
[SECURITY] Implement Rate Limiting #163

@JoshuaAFerguson

Description


Objective

Add rate limiting to prevent abuse and DDoS attacks.

Rate Limits

// Per-user authenticated endpoints
- API requests: 1000 req/min
- Session creation: 10 req/min
- File uploads: 5 req/min

// Per-IP unauthenticated endpoints
- Login attempts: 5 req/min
- Registration: 3 req/hour

Implementation

Use Redis for distributed rate limiting across API replicas.

import "golang.org/x/time/rate"

// Middleware
func RateLimitMiddleware() gin.HandlerFunc {
    limiters := make(map[string]*rate.Limiter)
    // ...
}
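The following is an added, self-contained sketch of what the middleware above could look like once the limiter lookup is filled in; it is example code for this issue, not code from the repository. To stay dependency-free it uses net/http instead of gin and a small hand-written token bucket instead of golang.org/x/time/rate, but the shape is the same: one bucket per key, keys chosen per user for authenticated calls and per IP for unauthenticated ones, and a 429 with Retry-After when the bucket is empty. The X-User-ID header (assumed to be set by an upstream auth step), the injectable clock and the sample IPs are assumptions made for the example. The map is process-local, which is exactly why the issue asks for Redis: with several replicas each pod would enforce the limit independently, and an attacker spread across pods would get N times the budget.

```go
package main

import (
	"fmt"
	"math"
	"net"
	"net/http"
	"strconv"
	"sync"
	"time"
)

// Policy is one row of the issue's table: at most Limit requests per Window.
type Policy struct {
	Limit  int
	Window time.Duration
}

// bucket refills Limit tokens per Window and never holds more than Limit,
// so Limit is also the largest burst a caller can make.
type bucket struct {
	tokens float64
	last   time.Time
}

// Limiter keeps one bucket per key (user ID or client IP) behind a mutex.
// It is in-memory; a Redis-backed version would move Allow's arithmetic
// into a server-side script so all replicas share one bucket per key.
type Limiter struct {
	mu      sync.Mutex
	policy  Policy
	buckets map[string]*bucket
	now     func() time.Time // injectable clock (assumption, for deterministic tests)
}

func NewLimiter(p Policy) *Limiter {
	return &Limiter{policy: p, buckets: make(map[string]*bucket), now: time.Now}
}

// Allow consumes one token for key. It reports whether the request may
// proceed and, if not, how many whole seconds until the next token.
func (l *Limiter) Allow(key string) (bool, int) {
	l.mu.Lock()
	defer l.mu.Unlock()
	now := l.now()
	b, ok := l.buckets[key]
	if !ok {
		b = &bucket{tokens: float64(l.policy.Limit), last: now}
		l.buckets[key] = b
	}
	limit := float64(l.policy.Limit)
	// Refill in proportion to elapsed time, capped at the policy limit.
	b.tokens += now.Sub(b.last).Seconds() * limit / l.policy.Window.Seconds()
	if b.tokens > limit {
		b.tokens = limit
	}
	b.last = now
	if b.tokens >= 1 {
		b.tokens--
		return true, 0
	}
	wait := (1 - b.tokens) * l.policy.Window.Seconds() / limit
	return false, int(math.Ceil(wait))
}

// ClientKey chooses the bucket: per user when an upstream auth step set
// X-User-ID (assumed header name), otherwise per IP from RemoteAddr.
// RemoteAddr is used on purpose: X-Forwarded-For is caller-controlled unless
// a trusted proxy rewrites it, and would let a client pick its own bucket.
func ClientKey(r *http.Request) string {
	if uid := r.Header.Get("X-User-ID"); uid != "" {
		return "user:" + uid
	}
	host, _, err := net.SplitHostPort(r.RemoteAddr)
	if err != nil {
		host = r.RemoteAddr
	}
	return "ip:" + host
}

// RateLimit wraps next and answers 429 Too Many Requests, with a
// Retry-After header, whenever the caller's bucket is empty.
func RateLimit(l *Limiter, keyFn func(*http.Request) string, next http.Handler) http.Handler {
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		ok, wait := l.Allow(keyFn(r))
		if !ok {
			w.Header().Set("Retry-After", strconv.Itoa(wait))
			http.Error(w, "rate limit exceeded", http.StatusTooManyRequests)
			return
		}
		next.ServeHTTP(w, r)
	})
}

func main() {
	l := NewLimiter(Policy{Limit: 5, Window: time.Minute}) // the issue's login limit
	for i := 1; i <= 6; i++ {
		ok, wait := l.Allow("ip:203.0.113.7") // constructed sample client
		fmt.Println("attempt", i, "allowed:", ok, "retry-after:", wait)
	}
}
```

Per-route policies fall out naturally: wrap the login handler with a 5/min limiter keyed by IP and the API router with a 1000/min limiter keyed by user. Rejections are the thing to export to the monitoring/alerting criterion, since a sustained spike in 429s on /login for one key is a credential-stuffing signal rather than a capacity problem.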

Acceptance Criteria

  • Rate limiting active on all endpoints
  • 429 Too Many Requests returned
  • Redis-based for multi-pod support
  • Configurable limits
  • Monitoring/alerting added

Files

  • api/internal/middleware/ratelimit.go (NEW)

Metadata


Assignees

No one assigned


    Development

    No branches or pull requests
