burst scopes.

---

💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.

[Copilot]

Pull request overview

Copilot reviewed 3 out of 3 changed files in this pull request and generated 5 comments.

---

💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.

[Copilot]

Pull request overview

Copilot reviewed 4 out of 4 changed files in this pull request and generated 5 comments.

---

💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.

[Copilot]

Pull request overview

Copilot reviewed 3 out of 3 changed files in this pull request and generated 5 comments.

---

💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.

[Copilot]

Pull request overview

Copilot reviewed 3 out of 3 changed files in this pull request and generated 4 comments.

---

💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.