Feature rate limiting #30

Merged
merged 21 commits into from
Jul 29, 2025

@fulleni fulleni commented Jul 29, 2025

Status

READY/IN DEVELOPMENT/HOLD

Description

Type of Change

  • ✨ New feature (non-breaking change which adds functionality)
  • 🛠️ Bug fix (non-breaking change which fixes an issue)
  • ❌ Breaking change (fix or feature that would cause existing functionality to change)
  • 🧹 Code refactor
  • ✅ Build configuration change
  • 📝 Documentation
  • 🗑️ Chore

fulleni added 21 commits July 29, 2025 17:52
- Define RateLimitService abstract class with checkRequest and dispose methods
- Implement rate limiting logic to prevent abuse of sensitive or expensive endpoints
- Use unique key (e.g., IP address) to track and limit requests
- Throw ForbiddenException when rate limit is exceeded
- Provide flexibility for different rate limiting strategies in implementations
- Add MongoDbRateLimitService class implementing RateLimitService interface
- Use MongoDB TTL index for efficient automatic purging of old records
- Implement checkRequest method with counting and limiting logic
- Add error handling and logging
- Add RateLimitService interface
- Implement MongoDbRateLimitService
- Integrate RateLimitService into AppDependencies
- Update dependency initialization and disposal
- Add TTL index for automatic document expiration in rate limit attempts collection
- Add key index for faster lookups in rate limit attempts collection
- Implement indexing in the DatabaseSeedingService
- Add rateLimiter middleware function to enforce rate limiting on routes
- Include ipKeyExtractor for IP-based rate limiting
- Implement _getIpAddress to extract client's IP address from request
- Add RateLimitService for tracking and limiting requests
- Add special case for ForbiddenException containing 'too many requests'
- Map to 429 Too Many Requests status code for rate limiting errors
- Import RateLimitService from services package
- Add RateLimitService to the middleware chain using provider
- Implement rate limiting middleware for the /request-code endpoint
- Allow up to 3 requests per IP address every 24 hours
- Use ipKeyExtractor for rate limiting key generation
- Refactor handler logic to include rate limiting
- Add new environment variables for rate limiting configuration
- Include settings for /auth/request-code and /data API endpoints
- Specify limit and time window for each endpoint
- Introduce new environment variables for request-code and data API rate limiting
- Implement getters for rate limit parameters with default values
- Add documentation for new configuration options
…e limiting

- Rename request-code.dart to index.dart for better modularity
- Implement rate limiting middleware directly in the handler
- Improve code structure and prepare for additional endpoint implementations
- Implement rate limiting specifically for the `/api/v1/auth/request-code` endpoint
- Use custom rate limit configuration from EnvironmentConfig
- Apply rateLimiter middleware with ipKeyExtractor for key generation
- Reduced the whitespace between blocks in the `onRequest` function
- Improved code readability and formatting without changing functionality
- Add new permission 'rate_limiting.bypass' to permissions.dart
- Grant this new permission to dashboard publisher and admin roles in role_permissions.dart
- Add rate limiting middleware for /api/v1/data routes
- Implement bypass permission for rate limiting
- Configure rate limit using environment variables
- Update middleware documentation and comments
- Removed detailed documentation from _middleware.dart file
- Kept existing middleware functions intact
- Add explanation for optional rate limiting configuration
- Provide default values and units for rate limit settings
- Improve clarity on purpose and usage of rate limiting options
- Add information about built-in API rate limiting to README.md
- Highlight protection against abuse and denial-of-service attacks
- Mention configurable, user-aware limits and trusted role bypass
- Emphasize stability and cost prevention benefits
- Change default JWT expiry hours from 1 hour to 720 hours (1 month)
- Modify the fallback value in int.tryParse from '1' to '720'
- This change affects the jwtExpiryDuration getter in EnvironmentConfig class
- Change JWT_EXPIRY_HOURS default from 1 hour to 720 hours (1 month)
- Update ADMIN OVERRIDE to REQUIRED for the single administrator account setting
- Clarify optional rate limit configuration for API endpoints
@fulleni fulleni merged commit fa72373 into main Jul 29, 2025
1 check failed
@fulleni fulleni deleted the feature_rate_limiting branch July 29, 2025 17:55
@gemini-code-assist gemini-code-assist bot left a comment

Summary of Changes

Hello @fulleni, I'm Gemini Code Assist! I'm currently reviewing this pull request and will post my feedback shortly. In the meantime, here's a summary to help you and other reviewers quickly get up to speed!

This pull request introduces a comprehensive API rate limiting feature to enhance the security and stability of the application. It provides a flexible, configurable mechanism to prevent abuse of key endpoints, integrating seamlessly with existing middleware and role-based access controls.

Highlights

  • Core Feature: API Rate Limiting: Implemented a robust, configurable API rate limiting system to protect critical endpoints from abuse. This includes a new RateLimitService interface and a MongoDB-backed implementation (MongoDbRateLimitService) that leverages TTL indexes for efficient record management.
  • Configurable Limits: Introduced new environment variables (RATE_LIMIT_REQUEST_CODE_LIMIT, RATE_LIMIT_REQUEST_CODE_WINDOW_HOURS, RATE_LIMIT_DATA_API_LIMIT, RATE_LIMIT_DATA_API_WINDOW_MINUTES) to allow administrators to easily configure rate limits for the /auth/request-code and generic /data API endpoints.
  • Middleware Integration: Developed a generic rateLimiter middleware that can be applied to any route. This middleware is specifically integrated into the /auth/request-code endpoint (IP-based limiting) and the /api/v1/data endpoints (user-ID based limiting for authenticated users).
  • Role-Based Bypass: Added a new rate_limiting.bypass permission, which is granted to admin and publisher roles. This ensures that dashboard users with these roles are not subjected to rate limits, preventing disruption to their administrative tasks.
  • Improved Error Handling: Enhanced the global error handler to correctly map rate limit exceeded errors (specifically ForbiddenException with a 'too many requests' message) to an HTTP 429 (Too Many Requests) status code, providing clearer feedback to clients.

@gemini-code-assist gemini-code-assist bot left a comment

Code Review

This pull request introduces a robust, configurable rate-limiting feature for the API, which is a great addition for security and stability. The implementation is clean, leveraging middleware and a dedicated service. My review focuses on a few key areas to enhance the new functionality:

  • Improving the robustness of error handling by using type-safe custom exceptions instead of string matching.
  • Correcting a logic bug in an environment variable fallback value.
  • Increasing code clarity by removing a redundant permission entry.

These changes will make the new feature more reliable and easier to maintain. Overall, this is a well-executed feature.
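
The first review point and the commit list above describe counting requests per key inside a time window and mapping the resulting error to HTTP 429. The Dart sketch below is an added example, not code from this pull request or its repository: it raises a dedicated exception type so the error handler matches on type instead of on the 'too many requests' message text. The class names, the `checkRequest` signature, the `statusFor` helper and the 500 fallback are assumptions, and an in-memory map stands in for the MongoDB collection and its TTL index.

```dart
// Added example, not code from this pull request. Names and signatures are
// assumptions; a map stands in for the MongoDB collection and its TTL index.

/// Dedicated exception type, so the error handler never inspects messages.
class RateLimitExceededException implements Exception {
  RateLimitExceededException(this.retryAfter);
  final Duration retryAfter;
}

class InMemoryRateLimitService {
  InMemoryRateLimitService({DateTime Function()? clock})
      : _now = clock ?? (() => DateTime.now());
  final DateTime Function() _now;
  final Map<String, List<DateTime>> _attempts = {};

  /// Records one attempt for [key]; throws once [limit] attempts
  /// already exist inside [window].
  void checkRequest(String key, {required int limit, required Duration window}) {
    final now = _now();
    final cutoff = now.subtract(window);
    final recent = _attempts.putIfAbsent(key, () => [])
      ..removeWhere((t) => !t.isAfter(cutoff)); // what the TTL index purges
    if (recent.length >= limit) {
      // The oldest surviving attempt decides when a slot frees up.
      throw RateLimitExceededException(recent.first.add(window).difference(now));
    }
    recent.add(now);
  }
}

/// Maps exceptions to HTTP status codes by type, not by message text.
int statusFor(Object error) =>
    error is RateLimitExceededException ? 429 : 500;

void main() {
  var now = DateTime.utc(2025, 7, 29, 12); // constructed clock for the demo
  final service = InMemoryRateLimitService(clock: () => now);
  const window = Duration(hours: 24);
  for (var i = 1; i <= 4; i++) {
    try {
      // Constructed key from a documentation address range.
      service.checkRequest('203.0.113.7', limit: 3, window: window);
      print('request $i: allowed');
    } on RateLimitExceededException catch (e) {
      print('request $i: ${statusFor(e)}, retry in ${e.retryAfter.inHours}h');
    }
    now = now.add(const Duration(hours: 1));
  }
}
```

Carrying `retryAfter` on the exception also lets the handler populate a `Retry-After` response header without parsing anything out of a message string.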
