ProgrammingPro #51: JetBrains' Offline AI, Rust Vulnerability Exposed, Master Django Throttling, and Pair Programming with AI
Bite-sized actionable content, practical tutorials, and resources for programmers
Welcome to this week’s edition of ProgrammingPro!
In today’s Expert Insight, we bring you an excerpt from the newly published book,
Django in Production, that teaches you how to effectively implement and manage throttling in Django applications and best practices for securing and optimizing API request handling.
News Highlights: JetBrains' new IDE editions introduce offline AI code completion; Loubna Ben Allal's QCon London talk delves into LLMs for code; VS Code's latest update adds test coverage API and TypeScript 5.4 support; a critical Rust flaw poses security risks for Windows; and PHP's Tiobe index decline signals change in language popularity.
My top 5 picks from today’s learning resources:
🧠Python skills ‘increasingly essential’ to dev teams venturing into advanced AI
👥Developers with AI assistants need to follow the pair programming model
But there’s more, so dive right in.
Stay Awesome!
Divya Anne Selvaraj
Editor-in-Chief
PS: If you have any food for thought, feedback, or would like us to find you a specific Programming learning resource for our next issue, take the survey. We will send you one Packt credit to buy a book of your choice as a thank you!
🗞️News and Analysis🔎
Critical Rust flaw enables Windows command injection attacks: A critical vulnerability in Rust's standard library, CVE-2024-24576, enables attackers to perform command injection attacks on Windows systems. Read for insights into this critical security vulnerability within Rust's handling of batch files on Windows.
Parasoft introduces new C and C++ testing solution: The solution tailored for safety and security critical applications is meant to enhance development workflows and flexibility with open source integration and automated code coverage. Read to learn about the key features of Parasoft's new testing tool.
JetBrains launches 2024.1 editions of its IDEs with local AI code completion: The update also prioritises privacy, and provides offline functionality, and seamless user experience. Read to learn about other IDE improvements and expanded programming language support.
Large Language Models for Code by Loubna Ben Allal at QCon London: The talk focussed on the lifecycle of code completion models from pre-training on extensive codebases to fine-tuning. Read to learn how these models are shaping software development practices.
Meta based its Threads on Instagram to ship it quickly – and now has to unpick it: Meta's Threads, developed to capture Twitter users, was quickly launched using Instagram's code, leading to significant technical debt. Read to learn about the ensuing challenges and efforts to rectify the foundational code for sustainability.
VS Code updated with test coverage API, fixed floating windows, TypeScript 5.4 and more: The latest update addresses user feedback with significant fixes and new features for a more efficient coding environment. Read to learn more about the core updates.
PHP sinks in Tiobe language popularity index: PHP has fallen to its lowest ever rank of 17th in the April 2024 Tiobe index, signaling a shift from its peak popularity, while Fortran re-enters the top 10. Read to learn more.
Netlify begins rolling out latest version of its Next.js runtime: The update will enhance Next.js on Netlify with App Router support, smoother routing, and more. Read to learn about all the new features.
🎓Tutorials and Learning Resources💡
Python
Python skills ‘increasingly essential’ to dev teams venturing into advanced AI: Python's role as the go-to language for AI and machine learning is evident through a 571% increase in its use within Snowflake's Snowpark libraries, significantly outpacing Scala and Java. Read to learn how Python skills are becoming crucial for teams engaging in advanced AI.
🎓Tutorial | Boosting Python development speed with Ruff: An all-in-one lightning fast linter: Ruff, written in Rust, utilizes Python's AST parser for fast performance, supporting Python versions 3.10 and 3.11. Read to learn how it functions as a comprehensive replacement for several tools, including Flake8 and isort, with over 700 rules.
5 Reasons To Choose Django in 2024: This article advocates for Django as the optimal choice for smaller projects in 2024, emphasizing its efficiency, cost-effectiveness, and the rich resources available due to its large, seasoned community. Read if you are wondering if Django is right for you.
For more Python resources go to PythonPro
C# and .NET
🎓Tutorial | How to create a modern C# web API client - An example implementation of the C# SDK for Anthropic Claude: This article introduces "Claudia," an unofficial C# SDK for Anthropic Claude 3, a high-performance LLM surpassing GPT-4, designed for .NET and Unity. Read to learn how to leverage .NET's latest features and practices for typed, streamlined interaction with LLMs.
Speed up searches using SearchValues in .NET: .NET 8 introduced the SearchValues class, leveraging vectorization and hardware acceleration to enhance search speeds in .NET applications. Read if you are looking to optimize data retrieval in your .NET applications.
🎓Tutorial | Streamlining .NET QUIC Development with Dev Containers: This guide addresses the challenge of .NET's limited QUIC support across platforms. Read to learn how you can utilize development containers to bypass platform-specific limitations of .NET's QUIC implementation.
C and C++
Will C++ Become a Safe Language Like Rust and Others?: This article details the ongoing efforts and debates within the C++ community to enhance the language's safety features. Read to learn about the quest for balance between maintaining the language’s powerful capabilities and mitigating security vulnerabilities.
🎓Tutorial | C++20 modules and Boost: an analysis: This article examines the potential for modularizing Boost libraries, allowing for the use of import boost; in C++. Read to learn about the implementation, benefits, and current limitations of integrating C++20 modules with Boost libraries.
Compilers and Termination Revisited: This article offers an in-depth analysis of C compilers and their interpretation of programs that should, according to their abstract semantics, run indefinitely, such as a counterexample search for Fermat's Last Theorem. Read to learn about the complexities and implications of how C compilers interpret potentially non-terminating programs.
Java
Premature optimization, where software thrives unless you kill it first - a tale of Java GC: This article examines Java optimization pitfalls, focusing on premature optimization dangers, code readability, and efficient coding practices. Read to learn effective Java programming practices and strategies for garbage collection management.
Evolution of Java Usage at Netflix: Netflix's Java backend has evolved with architectural changes to meet new requirements, starting from Groovy scripts for microservices and utilizing Zuul as a gateway. Read to learn about Netflix's adaptive backend development strategies.
🎓Tutorial | Visual Studio Code for Java - The Complete Guide (Tips, Setup, and Extensions): This guide details configuring Visual Studio Code (VSCode) for Java development, highlighting its efficiency for professional projects with a focus on extensions, debugging, and Spring framework support. Read if you have been looking for an in depth guide.
JavaScript and TypeScript
🎓Tutorial | Full-stack web development with HTMX and Bun, Part 1: Elysia and MongoDB: This article introduces a setup using HTMX for the front end and Bun for the server-side, along with MongoDB for data storage and Elysia as the HTTP server. Read for insights into the ease of this setup.
We've added JavaScript-native RPC to Cloudflare Workers: The update enables efficient Worker-to-Worker and Worker-to-Durable Object communications, removing the need for boilerplate code. Read to learn about the integration and capabilities of the new RPC system in Cloudflare Workers.
🎓Tutorial | How to Use TypeScript with MongoDB Atlas: This tutorial covers setting up a project with Node.js, connecting to MongoDB Atlas, creating data models, services, and routes with TypeScript, and more. Read to learn best practices for project setup, data modeling, and schema validation.
Go
Go Developer Survey 2024 H1 Results: The responses reveal strong satisfaction and trust in the Go team, and an interest in using Go for AI-related use cases, especially for production-ready applications, despite challenges stemming from a Python-centric AI ecosystem. Read for more insights.
Go’s Error Handling Is Perfect, Actually: This article counters common criticisms of Go's verbosity and the lack of a Result type by highlighting the importance of clear, predictable error handling paths in code. Read for insights into Go's error handling philosophy.
Rust
Rust memory safety explained: Rust's emergence as a favored language for fast, memory-safe software is attributed to its built-in safety features. Read to learn how these features prevent common vulnerabilities like use-after-free errors and more.
Async C++/Rust Interoperability: This article discusses the intricacies of achieving asynchronous interoperability between C++ and Rust, focusing on challenges like memory management, type compatibility, and more. Read to learn about strategies for integrating asynchronous C++ and Rust code.
PHP
🎓Tutorial | How to Scale a Laravel App to handle +9M requests per month in a small EC2 instance: This article focuses on strategies such as utilizing jobs and queues, optimizing code and database queries, and more. Read to learn how to scale your Laravel applications by adopting asynchronous job handling.
SQL
🎓Tutorial | Logical functions - LEAST (Transact-SQL): The LEAST function efficiently identifies the minimum value from a set of expressions, offering a swift method to enforce data integrity and security by validating input types and formats. Read to learn how to use this powerful tool for database optimization and security.
Ruby
How a Ruby Method Becomes a Rails Action: Part One (Metal): This article delves into the Rails framework's internals, explaining how a Ruby method in a controller transforms into a Rails action capable of handling HTTP requests. Read for insights into the routing process, the creation of Rack applications, and the dispatch method's role in generating HTTP responses.
Swift
Run-time Polymorphism in Swift: This artilcle takes you through the mechanisms for implementing run-time polymorphism in Swift. Read to understand the roles of closures, class inheritance, protocols, and type checks in achieving dynamic behavior in your code.
Kotlin
A Comprehensive Kotlin Learning Guide for All Levels: This article provides a structured pathway through various Kotlin courses and tracks, from introductory lessons for absolute beginners to advanced topics like coroutines, channels, and Android development with Kotlin. Read to learn how to navigate the Kotlin learning landscape.
Scala
Work with stored procedures for Apache Spark: This document guides data professionals on creating and invoking Spark stored procedures within BigQuery, using languages such as Python, Java, and Scala. Read to learn how to set up permissions, create procedures in various programming languages, and more.
🌟Best Practices, Advice, and Case Studies🚀
Developers with AI assistants need to follow the pair programming model: This approach ensures continuous code review, minimizing bugs and promoting higher quality outcomes. Read to learn why you need to treat AI as a junior programming partner.
AppSec 101 – Input Validation: Input validation, likened to a bouncer for your app, is a vital security measure ensuring only correct, safe data enters your application. Read to learn how the approach contributes to preventing attacks like SQL Injection, XSS, and Command Injection.
Queuing Theory for Non-Functional Testing: Queuing theory, a mathematical study of waiting lines, is particularly beneficial in scenarios involving varying system loads, helping to optimize server utilization and reduce waiting times. Read to learn how you can make informed decisions for system improvement and resource management.
A Progressive Codebook Optimization Scheme for Sparse Code Multiple Access in Downlink Channels: The method proposed in this paper, focusing on optimizing multi-dimensional codebooks based on symbol error rate performance, significantly improves error performance in low SNR regions across various fading channels. Read if you work in the fields of wireless communications and network programming.
Take the Survey, Get a Packt credit!
🧠 Expert Insight 📚
Here’s an exclusive excerpt from “Chapter 6: Caching, Logging, and Throttling” in the book, Django in Production by Arghya Saha.
Throttling with Django
Throttling is the process of limiting the number of API requests that can be made by a user in a given time frame. Django does not provide any throttling feature out of the box, but DRF does. In this section, we will learn about how we can incorporate throttling into using DRF.
Different systems have different use cases for throttling. For a SaaS product, throttling is needed to limit the number of API calls per customer per minute depending upon their paid plan. An example is Shopify backend APIs. A standard product company doesn’t want its APIs to be abused by any outside customer, so it would throttle any request beyond a particular threshold.
Important note
We should understand that in this section we are implementing throttling in the application layer. This is generally not a recommended approach to protecting your service from brute force attacks since application-level throttling might still increase the request queue for your application and degrade the overall system performance. We should always implement throttling using a web application firewall (WAF). This will protect your system from queuing up requests when there is a large brute-force attack. Do note that when you are building a new system and not expecting high traffic, you can postpone the incorporation of WAF in your system for a later point in time. Application-level throttling provided by DRF should be used to incorporate business tier implementations.
DRF uses Django’s default caching framework as a backend. Before setting up throttling, we should set up caching in Django; we do not have to do anything extra apart from the basic Django Redis setup we learned in the previous section. Once we have Redis set up with Django backend caching, we need to configure the throttling classes. It is recommended not to use blanket throttling via DEFAULT_THROTTLE_CLASSES configuration for all the APIs using setting.py because different APIs would have different throughputs. It is better to create an individual throttle limit after assessing traffic patterns for each endpoint independently. We need to define the default throttle rate in the settings.py file. The 'anon' key represents how many non-logged-in requests are allowed and the 'user' key represents the configuration for the logged-in requests:
REST_FRAMEWORK = {
'DEFAULT_THROTTLE_RATES': {
'anon': '100/day',
'user': '1000/day'
'scope': '10000/day'
}
}
DRF provides three different out-of-the-box throttling classes that can help us implement throttling:
AnonRateThrottle: Implement throttling for non-logged-in user requests. By default, the throttling rate would be taken as the value passed in the 'anon' default throttle rate config. Internally, DRF would use the X-Forwarded-For header to identify the IP address and determine the different sources of the request. Hence, it is very important to configure the application to forward the IP address of the client in the given header.
UserRateThrottle: Implement throttling for logged-in user requests. By default, the throttling rate would be taken as the value passed in the 'user' default throttle rate config. This puts a global rate limit on the total number of APIs called by the end user; hence, one should be cautious while attaching UserRateThrottling. It would use the user ID to generate the unique throttle key. If not found, it would fall back to the IP address. The default scope 'user' key can be overridden by assigning the new scope value to the extended class.
ScopedRateThrottle: Implement throttling to specific APIs clubbed together. For example, if we want to implement throttling for two APIs combined, we should use ScopedRateThrottle with a defined scope.
DRF APIViews has throttle_classes as a property that takes a list of all the throttle classes. If we have to attach an AnonRateThrottle to BlogApiView, we can do it by adding the throttle class in the following code snippet:
from rest_framework.views import APIView
from rest_framework.throttling import AnonRateThrottle
class BlogApiView(APIView):
throttle_classes = [AnonRateThrottle]
...
Similarly, we can attach the UserRateThrottle class to APIView. For ScopedRateThrottle, we have to pass an additional throttle_scope property. For example, BlogApiView and BlogDetailApiView both have the same throttle_scope assigned, which means the total rate limit is going to be distributed among both the APIs while Blog2ApiView shall have an independent limit:
from rest_framework.views import APIView
from rest_framework.throttling import AnonRateThrottle
class BlogApiView(APIView):
throttle_classes = [ScopedRateThrottle]
throttle_scope = 'blog_limit'
...
class BlogDetailApiView(APIView):
throttle_classes = [ScopedRateThrottle]
throttle_scope = 'blog_limit'
...
class Blog2ApiView(APIView):
throttle_classes = [ScopedRateThrottle]
throttle_scope = 'blog_2_limit'
...
We can set the throttling limit in the settings.py file, as shown in the following snippet:
REST_FRAMEWORK = {
'DEFAULT_THROTTLE_RATES': {
'blog_limit': '1000/day',
'blog_2_limit': '100/day'
}
}
All the throttle classes are expandable and one can easily override them. It is also possible to pass multiple throttle classes to one APIView, so we can add multiple rules for a single API view. If there are multiple throttle classes attached to a single APIView, all the classes need to pass before executing the main body of the view or else exceptions.Throttled is raised.
For more details on how we can create custom throttle classes and extend existing classes, you can look into the official documentation.
Best practices for throttling in production
Now let us look into a few best practices one should follow while implementing throttling in production:
Always prefer to implement throttling using WAFs or other components. Application-level throttling should be implemented only if the application is small and the added complexity of using other methods outweighs the advantage.
Avoid adding blanket application throttling on DRF settings. It can backfire at any given time on production.
Add monitoring and logging for all the throttled requests. This helps you monitor any unexpected throttling behavior or increase the throttling limit from time to time as per the usage pattern.
Always remember to pass the correct IP address of the client to X-Forwarded-For so that the throttling backend performs the expected behavior. As we have multiple components between the client and the Django server, it is common to use the wrong IP address. Always double-check that the client IP is propagated properly to the Django server.
The default UserRateThrottle always uses a global rate limit. It is recommended to use a custom scope by extending the UserRateThrottle class.
Packt library subscribers can continue reading the book for free here. Django in Production by Arghya Saha was published in April 2024. You can read the first chapter for free and buy the book here!
🛠️ Useful Tools ⚒️
shorebird: A Flutter toolkit now in version 1.0, offering over-the-air updates, CodePush API interaction, and a suite of development tools to streamline app deployment and management.
Claude + E2B Code interpreter: a combination that leverages E2B's SDK to deploy secure cloud sandboxes for executing Jupyter notebooks via LLMs, enhanced with Firecracker for security and efficiency.
vlite: a blazing fast, lightweight vector database optimized with numpy and llama.cpp, featuring innovative OMOM file format for user context storage, and excelling in speed with binary embeddings and INT8 rescoring.
That’s all for today.
We have an entire range of newsletters with focused content for tech pros. Subscribe to the ones you find the most useful here. Complete ProgrammingPro archives can be found here. Complete PythonPro archives are here.
If your company is interested in reaching an audience of developers, software engineers, and tech decision makers, you may want to advertise with us.
If you have any comments or feedback, leave a comment below.