feat: add per-user REST rate limiting middleware#341
Merged
greatest0fallt1me merged 2 commits intoMay 27, 2026
Merged
Conversation
|
@David-patrick-chuks Great news! 🎉 Based on an automated assessment of this PR, the linked Wave issue(s) no longer count against your application limits. You can now already apply to more issues while waiting for a review of this PR. Keep up the great work! 🚀 |
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Overview
This PR adds a per-user global REST rate limiting middleware for the authenticated API surface, separate from the existing gateway token-bucket limiter. It limits authenticated requests by user id, falls back to IP-based limiting for unauthenticated traffic, and returns
429responses withRetry-Afterheaders to reduce abuse on/api/billing,/api/usage,/api/developers,/api/vault, and/api/keys.Related Issue
Closes #316
Changes
⚙️ REST Rate Limiting Middleware
[ADD]
src/middleware/restRateLimit.tsAdded a dedicated in-memory REST rate limiter separate from the gateway limiter.
Limits requests per authenticated user id.
Falls back to client IP when no authenticated user id can be resolved.
Returns
429 Too Many RequestswithRetry-After.Uses
TooManyRequestsErrorfromsrc/errors/index.ts.[MODIFY]
src/middleware/requireAuth.tsExtracted shared request identity resolution logic so rate limiting and auth use the same user-id derivation rules.
Preserves existing JWT and
x-user-idauth behavior while enabling secure pre-auth rate-limit keying.🌐 API Surface Wiring
[MODIFY]
src/app.tsMounted the REST rate limiter on authenticated REST areas:
/api/usage/api/developers/api/vault/api/keysInjected the same limiter into
/api/billing.[MODIFY]
src/routes/index.tsAdded router factory support so the billing router can receive the REST rate limiter without affecting public routes like
/api/healthand/api/apis.🧪 Tests
[ADD]
src/middleware/restRateLimit.test.tsAdded coverage for:
429responses withRetry-After[MODIFY]
src/config/env.test.tsAdded env-schema coverage for REST rate-limit defaults and validation.
[MODIFY]
src/config/index.test.tsAdded config export coverage for REST rate-limit settings.
🔧 Configuration
[MODIFY]
src/config/env.tsAdded:
REST_RATE_LIMIT_WINDOW_MSREST_RATE_LIMIT_MAX_REQUESTS[MODIFY]
src/config/index.tsExposed parsed REST rate-limit config to application code.
[MODIFY]
.env.exampleDocumented the new REST rate-limit environment variables.
📘 Documentation
README.mdVerification Results
429withRetry-AfterHow to Test
Screenshots
✅ Middleware tests pass
A screenshot of:
npm test -- src/middleware✅ Focused REST rate limiter test passes
A screenshot of:
✅ Typecheck passes
A screenshot of: