
feat(server): add rate limiting middleware#17

Merged: jgpruitt merged 1 commit into main from feature/server-rate-limit on Apr 7, 2026

Conversation

jgpruitt (Collaborator) commented Apr 7, 2026

Summary

  • Implement IP-based rate limiting middleware using sliding window algorithm
  • Three limit tiers for different endpoint types
  • In-memory storage suitable for single-instance deployment

Changes

New file: packages/server/middleware/rate-limit.ts

Rate Limit Tiers:

Tier         Max Requests   Window   Endpoints
general      100            60 sec   /api/v1/accounts/rpc, /api/v1/engine/rpc
auth         20             60 sec   /api/v1/auth/* (except device/token)
devicePoll   10             60 sec   /api/v1/auth/device/token

Features:

  • getClientIp() - Extracts IP from proxy headers (X-Forwarded-For, X-Real-IP, CF-Connecting-IP, Fly-Client-IP)
  • getLimitType() - Determines rate limit tier based on path
  • checkLimit() - Core sliding window algorithm
  • checkRateLimit() - Main middleware function
  • cleanupExpiredEntries() - Periodic cleanup to prevent memory growth
  • Health endpoint (/health) exempt from rate limiting

New file: packages/server/middleware/rate-limit.test.ts

29 tests covering:

  • IP extraction from various proxy headers
  • Limit type detection
  • Sliding window algorithm
  • Different limit tiers
  • Store management functions

Updated: packages/server/middleware/index.ts

Added exports for all rate limiting functions and types.

Testing

All 263 tests pass (29 new + 234 existing).

Notes

  • In-memory storage is suitable for single-instance deployment
  • For multi-instance (clustered) deployment, can be upgraded to Redis
  • Limits can be overridden via constructor parameter for testing

- Implement sliding window rate limiter with in-memory storage
- Three limit tiers: general (100/min), auth (20/min), devicePoll (10/min)
- Extract client IP from X-Forwarded-For, X-Real-IP, CF-Connecting-IP, Fly-Client-IP
- Health endpoint exempt from rate limiting
- Store cleanup function for preventing memory growth
- 29 tests covering all functionality
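The following is an added illustration of the mechanism the description outlines, not the project's rate-limit.ts: a sliding-window limiter keyed by client IP with the three tiers from the table, tier selection by path, proxy-header IP extraction, and a cleanup pass. The function and class names, the trustProxy option and the in-memory store layout are assumptions made for this example; the limits and header names are the ones the PR lists.

```typescript
// Added example (not the project's code). Names, the trustProxy option and the
// store layout are assumptions; limits and header names come from the PR text.

type LimitType = "general" | "auth" | "devicePoll";

interface LimitConfig { maxRequests: number; windowMs: number; }

// Tiers from the PR table: 100/min, 20/min, 10/min.
const DEFAULT_LIMITS: Record<LimitType, LimitConfig> = {
  general: { maxRequests: 100, windowMs: 60_000 },
  auth: { maxRequests: 20, windowMs: 60_000 },
  devicePoll: { maxRequests: 10, windowMs: 60_000 },
};

interface RateLimitResult { allowed: boolean; remaining: number; retryAfterMs: number; }

// Path -> tier, per the PR table. /health is exempt and is skipped by the caller.
function getLimitType(path: string): LimitType {
  if (path === "/api/v1/auth/device/token") return "devicePoll";
  if (path.startsWith("/api/v1/auth/")) return "auth";
  return "general";
}

// Proxy headers listed in the PR. Any client can set these headers itself, so
// they are only consulted when the connection arrived via a trusted reverse
// proxy (trustProxy); otherwise the socket address is the only reliable key.
function getClientIp(
  headers: Record<string, string | undefined>,
  socketAddr: string,
  trustProxy: boolean,
): string {
  if (!trustProxy) return socketAddr;
  const xff = headers["x-forwarded-for"];
  if (xff) {
    const first = xff.split(",")[0].trim(); // leftmost entry = original client
    if (first) return first;
  }
  for (const name of ["x-real-ip", "cf-connecting-ip", "fly-client-ip"]) {
    const v = headers[name]?.trim();
    if (v) return v;
  }
  return socketAddr;
}

class SlidingWindowLimiter {
  // key "<tier>:<ip>" -> timestamps (ms) of requests still inside the window
  private store = new Map<string, number[]>();

  // Limits can be overridden (e.g. for tests), as the PR notes.
  constructor(private limits: Record<LimitType, LimitConfig> = DEFAULT_LIMITS) {}

  // Sliding window: discard timestamps older than the window, then compare the
  // remaining count against the tier's cap. `now` is injectable for testing.
  checkLimit(ip: string, type: LimitType, now: number = Date.now()): RateLimitResult {
    const { maxRequests, windowMs } = this.limits[type];
    const key = `${type}:${ip}`;
    const hits = (this.store.get(key) ?? []).filter((t) => now - t < windowMs);
    if (hits.length >= maxRequests) {
      this.store.set(key, hits);
      // The oldest hit still in the window decides when the next slot frees up.
      return { allowed: false, remaining: 0, retryAfterMs: hits[0] + windowMs - now };
    }
    hits.push(now);
    this.store.set(key, hits);
    return { allowed: true, remaining: maxRequests - hits.length, retryAfterMs: 0 };
  }

  // Periodic cleanup: drop keys whose every timestamp has aged out of its window.
  // Returns the number of keys removed.
  cleanupExpiredEntries(now: number = Date.now()): number {
    let removed = 0;
    for (const [key, hits] of Array.from(this.store.entries())) {
      const type = key.split(":")[0] as LimitType; // tier precedes the first ':'
      const { windowMs } = this.limits[type];
      if (hits.every((t) => now - t >= windowMs)) {
        this.store.delete(key);
        removed++;
      }
    }
    return removed;
  }

  size(): number { return this.store.size; }
}
```

The trustProxy switch is the check worth carrying into a real deployment: if the limiter keys on X-Forwarded-For for connections that did not pass through the proxy, the key is chosen by the requester rather than by the network, and the per-IP limit no longer bounds anything. Behind a single known proxy the leftmost X-Forwarded-For entry is the client; with several proxy hops, the entry to trust is the one appended by the last hop you control.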
@jgpruitt jgpruitt merged commit 53c59ac into main Apr 7, 2026
3 checks passed
@jgpruitt jgpruitt deleted the feature/server-rate-limit branch April 7, 2026 20:42