Allow Configurable Rate-Limit Key Derivation in RateLimiter Middleware #2896

@thzgajendra

Problem Statement

The current RateLimiter middleware in gofr supports request limiting primarily based on IP address (PerIP flag).
While this works well for generic APIs, it is not sufficient for authentication and identity-based use cases such as:

  • Login attempts per email
  • OTP validation per user ID
  • Password reset attempts per account
  • API throttling per API key / tenant / user

At the moment, developers cannot easily apply rate limiting on identifiers other than IP without writing custom middleware or duplicating logic.


Current Limitation

RateLimiterConfig{
    RequestsPerSecond: 5,
    Burst:             10,
    PerIP:             true,
}
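
One way the requested key derivation could look, as an added example that is not part of the original issue and not gofr's code. `KeyFunc`, `PerLoginKey`, `NewLimiter` and the `email` form field are hypothetical names, and the limiter is a standard-library stand-in for the middleware's own.

```go
package main

import (
	"fmt"
	"net"
	"net/http"
	"net/url"
	"strings"
	"sync"
	"time"
)

// KeyFunc is a hypothetical hook (not gofr's API): it derives the bucket key.
type KeyFunc func(*http.Request) string

// PerLoginKey keys on the normalized email. Without one it falls back to the
// peer IP (the per-IP behaviour), so omitting the field is not a bypass.
func PerLoginKey(r *http.Request) string {
	if e := strings.ToLower(strings.TrimSpace(r.FormValue("email"))); e != "" {
		return "login:" + e
	}
	host, _, _ := net.SplitHostPort(r.RemoteAddr) // port dropped: it changes per connection
	return "ip:" + host
}

// NewLimiter allows burst requests at once, then one per "every", per derived key.
func NewLimiter(every time.Duration, burst int, keyOf KeyFunc) func(*http.Request, time.Time) bool {
	var mu sync.Mutex
	next := map[string]time.Time{} // per key: when its spent budget is repaid
	return func(r *http.Request, now time.Time) bool {
		k := keyOf(r)
		mu.Lock()
		defer mu.Unlock()
		t := next[k]
		if t.Before(now) {
			t = now
		}
		if t = t.Add(every); t.Sub(now) > time.Duration(burst)*every {
			return false
		}
		next[k] = t
		return true
	}
}

func main() { // constructed sample request; the address is a documentation range
	allow := NewLimiter(time.Second, 2, PerLoginKey)
	r := &http.Request{RemoteAddr: "192.0.2.7:4000", Form: url.Values{"email": {"a@example.test"}}}
	fmt.Println(allow(r, time.Now()), allow(r, time.Now()), allow(r, time.Now()))
}
```

Because the identifier is caller-supplied, the key space is unbounded, so a real middleware needs eviction of idle keys, and a per-account limit is usually combined with the per-IP one rather than replacing it.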

Labels: Service (Related to external http, grpc communication, middlewares etc.), enhancement (New feature or request)
