feat(flags): add quota limiting for feature flags served up with /decide and to local_evaluation
#28564
+546
−126
There are no files selected for viewing
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -1,5 +1,5 @@ | ||
| from random import random | ||
| from typing import Any | ||
|
|
||
| import structlog | ||
| from django.conf import settings | ||
|
|
@@ -166,11 +166,16 @@ def get_base_config(token: str, team: Team, request: HttpRequest, skip_db: bool | |
| @csrf_exempt | ||
| @timed("posthog_cloud_decide_endpoint") | ||
| def get_decide(request: HttpRequest): | ||
| """Handle the /decide endpoint which provides configuration and feature flags to PostHog clients. | ||
| The decide endpoint is a critical API that tells PostHog clients (like posthog-js) how they should behave, | ||
| including which feature flags are enabled, whether to record sessions, etc. | ||
| """ | ||
| # --- 1. Handle non-POST requests --- | ||
| if request.method == "OPTIONS": | ||
| return cors_response(request, JsonResponse({"status": 1})) | ||
|
|
||
| if request.method != "POST": | ||
| # Return minimal default configuration for non-POST requests | ||
| statsd.incr(f"posthog_cloud_raw_endpoint_success", tags={"endpoint": "decide"}) | ||
| return cors_response( | ||
| request, | ||
|
|
@@ -179,51 +184,39 @@ def get_decide(request: HttpRequest): | |
| "config": {"enable_collect_everything": True}, | ||
| "toolbarParams": {}, | ||
| "isAuthenticated": False, | ||
| "supportedCompression": ["gzip", "gzip-js"], | ||
| "featureFlags": [], | ||
| "sessionRecording": False, | ||
| } | ||
| ), | ||
| ) | ||
|
|
||
| # --- 2. Parse request data and API version --- | ||
| try: | ||
| data = load_data_from_request(request) | ||
| api_version_string = request.GET.get("v") | ||
| api_version = int(api_version_string) if api_version_string else 1 | ||
| except ValueError: | ||
| # Handle legacy clients (posthog-js 1.19.0) by defaulting to v2 | ||
| statsd.incr( | ||
| f"posthog_cloud_decide_defaulted_api_version_on_value_error", | ||
| tags={"endpoint": "decide", "api_version_string": api_version_string}, | ||
| ) | ||
| api_version = 2 | ||
| except (UnspecifiedCompressionFallbackParsingError, RequestParsingError) as error: | ||
| # Return error for malformed requests | ||
| return cors_response( | ||
| request, | ||
| generate_exception_response("decide", f"Malformed request data: {error}", code="malformed_data"), | ||
| ) | ||
|
|
||
| # --- 3. Authenticate the request --- | ||
| token = get_token(data, request) | ||
| team = Team.objects.get_team_from_cache_or_token(token) | ||
|
|
||
| # Handle personal API key authentication if team lookup failed | ||
| if team is None and token: | ||
| project_id = get_project_id(data, request) | ||
| if not project_id: | ||
| return cors_response( | ||
| request, | ||
|
|
@@ -250,122 +243,42 @@ def get_decide(request: HttpRequest): | |
| ) | ||
| team = user.teams.get(id=project_id) | ||
|
|
||
| # --- 4. Process authenticated requests --- | ||
| if team: | ||
| # Set up logging and context | ||
| is_request_sampled_for_logging = random() < settings.DECIDE_REQUEST_LOGGING_SAMPLING_RATE | ||
| if is_request_sampled_for_logging: | ||
| logger.warn("DECIDE_REQUEST_STARTED", team_id=team.id, distinct_id=data.get("distinct_id")) | ||
|
|
||
| # Check if team is allowed to use decide | ||
| if team.id in settings.DECIDE_SHORT_CIRCUITED_TEAM_IDS: | ||
| return cors_response( | ||
| request, | ||
| generate_exception_response( | ||
| "decide", | ||
| f"Team with ID {team.id} cannot access the /decide endpoint. Please contact us at [email protected]", | ||
| status_code=status.HTTP_422_UNPROCESSABLE_ENTITY, | ||
| ), | ||
| ) | ||
|
|
||
| token = team.api_token | ||
| structlog.contextvars.bind_contextvars(team_id=team.id) | ||
|
|
||
| # --- 5. Handle feature flags --- | ||
| flags_response = {} | ||
| disable_flags = process_bool(data.get("disable_flags")) is True | ||
|
|
||
| if not disable_flags: | ||
| flags_response = compute_feature_flags( | ||
| request, data, team, token, api_version, is_request_sampled_for_logging | ||
| ) | ||
|
|
||
|
Comment on lines
-318
to
-348
There was a problem hiding this comment. this code was all moved to There was a problem hiding this comment. I wish GitHub supported semantic diffs to make it easier to review changes like this. 😆 There was a problem hiding this comment. yeah, that'd be so nice. Sometimes I find the side-by-side view to help with it. |
||
| # --- 6. Build and return full response from the base config and the flags response --- | ||
| response = get_base_config(token, team, request, skip_db=flags_response.get("errorsWhileComputingFlags", False)) | ||
| response.update(flags_response) | ||
|
|
||
|
There was a problem hiding this comment. this code was also moved to
Comment on lines
-358
to
-365
There was a problem hiding this comment. this, and other logging, is moved into |
||
| else: | ||
| # No valid authentication provided | ||
| return cors_response( | ||
| request, | ||
| generate_exception_response( | ||
|
|
@@ -381,6 +294,116 @@ def get_decide(request: HttpRequest): | |
| return cors_response(request, JsonResponse(response)) | ||
|
|
||
|
|
||
| def compute_feature_flags(request, data, team, token, api_version, is_request_sampled_for_logging): | ||
| """Compute feature flags for the given request. Extracted from get_decide for clarity.""" | ||
| flags_response: dict[str, Any] = {} | ||
|
|
||
| # --- 1. Validate distinct_id --- | ||
| distinct_id = data.get("distinct_id") | ||
| if distinct_id is None: | ||
| return cors_response( | ||
| request, | ||
| generate_exception_response( | ||
| "decide", | ||
| "Decide requires a distinct_id.", | ||
| code="missing_distinct_id", | ||
| type="validation_error", | ||
| status_code=status.HTTP_400_BAD_REQUEST, | ||
| ), | ||
| ) | ||
| distinct_id = str(distinct_id) | ||
|
|
||
| # --- 2. Check feature flag quota limits --- | ||
| if settings.DECIDE_FEATURE_FLAG_QUOTA_CHECK: | ||
| from ee.billing.quota_limiting import ( | ||
| QuotaLimitingCaches, | ||
| QuotaResource, | ||
| list_limited_team_attributes, | ||
| ) | ||
|
|
||
| limited_tokens_flags = list_limited_team_attributes( | ||
| QuotaResource.FEATURE_FLAGS, QuotaLimitingCaches.QUOTA_LIMITER_CACHE_KEY | ||
| ) | ||
|
|
||
| if token in limited_tokens_flags: | ||
| flags_response.update( | ||
| { | ||
| "quotaLimited": ["feature_flags"], | ||
| "featureFlags": {}, | ||
| "errorsWhileComputingFlags": True, | ||
| "featureFlagPayloads": {}, | ||
| } | ||
| ) | ||
| return flags_response | ||
|
|
||
| # --- 3. Gather property overrides --- | ||
| property_overrides = {} | ||
| if process_bool(data.get("geoip_disable")) is False: | ||
| property_overrides = get_geoip_properties(get_ip_address(request)) | ||
|
|
||
| all_property_overrides = { | ||
| **property_overrides, | ||
| **(data.get("person_properties") or {}), | ||
| } | ||
|
|
||
| # --- 4. Compute feature flags --- | ||
| feature_flags, _, feature_flag_payloads, errors = get_all_feature_flags( | ||
| team.pk, | ||
| distinct_id, | ||
| data.get("groups") or {}, | ||
| hash_key_override=data.get("$anon_distinct_id"), | ||
| property_value_overrides=all_property_overrides, | ||
| group_property_value_overrides=(data.get("group_properties") or {}), | ||
| ) | ||
|
|
||
| # --- 5. Format response based on API version --- | ||
| active_flags = {key: value for key, value in feature_flags.items() if value} | ||
|
|
||
| if api_version == 2: | ||
| # v2: Return only active flags as a dict | ||
| flags_response["featureFlags"] = active_flags | ||
| elif api_version >= 3: | ||
| # v3: Return all flags, error status, and payloads | ||
| flags_response.update( | ||
| { | ||
| "featureFlags": feature_flags, | ||
| "errorsWhileComputingFlags": errors, | ||
| "featureFlagPayloads": feature_flag_payloads, | ||
| } | ||
| ) | ||
| else: | ||
| # v1: Return active flag keys as a list | ||
| flags_response["featureFlags"] = list(active_flags.keys()) | ||
|
|
||
| # --- 6. Record metrics and logs --- | ||
| # Track feature flag evaluation metrics | ||
| team_id_label = label_for_team_id_to_track(team.pk) | ||
| FLAG_EVALUATION_COUNTER.labels( | ||
| team_id=team_id_label, | ||
| errors_computing=errors, | ||
| has_hash_key_override=bool(data.get("$anon_distinct_id")), | ||
| ).inc() | ||
|
|
||
| if is_request_sampled_for_logging: | ||
| logger.warn( | ||
| "DECIDE_REQUEST_SUCCEEDED", | ||
| team_id=team.id, | ||
| distinct_id=distinct_id, | ||
| errors_while_computing=errors or False, | ||
| has_hash_key_override=bool(data.get("$anon_distinct_id")), | ||
| ) | ||
|
|
||
| # --- 7. Handle billing analytics --- | ||
| if feature_flags: | ||
| # Only count non-survey targeting flags for billing | ||
| if not all(flag.startswith(SURVEY_TARGETING_FLAG_PREFIX) for flag in feature_flags.keys()): | ||
| if settings.DECIDE_BILLING_SAMPLING_RATE and random() < settings.DECIDE_BILLING_SAMPLING_RATE: | ||
| count = int(1 / settings.DECIDE_BILLING_SAMPLING_RATE) | ||
| increment_request_count(team.pk, count) | ||
|
|
||
| return flags_response | ||
|
|
||
|
|
||
| def _session_recording_domain_not_allowed(team: Team, request: HttpRequest) -> bool: | ||
| return team.recording_domains and not on_permitted_recording_domain(team.recording_domains, request) | ||
|
|
||
|
|
||
Oops, something went wrong.
Oops, something went wrong.
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I'm open to calling this
feature_flags_evaluatedinstead, that might be more clear (I like howrows_syncedis more obvious than justevents.There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I think
FEATURE_FLAGS_EVALUATEDmakes sense. That way it's not confused with how many feature flags a team has, which I assume is NOT quota limited?