Remove previously added rate limit for anon api

warwickschroeder · jasontaylordev · commit c33330283c76 · 2025-12-05T11:41:28.000+10:00
diff --git a/src/ServiceControl/Authentication/AuthenticationController.cs b/src/ServiceControl/Authentication/AuthenticationController.cs
@@ -2,17 +2,14 @@
 {
     using Microsoft.AspNetCore.Authorization;
     using Microsoft.AspNetCore.Mvc;
-    using Microsoft.AspNetCore.RateLimiting;
     using ServiceBus.Management.Infrastructure.Settings;
-    using ServiceControl.Infrastructure.WebApi;
 
     [ApiController]
     [Route("api/authentication")]
     public class AuthenticationController(Settings settings) : ControllerBase
     {
         [HttpGet]
         [AllowAnonymous]
-        [EnableRateLimiting(HostApplicationBuilderExtensions.AuthConfigRateLimitPolicy)]
         [Route("configuration")]
         public ActionResult<AuthConfig> Configuration()
         {
diff --git a/src/ServiceControl/Infrastructure/WebApi/HostApplicationBuilderExtensions.cs b/src/ServiceControl/Infrastructure/WebApi/HostApplicationBuilderExtensions.cs
@@ -1,12 +1,9 @@
 ﻿namespace ServiceControl.Infrastructure.WebApi
 {
-    using System;
     using System.Linq;
     using System.Reflection;
-    using System.Threading.RateLimiting;
     using CompositeViews.Messages;
     using Microsoft.AspNetCore.Builder;
-    using Microsoft.AspNetCore.RateLimiting;
     using Microsoft.Extensions.DependencyInjection;
     using Microsoft.Extensions.DependencyInjection.Extensions;
     using Microsoft.Extensions.Hosting;
@@ -15,8 +12,6 @@
 
     static class HostApplicationBuilderExtensions
     {
-        public const string AuthConfigRateLimitPolicy = "AuthConfigRateLimit";
-
         public static void AddServiceControlApi(this IHostApplicationBuilder builder, CorsSettings corsSettings)
         {
             // This registers concrete classes that implement IApi. Currently it is hard to find out to what
@@ -27,19 +22,6 @@ public static void AddServiceControlApi(this IHostApplicationBuilder builder, Co
 
             builder.Services.AddCors(options => options.AddDefaultPolicy(Cors.GetDefaultPolicy(corsSettings)));
 
-            // Rate limiting for sensitive endpoints to prevent enumeration attacks
-            builder.Services.AddRateLimiter(options =>
-            {
-                options.AddFixedWindowLimiter(AuthConfigRateLimitPolicy, limiterOptions =>
-                {
-                    limiterOptions.PermitLimit = 10;
-                    limiterOptions.Window = TimeSpan.FromMinutes(1);
-                    limiterOptions.QueueProcessingOrder = QueueProcessingOrder.OldestFirst;
-                    limiterOptions.QueueLimit = 2;
-                });
-                options.RejectionStatusCode = 429;
-            });
-
             // We're not explicitly adding Gzip here because it's already in the default list of supported compressors
             builder.Services.AddResponseCompression();
             var controllers = builder.Services.AddControllers(options =>

Original file line number	Diff line number	Diff line change
`@@ -2,17 +2,14 @@`
`2`	`2`	`{`
`3`	`3`	`using Microsoft.AspNetCore.Authorization;`
`4`	`4`	`using Microsoft.AspNetCore.Mvc;`
`5`		`- using Microsoft.AspNetCore.RateLimiting;`
`6`	`5`	`using ServiceBus.Management.Infrastructure.Settings;`
`7`		`- using ServiceControl.Infrastructure.WebApi;`
`8`	`6`
`9`	`7`	`[ApiController]`
`10`	`8`	`[Route("api/authentication")]`
`11`	`9`	`public class AuthenticationController(Settings settings) : ControllerBase`
`12`	`10`	`{`
`13`	`11`	`[HttpGet]`
`14`	`12`	`[AllowAnonymous]`
`15`		`- [EnableRateLimiting(HostApplicationBuilderExtensions.AuthConfigRateLimitPolicy)]`
`16`	`13`	`[Route("configuration")]`
`17`	`14`	`public ActionResult<AuthConfig> Configuration()`
`18`	`15`	`{`