
[identity] Add per-property partitioning to rate limiter #963

Open
travlos wants to merge 7 commits into develop from feature/identity/rate-limit


travlos commented Mar 17, 2026

Introduce PartitionByProperty to RateLimiterEndpointRule, enabling rate limiting based on a specific request body property (e.g., email) instead of just user or IP. Update partition key logic to extract values from user claims, form data, or JSON payloads, with fallback to IP/host. This enhances flexibility, supporting scenarios like per-email rate limiting for unauthenticated users.

travlos added 2 commits March 17, 2026 13:56
Introduce PartitionByProperty to RateLimiterEndpointRule, enabling rate limiting based on a specific request body property (e.g., email) instead of just user or IP. Update partition key logic to extract values from user claims, form data, or JSON payloads, with fallback to IP/host. This enhances flexibility, supporting scenarios like per-email rate limiting for unauthenticated users.
@travlos travlos marked this pull request as ready for review March 17, 2026 12:59
Copilot AI review requested due to automatic review settings March 17, 2026 12:59

Copilot AI left a comment


Pull request overview

Adds support for configuring rate-limit partitions based on a request-body property (in addition to the existing user-claim / IP / host fallback), enabling scenarios like per-email throttling for unauthenticated endpoints.

Changes:

  • Adds PartitionByProperty to RateLimiterEndpointRule to drive per-property partitioning.
  • Updates rate limiter policy setup to compute a partition key via a new helper that inspects claims, form fields, or JSON bodies, falling back to IP/host.

Reviewed changes

Copilot reviewed 2 out of 2 changed files in this pull request and generated 7 comments.

| File | Description |
| --- | --- |
| src/Indice.AspNetCore/Extensions/RateLimiterExtensions.cs | Replaces the partition key expression with a helper that can extract a configured body property (form/JSON) with fallback behavior. |
| src/Indice.AspNetCore/Configuration/RateLimiterOptions.cs | Adds PartitionByProperty configuration option to endpoint rule model with XML documentation. |


Added PartitionStrategy to RateLimiterEndpointRule, enabling rate limiting by IP, user, or request property. Updated CustomPolicyFactory and related methods to support multiple rules per policy. Refactored partition key extraction logic for improved efficiency and configurability. Service registration updated to handle new rule structure.
@travlos travlos requested a review from Copilot March 19, 2026 15:35

Copilot AI left a comment


Pull request overview

Adds support for rate limiting partitioned by a request-body property (e.g., email) in addition to the existing user/IP-based partitioning, to enable more flexible throttling for unauthenticated scenarios in the Identity stack.

Changes:

  • Extend RateLimiterEndpointRule with PartitionByProperty and PartitionStrategy (plus new RateLimiterPartitionStrategy enum).
  • Update rate limiter partition-key selection to optionally extract a value from form data or JSON payloads (with IP/host fallback).
  • Change CustomPolicyFactory to return a list of endpoint rules and update Identity’s default policy factory accordingly.

Reviewed changes

Copilot reviewed 3 out of 3 changed files in this pull request and generated 8 comments.

| File | Description |
| --- | --- |
| src/Indice.Features.Identity.Server/Extensions/ServiceCollectionExtensions.cs | Updates Identity rate limiter policy factory to return a list of rules per policy. |
| src/Indice.AspNetCore/Extensions/RateLimiterExtensions.cs | Implements partition key selection strategy and request property extraction logic (form/JSON). |
| src/Indice.AspNetCore/Configuration/RateLimiterOptions.cs | Adds new rule properties + enum and changes custom policy factory to return multiple rules. |


travlos and others added 2 commits March 19, 2026 17:47
Co-authored-by: Copilot Autofix powered by AI <175728472+Copilot@users.noreply.github.com>
Co-authored-by: Copilot Autofix powered by AI <175728472+Copilot@users.noreply.github.com>
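
Added example, not code from this pull request or from the Indice code base: the partition-key resolution order described in the PR description and review summaries above (user claim, then a configured form/JSON body property, then IP fallback), with the body value bounded and normalized because it is client-supplied. `PartitionKeys.Resolve`, the key prefixes and both size caps are assumptions made for illustration, and the caller is assumed to have already buffered the request body into a byte array.

```csharp
using System;
using System.Text;
using System.Text.Json;
using System.Web;

// Constructed sample request: JSON body with mixed case and stray whitespace.
var body = Encoding.UTF8.GetBytes("{\"email\":\" Alice@Example.com \"}");
Console.WriteLine(PartitionKeys.Resolve(null, "application/json; charset=utf-8", body, "email", "203.0.113.7"));
// Same request shape, but the property is missing: falls back to the IP partition.
Console.WriteLine(PartitionKeys.Resolve(null, "application/json", Encoding.UTF8.GetBytes("{}"), "email", "203.0.113.7"));

// Hypothetical helper (not the PR's implementation).
static class PartitionKeys
{
    const int MaxBodyBytes = 8 * 1024; // assumed cap: larger bodies are not parsed
    const int MaxValueLength = 256;    // assumed cap on the extracted value

    public static string Resolve(string? userId, string? contentType, byte[] body, string property, string remoteIp)
    {
        if (!string.IsNullOrEmpty(userId)) return "user:" + userId;
        var value = body.Length <= MaxBodyBytes ? Extract(contentType, body, property) : null;
        // Missing, empty or oversized values fall back to the IP partition.
        if (string.IsNullOrWhiteSpace(value) || value.Length > MaxValueLength) return "ip:" + remoteIp;
        // Normalize so case and whitespace variants of one value share a partition.
        return $"prop:{property}:{value.Trim().ToLowerInvariant()}";
    }

    static string? Extract(string? contentType, byte[] body, string property)
    {
        var mediaType = (contentType ?? "").Split(';')[0].Trim();
        if (mediaType.Equals("application/x-www-form-urlencoded", StringComparison.OrdinalIgnoreCase))
            return HttpUtility.ParseQueryString(Encoding.UTF8.GetString(body))[property];
        if (!mediaType.Equals("application/json", StringComparison.OrdinalIgnoreCase)) return null;
        try
        {
            using var doc = JsonDocument.Parse(body);
            if (doc.RootElement.ValueKind != JsonValueKind.Object) return null;
            foreach (var p in doc.RootElement.EnumerateObject())
                if (p.Name.Equals(property, StringComparison.OrdinalIgnoreCase) && p.Value.ValueKind == JsonValueKind.String)
                    return p.Value.GetString();
            return null;
        }
        catch (JsonException) { return null; } // malformed JSON: caller falls back to IP
    }
}
```

Because the body property is chosen by the client, a per-property partition is a complement to the IP/host limit rather than a replacement for it.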