Add configurable rate limiting for HTTP endpoints #1
Merged
- Update all dependencies, adapting code to breaking changes
- Move config logic and structures to config.rs module

Changes include adding lints for:
- disallowing unsafe code
- warns when using unwrap()

The lint warning for `unwrap` is enabled to prevent runtime panics and encourage safer error handling.

This commit simplifies handlers and centralizes rate limiting logic and replaces per-handler rate limit checks with a global Actix middleware.

The new middleware:
- Applies rate limiting consistently across all routes
- Uses (client IP, route path) as the limiter key
- Supports X-Forwarded-For and Forwarded headers for proxied deployments
- Normalizes IPv6-mapped IPv4 addresses
- Includes unit and integration tests for correctness

This commit also normalizes route-based IP keys.

This refactors the logic that extracts the real client IP from HTTP `Forwarded` and `X-Forwarded-For` headers. It now handles case-insensitive parameter names per RFC 7239, reduces nested logic, and clarifies the middleware structure.

Summary of changes:
- Add `extract_for_param` helper for parsing `for=...` values
- Prioritize direct peer IP when `trust_proxy_headers` is false
- Flatten nested `.split` and `.map` chains in `extract_client_ip`
- Update doc comments for Forwarded header behavior
- Clean up imports and type aliases for readability
- Refactor `RateLimitMiddlewareService` for clarity

Introduce a configurable limit on the number of unique clients the rate limiter tracks simultaneously. This prevents memory exhaustion attacks by bounding the in-memory state and evicting least recently used entries when the limit is reached.

Summary of changes:
- Add max_tracked_clients to RateLimitConfig and example config
- Implement BoundedStateStore with LRU eviction for rate limiter
- Update RateLimitMiddleware to use BoundedStateStore
- Mark entries inactive after request completes
- Update tests to cover bounded client tracking behavior
- Refactor imports and type aliases for clarity
This PR introduces:
- `governor` crate;
- `base.rate_limit` configuration in `config.toml` to enable/disable limits, set maximum requests, and define the time window;

Requests exceeding the limit return `429 Too Many Requests`. The implementation is middleware-based, applied to link creation, deletion, info retrieval, and redirection endpoints.
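The client-IP handling described in the commit messages above (proxy headers honoured only when `trust_proxy_headers` is set, case-insensitive `for=` parsing, IPv4-mapped IPv6 normalization), as an added example that is not the project's code. The function names follow the commit message, but the signatures, the `parse_node` and `normalize` helpers, the choice of the rightmost header entry (assuming a single trusted proxy that appends the address it saw) and the sample addresses are assumptions.

```rust
use std::net::{IpAddr, SocketAddr};

/// Collapse IPv4-mapped IPv6 (::ffff:a.b.c.d) to plain IPv4 so one client
/// cannot occupy two limiter buckets under two spellings of its address.
fn normalize(ip: IpAddr) -> IpAddr {
    match ip {
        IpAddr::V6(v6) => v6.to_ipv4_mapped().map_or(ip, IpAddr::V4),
        v4 => v4,
    }
}

/// Hypothetical helper: parse `ip`, `ip:port`, `[v6]` or `[v6]:port`, optionally
/// quoted. Obfuscated nodes such as `unknown` or `_hidden` yield None.
fn parse_node(raw: &str) -> Option<IpAddr> {
    let s = raw.trim().trim_matches('"');
    s.parse::<IpAddr>().ok()
        .or_else(|| s.parse::<SocketAddr>().ok().map(|a| a.ip()))
        .or_else(|| s.strip_prefix('[').and_then(|t| t.strip_suffix(']'))
            .and_then(|t| t.parse::<IpAddr>().ok()))
        .map(normalize)
}

/// Find `for=` in one Forwarded element; parameter names are case-insensitive.
fn extract_for_param(element: &str) -> Option<IpAddr> {
    element.split(';').find_map(|pair| {
        let (name, value) = pair.split_once('=')?;
        if name.trim().eq_ignore_ascii_case("for") { parse_node(value) } else { None }
    })
}

/// Assumption: exactly one trusted proxy appends the address it saw, so only
/// the rightmost entry is used; entries to its left are client-supplied.
fn extract_client_ip(peer: IpAddr, forwarded: Option<&str>, xff: Option<&str>,
                     trust_proxy_headers: bool) -> IpAddr {
    if !trust_proxy_headers {
        return normalize(peer); // headers are client-controlled: ignore them
    }
    forwarded.and_then(|h| h.rsplit(',').next()).and_then(extract_for_param)
        .or_else(|| xff.and_then(|h| h.rsplit(',').next()).and_then(parse_node))
        .unwrap_or_else(|| normalize(peer))
}

fn main() {
    // Constructed sample: the left entry is spoofed, the right one is the proxy's.
    let peer = IpAddr::from([10, 0, 0, 5]);
    let fwd = Some("for=1.2.3.4, For=\"[::ffff:203.0.113.7]:4711\";proto=https");
    println!("trusted:   {}", extract_client_ip(peer, fwd, None, true));
    println!("untrusted: {}", extract_client_ip(peer, fwd, None, false));
}
```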