General API rate limiting absent — only x402 free tier is limited #170

@crtahlin

Summary

The gateway has no general API rate limiting. 30+ rapid requests to any endpoint complete without a single 429 Too Many Requests response. Previously reported in #101 (closed Feb 27).

The x402 free tier does enforce a 3 req/60s limit (which triggers 429 with rate limit headers per #162), but this only applies to payment-gated endpoints in free mode. Health checks, stamp listing, wallet queries, and other read endpoints have no rate limiting at all.

Evidence

```python
# 30 rapid GET / requests
# (client: assumed to be the test suite's async HTTP client, e.g. httpx.AsyncClient, pointed at the gateway)
async def hammer_root(client):
    for i in range(30):
        resp = await client.get("/")
        # All return 200 — no 429 ever
        assert resp.status_code == 200
```

Additional tests confirm:

  • GET /api/v1/stamps/ — no rate limiting (100 rapid requests all succeed)
  • GET /api/v1/wallet — no rate limiting
  • POST /api/v1/stamps/ — returns 402 (x402) but no 429
  • POST /api/v1/data/ — returns 402 (x402) but no 429

Rate limiting tests in test_security.py are all skipped because the 429 response is never triggered.

Impact

  • DoS vulnerability: Any client can exhaust gateway resources with rapid requests
  • Bee node overload: Gateway proxies every request to the Bee node without throttling
  • Cost amplification: Stamp purchases hit the blockchain — unthrottled purchases could drain the wallet

Suggested fix

Add rate limiting middleware (e.g., slowapi or custom):

```python
from slowapi import Limiter
from slowapi.util import get_remote_address

limiter = Limiter(key_func=get_remote_address)

# Different limits per endpoint category:
# Read endpoints: 60/min
# Write endpoints: 10/min
# Stamp purchase: 3/min
```

Ensure rate limiting applies to all endpoints, not just x402 payment paths.

Related

Test references

  • gateway/test_security.py::TestRateLimiting (9 tests, all skip)
  • gateway/test_security.py::TestRateLimitBypass (4 tests, all skip)
  • regression/test_regressions.py::test_101_rate_limit_exists
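The per-category limits proposed in the suggested fix, as an added example that is not the gateway's code and does not depend on slowapi: a framework-free sliding-window limiter keyed on client address and endpoint category, returning the 429 decision and rate-limit headers a middleware would attach. The route table maps the paths named in this issue to categories (that mapping, the default category for unknown routes, and the client address are assumptions), and an injectable clock lets the behaviour be checked offline. `demo()` replays the issue's evidence loop (repeated `GET /` and `POST /api/v1/stamps/`) and shows where the 429 responses should begin and when the window reopens.

```python
"""Added example (not gateway code): per-category sliding-window rate limiter.

Limits follow the categories suggested in the issue: read 60/min, write 10/min,
stamp purchase 3/min. The route-to-category mapping is an assumption.
"""
import time
from collections import defaultdict, deque
from dataclasses import dataclass

# (max requests, window in seconds) per endpoint category
LIMITS = {
    "read": (60, 60),
    "write": (10, 60),
    "stamp_purchase": (3, 60),
}

# Constructed route table: (method, path prefix, category). Order matters:
# the most specific entries come first; the final "/" entry catches the rest.
ROUTES = [
    ("POST", "/api/v1/stamps/", "stamp_purchase"),
    ("POST", "/api/v1/data/", "write"),
    ("GET", "/api/v1/stamps/", "read"),
    ("GET", "/api/v1/wallet", "read"),
    ("GET", "/", "read"),
]


def categorize(method: str, path: str) -> str:
    """Map a request to a limit category; unknown routes still get the read limit."""
    for m, prefix, category in ROUTES:
        if method == m and path.startswith(prefix):
            return category
    return "read"


@dataclass
class Decision:
    status: int     # 200 = pass the request through, 429 = reject it
    headers: dict   # rate-limit headers to attach to the response


class RateLimiter:
    def __init__(self, limits=LIMITS, clock=time.monotonic):
        self.limits = limits
        self.clock = clock  # injectable so checks can control time
        self.hits = defaultdict(deque)  # (client, category) -> request timestamps

    def check(self, client_ip: str, method: str, path: str) -> Decision:
        category = categorize(method, path)
        limit, window = self.limits[category]
        now = self.clock()
        q = self.hits[(client_ip, category)]
        # Drop timestamps that have left the sliding window.
        while q and now - q[0] >= window:
            q.popleft()
        headers = {"X-RateLimit-Limit": str(limit)}
        if len(q) >= limit:
            headers["X-RateLimit-Remaining"] = "0"
            headers["Retry-After"] = str(int(window - (now - q[0])) + 1)
            return Decision(429, headers)
        q.append(now)
        headers["X-RateLimit-Remaining"] = str(limit - len(q))
        return Decision(200, headers)


class FakeClock:
    """Deterministic clock for offline checks."""
    def __init__(self):
        self.t = 0.0

    def __call__(self):
        return self.t

    def advance(self, seconds):
        self.t += seconds


def demo():
    """Replay the issue's evidence loop against the limiter."""
    clock = FakeClock()
    limiter = RateLimiter(clock=clock)
    client = "203.0.113.7"  # constructed client address
    root = [limiter.check(client, "GET", "/").status for _ in range(70)]
    purchases = [limiter.check(client, "POST", "/api/v1/stamps/").status for _ in range(5)]
    clock.advance(61)  # window expires, purchases are allowed again
    after_window = limiter.check(client, "POST", "/api/v1/stamps/")
    return root, purchases, after_window


if __name__ == "__main__":
    root, purchases, after_window = demo()
    print("GET / allowed:", root.count(200), "rejected:", root.count(429))
    print("POST /api/v1/stamps/ statuses:", purchases)
    print("after window:", after_window.status, after_window.headers)
```

Keying on `(client, category)` rather than on the exact path is what keeps a burst against one read endpoint from being independent of a burst against another; whichever middleware is chosen, the check has to run before the request is proxied to the Bee node, since the point of the issue is that unthrottled requests reach it.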

Labels: bug (Something isn't working), security (Security vulnerabilities and hardening)