
[jjb9707] Fix tiered rate limiting for authenticated vs anonymous (#200)#4890

Closed
jjb9707 wants to merge 1 commit into ClankerNation:main from jjb9707:fix/ratelimit-tiered

Conversation

@jjb9707

@jjb9707 jjb9707 commented May 28, 2026

Summary

Implements three-tier rate limiting that differentiates anonymous, authenticated, and premium users.

Changes (api/middleware/ratelimit.py)

Three-tier limits:

| Tier          | Limit        | Window |
|---------------|--------------|--------|
| Anonymous     | 60 req/min   | 60s    |
| Authenticated | 300 req/min  | 60s    |
| Premium       | 1000 req/min | 60s    |

Key improvements over original:

  • Sliding window (replaces buggy fixed-window that allowed 2x burst at boundaries)
  • Tier determined from JWT payload roles — valid token = authenticated, premium role = premium
  • Expired/invalid tokens fall back to anonymous
  • X-RateLimit-Limit, X-RateLimit-Remaining, X-RateLimit-Reset headers on every response
  • 429 includes Retry-After header
  • Health endpoint exempted from rate limiting

Tests (test/test_ratelimit.py)

14 comprehensive tests covering:

  • Each tier allows requests within limit
  • Each tier returns 429 when exceeded
  • Correct X-RateLimit-Limit header per tier
  • X-RateLimit-Reset is valid timestamp
  • Health endpoint bypasses rate limiting
  • Separate counters per user/tier
  • No token = anonymous fallback

/claim #200

- Three tiers: anonymous (60/min), authenticated (300/min), premium (1000/min)
- Sliding window algorithm (replaces buggy fixed window)
- Auth determined from JWT payload roles
- Response headers: X-RateLimit-Limit, X-RateLimit-Remaining, X-RateLimit-Reset
- 429 response with Retry-After header
- Health endpoint exempt from rate limiting
- Comprehensive tests for all tiers, headers, and edge cases

Closes ClankerNation#200
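A sliding-window, tiered limiter in the shape the description above outlines, written here as an added example rather than the PR's own api/middleware/ratelimit.py. It assumes JWT signature and expiry verification happen upstream and that this code receives either the verified claims dict or None; the tier names, limits, headers and health-endpoint exemption follow the PR description.

```python
import time
from collections import defaultdict, deque

# Tier limits from the PR description: (max requests, window in seconds)
TIERS = {"anonymous": (60, 60), "authenticated": (300, 60), "premium": (1000, 60)}


def tier_for(claims):
    """Map verified JWT claims to a tier.

    `claims` is None when the token is missing, expired or fails signature
    verification (assumed to be done upstream by a JWT library); such callers
    fall back to the anonymous tier, never to authenticated."""
    if not claims:
        return "anonymous"
    return "premium" if "premium" in claims.get("roles", []) else "authenticated"


class SlidingWindowLimiter:
    """Sliding-window log keyed by (tier, subject).

    A burst that straddles a minute boundary cannot get 2x the limit, which is
    the fixed-window defect the PR describes."""

    def __init__(self, tiers=TIERS, clock=time.time):
        self.tiers, self.clock = tiers, clock
        self.log = defaultdict(deque)  # (tier, subject) -> request timestamps

    def check(self, subject, tier, path="/"):
        """Return (allowed, headers). The health endpoint is exempt."""
        if path == "/health":
            return True, {}
        limit, window = self.tiers[tier]
        now = self.clock()
        q = self.log[(tier, subject)]
        while q and q[0] <= now - window:  # drop timestamps outside the window
            q.popleft()
        allowed = len(q) < limit
        if allowed:
            q.append(now)
        # Reset is when the oldest in-window request ages out
        reset = int(q[0] + window) if q else int(now + window)
        headers = {
            "X-RateLimit-Limit": str(limit),
            "X-RateLimit-Remaining": str(max(limit - len(q), 0)),
            "X-RateLimit-Reset": str(reset),
        }
        if not allowed:
            headers["Retry-After"] = str(max(reset - int(now), 1))
        return allowed, headers
```

Injecting a fake clock, as the tests do, lets you assert the boundary case directly: 60 requests at second 59 followed by one at second 60 is denied under the sliding window but would be allowed by a fixed window.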
@github-actions

Unfortunately the changes in this PR didn't fully resolve the issue. Please rework your solution and submit a new pull request within 2 hours.

Make sure to review the acceptance criteria in the linked issue and verify all conditions are met before resubmitting.

@github-actions github-actions Bot closed this May 29, 2026
