WIP: add support for ESI floating window rate limits

[joaomlneto]

This pull request introduces a new ESI (EVE Swagger Interface) status indicator and rate limit dashboard to the web app, along with the underlying hooks and schema logic to support real-time ESI rate limit and endpoint status monitoring. It also updates the ESI client code generation to use the latest OpenAPI specification and exposes additional hooks for infinite queries. The most important changes are grouped below.

ESI Client Code Generation and Exports:

• Updated the ESI client OpenAPI input to use the /meta/openapi.json endpoint with a compatibility date, ensuring up-to-date schema and rate limit metadata.
• Exposed additional generated hooks for infinite queries and the main client from the ESI client package entrypoint.

ESI Status Indicator and Dashboard Integration:

• Added a new EsiStatusIndicator component that displays ESI health status and opens a modal with the RateLimitDashboard on click, and integrated it into the main header (HeaderWithMegaMenus). [1] [2] [3] [4]
• Added a /rate-limits route and page which renders the RateLimitDashboard within the main layout. [1] [2]
• Added a button to the /status page to open the RateLimitDashboard in a modal for quick access. [1] [2] [3] [4]

ESI Rate Limit Monitoring Hooks and Schema:

• Implemented useEsiRateLimitSchema to fetch and parse ESI rate limit information from the OpenAPI spec, and register it with the client for use in dashboards and monitoring.
• Implemented useEsiRateLimitState hook to provide a real-time snapshot of current ESI rate limit state, using a subscription and polling mechanism for up-to-date UI.

• Update to use new OpenAPI schema (old Swagger schema url discontinued since 2025-07-07).
• ESI client: support request throttling.
• Integrate ESI client with client generation.
• React hooks to introspect client status
• Client: ESI client dashboard component (for observability)
• Indicator: ESI client 'health'
• ESI client parameterization (base url, user agent)
• Publish as package(s) to NPM

Closes #468

[vercel]

The latest updates on your projects. Learn more about Vercel for GitHub.

Project	Deployment	Actions	Updated (UTC)
jitaspace	Error		Feb 2, 2026 0:41am

[sonarqubecloud]

Quality Gate failed

Failed conditions
1 Security Hotspot

See analysis details on SonarQube Cloud

In general, the fix is to stop treating the URL as a plain string for trust decisions and instead parse it with URL, then compare the parsed origin (protocol + hostname + port) against a set of allowed ESI origins. We want to preserve existing behavior (normalizing ESI URLs to the “latest” base and ensuring trailing slashes) while making sure that only URLs genuinely targeting the configured ESI host are normalized.

Concretely, we should:

1. Parse value in normalizeEsiUrl using the URL constructor.
2. Similarly parse ESI_BASE_URL and ESI_LATEST_BASE_URL once and derive their origin values.
3. Replace the startsWith(ESI_BASE_URL) / startsWith(ESI_LATEST_BASE_URL) string checks with origin comparisons using the parsed URL objects.
4. When we rebuild the normalized URL, use the original pathname/query/search, but force the host/protocol from the trusted ESI base.

This preserves functionality: any URL whose origin matches the trusted ESI origin gets normalized to the latest base and trailing slash; all other URLs are left untouched. We only need modifications in packages/esi-client/src/client.ts around the helper functions and without adding new external dependencies; the standard URL class is already being used (parseUrlPath), so no new imports are needed.

---

In general, the fix is to stop using string prefix checks (startsWith) to decide whether a URL belongs to the trusted ESI endpoint and instead parse the URL and compare its origin/hostname against a trusted value. This avoids cases where an attacker can prepend a trusted prefix to an untrusted hostname (e.g., https://esi.evetech.net.evil.com) and still pass the check.

Concretely in packages/esi-client/src/client.ts, the problematic checks are:

• normalizeEsiUrl: if (!value.startsWith(ESI_BASE_URL)) return value;
• normalizeEsiRequestConfig: if (config.baseURL && config.baseURL.startsWith(ESI_BASE_URL)) { ... }

We should introduce a small helper that, given a URL string, parses it with the standard URL class and verifies that its origin (or at least protocol + hostname) exactly matches the expected ESI base origin. Then:

• In normalizeEsiUrl, replace the startsWith test with a call to this helper, and compute ESI_LATEST_BASE_URL conversion based on the parsed path instead of substring slicing against ESI_BASE_URL. This prevents a malicious URL that merely starts with the same characters from being handled as an ESI URL.
• In normalizeEsiRequestConfig, similarly replace the config.baseURL.startsWith(ESI_BASE_URL) condition with the helper so only URLs whose actual origin matches ESI are treated as ESI URLs.

We can implement this entirely within client.ts using the built‑in URL class (available in modern Node and browser environments) without new external libraries or changes to existing imports. The new helper will be defined near the existing URL utility functions (isAbsoluteUrl, ensureTrailingSlash, etc.) to keep the code cohesive. The rest of the logic—ensuring trailing slashes, preserving query strings, and handling ESI version prefixes—will remain the same for valid ESI URLs.

[Copilot]

Pull request overview

This pull request adds comprehensive ESI (EVE Swagger Interface) rate limiting support to the codebase, including a floating window rate limit implementation, real-time monitoring dashboard, and status indicators. The changes update the ESI client to use the new OpenAPI endpoint with compatibility date handling, implement client-side request throttling with token bucket algorithm, and provide UI components for observability.

Changes:

• Updated ESI client code generation to use the new /meta/openapi.json endpoint with compatibility date parameter
• Implemented comprehensive rate limiting logic with floating window algorithm, token reservation, and bucket management
• Added React hooks for monitoring rate limit state and schema
• Created a detailed rate limit dashboard UI component with live metrics and configuration display
• Integrated ESI status indicator in the main header with modal dashboard access

Reviewed changes

Copilot reviewed 12 out of 12 changed files in this pull request and generated 13 comments.

Show a summary per file

File	Description
packages/esi-client/kubb.config.ts	Updated OpenAPI input URL to use new meta endpoint with compatibility date
packages/esi-client/src/client.ts	Added comprehensive rate limiting implementation with token buckets, reservation system, and request throttling
packages/esi-client/src/index.ts	Exported client and infinite query hooks for external use
apps/web/lib/useEsiRateLimitState.ts	Created React hook for subscribing to real-time rate limit state with polling
apps/web/lib/useEsiRateLimitSchema.ts	Created React hook for fetching and registering rate limit schema from OpenAPI spec
apps/web/components/RateLimits/RateLimitDashboard.tsx	Built comprehensive dashboard UI for monitoring rate limits, buckets, and schema configuration
apps/web/components/EsiStatus/EsiStatusIndicator.tsx	Created status indicator component that displays ESI health and opens dashboard modal
apps/web/components/EsiStatus/index.ts	Added barrel export for ESI status components
apps/web/pages/status.tsx	Added rate limits button to open dashboard modal on status page
apps/web/app/rate-limits/page.tsx	Created dedicated rate limits page
apps/web/app/rate-limits/layout.tsx	Added layout for rate limits route
apps/web/layouts/MainLayout/HeaderWithMegaMenus/HeaderWithMegaMenus.tsx	Integrated ESI status indicator in main header

---

💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.

[Copilot]

The ESI compatibility date "2025-12-16" is duplicated between packages/esi-client/kubb.config.ts (line 8) and apps/web/lib/useEsiRateLimitSchema.ts (line 8). This creates a maintenance issue where the two values could diverge. Consider extracting this constant to a shared location or configuration file that both files can import, or at minimum, add comments indicating that these values must be kept in sync.

Suggested change

	// NOTE: This compatibility date must be kept in sync with the value in
	// packages/esi-client/kubb.config.ts (see CodeQL rule about duplicated ESI compatibility date).

[Copilot]

The function pruneBucket removes expired entries based on entry.timestamp <= cutoff. This condition uses less-than-or-equal-to, which means entries exactly at the cutoff boundary (timestamp equals now - windowMs) are removed. Since the window should typically include entries from (now - windowMs, now] (exclusive on the left, inclusive on the right), the condition should be strictly less-than (<) instead of less-than-or-equal-to (<=) to avoid prematurely removing entries that are still within the window.

Suggested change

	while (bucket.entries.length > 0 && bucket.entries[0].timestamp <= cutoff) {
	while (bucket.entries.length > 0 && bucket.entries[0].timestamp < cutoff) {

[Copilot]

The hook useEsiRateLimitState uses both useSyncExternalStore for subscription-based updates and a separate setInterval for polling (lines 41-48). However, the polling mechanism only calls refreshSnapshot() and setTick(), which doesn't trigger the external store's subscribers. The setTick state update forces a re-render, but this creates an inconsistent pattern. The snapshot returned from useSyncExternalStore (line 34-38) won't be updated by the polling interval - only by the subscription. Either the polling should be removed (relying only on subscriptions), or the polling should call the subscribers via notifyRateLimitSubscribers() instead of using a separate state update mechanism.

[Copilot]

The useEsiRateLimitSchema hook returns useMemo(() => state, [state]) on line 191. Since state is already a stable object from useState, wrapping it in useMemo with state as a dependency doesn't provide any benefit - it will return a new memoized value every time state changes anyway. This line should just return state directly, or if memoization of derived values is needed, it should memoize specific computed properties rather than the entire state object.

[Copilot]

The rate limiting logic uses global shared state (rateLimitBuckets, rateLimitGroups, rateLimitRoutes) without any concurrency control mechanism. In a concurrent environment (e.g., when multiple requests are made simultaneously), this can lead to race conditions. For example, two requests could both call reserveTokens at nearly the same time, both see available tokens, and both reserve tokens, potentially exceeding the effective limit. Similarly, the pruneBucket and token adjustment operations could have race conditions. Consider using a locking mechanism or restructuring the code to handle concurrent access safely, or document that this implementation is only safe for single-threaded JavaScript environments.

[Copilot]

The token cost function getTokenCostForStatus returns hardcoded values (2 for 2xx, 1 for 3xx, 5 for 4xx except 429, 0 for 5xx and 429). These values appear to be assumptions about ESI's rate limiting cost per status code. However, there's no documentation or comment explaining why these specific values are used, and whether they are based on ESI's actual behavior or are estimates. If ESI provides actual token cost information in response headers, that should be used instead of these hardcoded values. If these are intentional defaults, they should be documented with a comment explaining the rationale.

[Copilot]

The useEsiRateLimitSchema hook is called with an empty object {} as an argument on line 66, but looking at the hook definition, it doesn't accept any parameters (it's defined as useEsiRateLimitSchema(): RateLimitSchemaState). This empty object argument is unnecessary and should be removed.

Suggested change

	const schema = useEsiRateLimitSchema({});
	const schema = useEsiRateLimitSchema();

[Copilot]

The EsiStatusIndicator component is wrapped in memo() but doesn't have a display name set. This makes debugging more difficult as React DevTools will show it as Memo(Component) instead of a meaningful name. Consider adding EsiStatusIndicator.displayName = 'EsiStatusIndicator' after the component definition.

Suggested change

	});
	});
	EsiStatusIndicator.displayName = "EsiStatusIndicator";

[Copilot]

The ensureTrailingSlash function splits on ? to separate path and query string, but doesn't handle URLs with hash fragments (#). If a URL contains a hash fragment (e.g., /path#fragment or /path?query#fragment), the fragment will be included in the query variable or lost. While this might not be an issue for ESI API calls (which typically don't use fragments), it could lead to unexpected behavior if used with such URLs. Consider handling hash fragments explicitly or documenting that this function doesn't support them.

Suggested change

	const [path, query] = value.split("?");
	if (path.endsWith("/")) return value;
	const withSlash = `${path}/`;
	return query ? `${withSlash}?${query}` : withSlash;
	const hashIndex = value.indexOf("#");
	const hash = hashIndex >= 0 ? value.slice(hashIndex) : "";
	const withoutHash = hashIndex >= 0 ? value.slice(0, hashIndex) : value;
	const [path, query] = withoutHash.split("?");
	if (path.endsWith("/")) return value;
	const withSlash = `${path}/`;
	const withSlashAndQuery = query ? `${withSlash}?${query}` : withSlash;
	return `${withSlashAndQuery}${hash}`;

[Copilot]

In applyRateLimitResponse, lines 959-965 check if response.status === 429 and the bucket group matches to apply server retry-after. However, this code is redundant because the same check is already performed on lines 954-956 when the reservation bucket matches the resolved group. The condition on line 962 (context.reservation.bucket.group === resolvedGroup) was already true in the if-block at line 911-924, so this additional check will never execute any new logic. This redundant code should be removed.

Suggested change

	if (
	response.status === 429 &&
	context.reservation &&
	context.reservation.bucket.group === resolvedGroup
	) {
	applyServerRetryAfter(context.reservation.bucket, response.headers, now);
	}