Skip to content

feat(api): add configurable per-IP rate limiting#12

Merged
skylenet merged 1 commit into
masterfrom
api-rate-limit
Jan 12, 2026
Merged

feat(api): add configurable per-IP rate limiting#12
skylenet merged 1 commit into
masterfrom
api-rate-limit

Conversation

@skylenet
Copy link
Copy Markdown
Member

@skylenet skylenet commented Jan 12, 2026
edited
Loading

Summary

  • Add IP-based rate limiting middleware with configurable limits per endpoint tier
  • Rate limiting is disabled by default and opt-in via configuration
  • Updates OpenAPI documentation with rate limit info and 429 responses

Rate Limit Tiers

Tier Endpoints Default Limit Purpose
Auth /auth/login, /auth/github, /auth/exchange 10 req/min Brute force protection
Public /health, /metrics, /openapi.json 60 req/min Moderate protection
Authenticated All /api/v1/* protected routes 120 req/min Relaxed for trusted users

Configuration

server:
  rate_limit:
    enabled: true
    auth:
      requests_per_minute: 10
    public:
      requests_per_minute: 60
    authenticated:
      requests_per_minute: 120

Implementation Details

  • Uses golang.org/x/time/rate token bucket algorithm
  • Per-IP tracking with automatic cleanup of stale entries (every 10 minutes)
  • Returns HTTP 429 with Retry-After header when limit exceeded
  • Chi's RealIP middleware extracts client IP from X-Forwarded-For/X-Real-IP headers

Test plan

  • Build passes
  • Test with rate limiting disabled (default) - no rate limiting applied
  • Test auth endpoint rate limit: for i in {1..15}; do curl -X POST localhost:9090/api/v1/auth/login; done
  • Test public endpoint rate limit: for i in {1..65}; do curl localhost:9090/health; done
  • Verify 429 response includes Retry-After header
  • Verify OpenAPI docs show rate limit info and 429 responses

@skylenet
feat(api): add configurable per-IP rate limiting
0e126cc 
Add IP-based rate limiting with configurable limits for three tiers:
- Auth endpoints (/auth/*): 10 req/min default (brute force protection)
- Public endpoints (/health, /metrics): 60 req/min default
- Authenticated endpoints (/api/v1/*): 120 req/min default

Rate limiting is disabled by default and can be enabled via config:

  server:
    rate_limit:
      enabled: true
      auth:
        requests_per_minute: 10
      public:
        requests_per_minute: 60
      authenticated:
        requests_per_minute: 120

Also updates OpenAPI documentation with rate limit info and 429 responses.
@skylenet skylenet merged commit d6f26a3 into master Jan 12, 2026
5 of 7 checks passed
@skylenet skylenet deleted the api-rate-limit branch January 12, 2026 15:30
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

No reviews

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

1 participant

@skylenet