Skip to content

Teja079/Rate-Limiter--.NET-

BranchesTags

Repository files navigation

Dotnet-RateLimiter

A .NET 10 API demonstrating multiple rate limiting strategies, including a distributed implementation backed by Redis.

What's in here

The project implements five rate limiting approaches:

  • Fixed Window — allows N requests per time window, resets at the end of each window
  • Sliding Window — same as fixed, but the window rolls with time to smooth out edge-case bursts
  • Token Bucket — requests consume tokens; tokens refill at a set rate, allowing short bursts
  • Concurrency Limiter — caps how many requests can be in-flight at once, regardless of time
  • Distributed Fixed Window (Redis + Lua) — same as fixed window but the counter lives in Redis, so it works correctly across multiple API instances

The Redis strategy uses a Lua script to atomically increment and check the counter in a single Redis call, which avoids race conditions that would occur if you did a separate read and write.

Identity resolution

The middleware checks whether the incoming request is authenticated:

  • Authenticated users — keyed by the NameIdentifier claim (or Identity.Name as fallback)
  • Anonymous users — keyed by remote IP address

Rate limit keys are scoped to {userType}:{identity}:{path}, so limits are per-endpoint, not global.

Running locally

Requires Docker.

docker-compose up --build -d

This starts:

  • The API on http://localhost:8080
  • Redis on port 6379
  • RedisInsight (Redis GUI) on http://localhost:8001

Health check UI is at http://localhost:8080/health-ui.

Test endpoints

All endpoints are under /test:

Endpoint Strategy Limit
GET /test/fixedwindow Fixed Window 5 req / 5s
GET /test/slidingwindow Sliding Window 5 req / 10s
GET /test/concurrency Concurrency 7 concurrent
GET /test/bucket Token Bucket 5 tokens, 3/5s refill
GET /test/limited Redis (distributed) 2 req / 10s
GET /test/unlimited None

Using the Redis attribute

Apply [RedisRateLimit] to any controller action:

[HttpGet("example")]
[RedisRateLimit(maxRequests: 10, windowSeconds: 60)]
public IActionResult Get() => Ok("rate limited");

The middleware picks this up automatically. No other configuration needed.

Tests

dotnet test

The test project covers middleware identity resolution and key generation logic.

Tech

  • .NET 10
  • StackExchange.Redis
  • AspNetCore.HealthChecks
  • xUnit

About

No description, website, or topics provided.

Resources

Readme
Activity

Stars

0 stars

Watchers

1 watching

Forks

0 forks
Report repository

Releases

No releases published

Packages

 
 
 

Contributors

Languages