Rate limiting (if by that you mean at the firewall or the web server) is not the way to do it. That shifts the problem somewhere else in the stack, into a place that isn't under version control in the same repository.
Consider: If you moved this on to another server, would you remember to enable rate limiting there? If someone else uses your code, will they know to enable rate limiting?
Rate limiting isn't a bad idea, but your security should not depend on it, especially as you have a way of securing it in your application. base64.b16encode(os.urandom(8)) will give you a 64-bit, filename-safe, as-close-to-random-as-reasonable suffix that should be long enough to make it brute-force-proof :)
The same reasoning applies to the cron job (I presume) that is cleaning your files - that's something you have to remember to set up for future (re-)deployments.
Edit: I'd also like to add that showing your code on HN takes bravery and this is, in fact, a neat tool that solves a problem I really wish didn't exist. So, good work on both counts :)
I know this doesn't really add much to the discussion, I just wanted to let you know I really, really appreciate HN over other sites for comments like this. Ones that help you learn something new in a really intuitive and on top of that "non-condescending" way (for lack of a better word I can think of). Thank you!
Hey, I know I was not as positive & encouraging as I should have been initially, hence the edit on the end. But thank you for the kind words mate, that actually means a lot to me. <3
thanks! took me quite a while to prepare as I read a bunch of other servers failing catastrophically when posting on HN due to the sheer amount of traffic.
I will start working on your comments throughout the weekend, I agree with most of them. Would love for you to follow the github page for any other comments you may have, all are appreciated
It was while reading my above comments that I realised I should have shut up and contributed code instead, because that's definitely more helpful than being critical on HN, especially to a newcomer & their first project.
So that is what I've decided to do! First step: a PR coming out of getting this up and running on my Ubuntu box. :)
Consider: If you moved this on to another server, would you remember to enable rate limiting there? If someone else uses your code, will they know to enable rate limiting?
Rate limiting isn't a bad idea, but your security should not depend on it, especially as you have a way of securing it in your application. base64.b16encode(os.urandom(8)) will give you a 64-bit, filename-safe, as-close-to-random-as-reasonable suffix that should be long enough to make it brute-force-proof :)
The same reasoning applies to the cron job (I presume) that is cleaning your files - that's something you have to remember to set up for future (re-)deployments.
Edit: I'd also like to add that showing your code on HN takes bravery and this is, in fact, a neat tool that solves a problem I really wish didn't exist. So, good work on both counts :)