Open
- Global rate limit: 100 requests/min per IP
- Per-user rate limit: 200 requests/min per authenticated user
- Token bucket algorithm for precise rate limiting
- In-memory storage with automatic cleanup
- Returns 429 with Retry-After header
- Comprehensive documentation and test coverage
- Includes IP extraction, JWT user ID parsing
- Non-blocking for gateway operations
Contributor
Please resolve the conflicts.
Contributor
@Samaro1 Can you resolve the conflicts?
Implements REST API rate limiting for the Callora backend using a two-tier model:
- Global per-IP limit (100 req/min)
- Per-user limit for authenticated routes (200 req/min)
This is independent of the existing gateway per-key limits.

What’s Included

Rate Limiting Logic
- Token bucket algorithm for accurate request control
- In-memory store with:
  - Cleanup every 5 minutes
  - 30-minute TTL for inactive entries
  - Sub-millisecond evaluation time

Middleware
- globalRateLimit() → applied to all routes (IP-based)
- perUserRateLimit() → applied to authenticated routes (JWT sub claim)
- Proper IP resolution:
  - X-Forwarded-For
  - X-Real-IP
  - Fallback to socket address

Headers
All successful responses include:
- X-RateLimit-Limit
- X-RateLimit-Remaining
Rate-limited responses (429) include:
- Retry-After
- JSON body:

    {
      "error": "Too Many Requests",
      "message": "Rate limit exceeded. Maximum 100 requests per minute per IP.",
      "retryAfter": 45
    }

Testing
31 tests (all passing):
- Token bucket correctness
- Isolation between global and per-user limits
- Header validation
- Middleware integration coverage

Run:

    npm test

Configuration (Defaults)
- Global: 100 requests/minute per IP
- Per-user: 200 requests/minute per user
- Window: 60 seconds
- Cleanup: 5 minutes
- Entry TTL: 30 minutes

Configurable via:

    const rateLimiter = new RateLimiter(
      { windowMs: 60000, maxRequests: 150 },
      { windowMs: 60000, maxRequests: 300 }
    );

Closes #60
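An added example, not the Callora project's code, showing the pieces the description above lists: a token bucket with window/max configuration, separate global (IP) and per-user buckets, the X-Forwarded-For → X-Real-IP → socket resolution order, the X-RateLimit-* and Retry-After headers, and TTL cleanup. Class and function names and the injected clock argument `now` are assumptions made for testability.

```javascript
// Token bucket keyed by client (IP or JWT sub). One instance per tier keeps
// the global and per-user limits isolated, as the PR's tests require.
class TokenBucket {
  constructor(maxRequests, windowMs) {
    this.capacity = maxRequests;
    this.refillPerMs = maxRequests / windowMs; // tokens restored per millisecond
    this.buckets = new Map();                  // key -> { tokens, last }
  }

  // Decide one request for `key` at time `now` (ms). Returns
  // { allowed, remaining, retryAfterSec }; retryAfterSec is 0 when allowed.
  take(key, now) {
    let b = this.buckets.get(key);
    if (!b) { b = { tokens: this.capacity, last: now }; this.buckets.set(key, b); }
    b.tokens = Math.min(this.capacity, b.tokens + (now - b.last) * this.refillPerMs);
    b.last = now;
    if (b.tokens >= 1) {
      b.tokens -= 1;
      return { allowed: true, remaining: Math.floor(b.tokens), retryAfterSec: 0 };
    }
    const waitMs = (1 - b.tokens) / this.refillPerMs; // time until one token refills
    return { allowed: false, remaining: 0, retryAfterSec: Math.ceil(waitMs / 1000) };
  }

  // Periodic cleanup: drop entries idle longer than ttlMs; returns entries left.
  cleanup(now, ttlMs) {
    for (const [k, b] of this.buckets) if (now - b.last > ttlMs) this.buckets.delete(k);
    return this.buckets.size;
  }
}

// Resolve the client IP in the order the PR describes. Assumption: the app
// sits behind a trusted proxy that sets these headers; if clients can reach
// the app directly, the header value is client-controlled and only the
// socket address should be used as the key.
function clientIp(headers, socketAddr) {
  const xff = headers['x-forwarded-for'];
  if (xff) return xff.split(',')[0].trim(); // first hop = original client
  return headers['x-real-ip'] || socketAddr;
}

// Response headers for one decision: limit/remaining always, Retry-After on 429.
function rateLimitHeaders(limit, decision) {
  const h = { 'X-RateLimit-Limit': String(limit), 'X-RateLimit-Remaining': String(decision.remaining) };
  if (!decision.allowed) h['Retry-After'] = String(decision.retryAfterSec);
  return h;
}
```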