icub3d/decentcom
1
0
Fork 0
Code Issues 21 Pull requests Projects Releases Packages 1 Wiki Activity Actions

Feature: API and Gateway Rate Limiting #48

New issue
Open
opened 2026-04-26 16:46:06 +00:00 by icub3d · 0 comments
icub3d commented 2026-04-26 16:46:06 +00:00
Owner
Copy link

Migrated from GitHub issue icub3d/decentcom#67
Original Author: @icub3d
Original Date: 2026-04-17T00:27:46Z

Feature: Rate Limiting Research and Implementation

Overview

Implement rate limiting for the REST API and WebSocket Gateway to protect server resources and prevent abuse from automated scripts and bots.

Background

As we enable first-class bot support and open server membership, the risk of API spam and resource exhaustion increases. The current implementation has no rate limiting, allowing any client to flood the server with requests or messages.

Requirements

  • Research rate limiting strategies (leaky bucket, token bucket, fixed window, etc.).
  • Evaluate in-process vs external (e.g. reverse proxy) rate limiting.
  • Implement rate limiting for auth endpoints (prevent brute-forcing).
  • Implement rate limiting for message creation and other sensitive actions.
  • Different rate limits for human users vs unverified bots vs verified bots.
  • Return standard 429 Too Many Requests responses with Retry-After headers.

Design (Open for Research)

API / Interface Changes

  • 429 Too Many Requests status code implementation.
  • X-RateLimit-Limit, X-RateLimit-Remaining, X-RateLimit-Reset headers.

Data Model Changes

  • Likely an in-memory store (e.g., using the governor crate) for tracking request counts.

Component Changes

  • server/src/auth/middleware.rs: Add rate limiting layer.
  • server/src/gateway/handler.rs: Add rate limiting to WebSocket message handling.

Task List

  • Research existing Rust rate limiting crates (e.g., governor, tower-rate-limit).
  • Create a prototype rate limiting middleware for Axum.
  • Document recommended external rate limiting configurations (Nginx/Caddy) for self-hosters.
  • Implement per-user and per-IP rate limits.

Test List

  • Integration test: sending 100 messages in 1 second returns 429.
  • Integration test: rate limit reset after the specified window.

Open Questions

  • Should we use Redis for rate limiting in clustered setups, or stick to in-memory for simplicity?
  • How do we handle rate limits for the WebSocket gateway specifically?
**Migrated from GitHub issue icub3d/decentcom#67** **Original Author:** @icub3d **Original Date:** 2026-04-17T00:27:46Z --- # Feature: Rate Limiting Research and Implementation ## Overview Implement rate limiting for the REST API and WebSocket Gateway to protect server resources and prevent abuse from automated scripts and bots. ## Background As we enable first-class bot support and open server membership, the risk of API spam and resource exhaustion increases. The current implementation has no rate limiting, allowing any client to flood the server with requests or messages. ## Requirements - [ ] Research rate limiting strategies (leaky bucket, token bucket, fixed window, etc.). - [ ] Evaluate in-process vs external (e.g. reverse proxy) rate limiting. - [ ] Implement rate limiting for auth endpoints (prevent brute-forcing). - [ ] Implement rate limiting for message creation and other sensitive actions. - [ ] Different rate limits for human users vs unverified bots vs verified bots. - [ ] Return standard 429 Too Many Requests responses with `Retry-After` headers. ## Design (Open for Research) ### API / Interface Changes - `429 Too Many Requests` status code implementation. - `X-RateLimit-Limit`, `X-RateLimit-Remaining`, `X-RateLimit-Reset` headers. ### Data Model Changes - Likely an in-memory store (e.g., using the `governor` crate) for tracking request counts. ### Component Changes - `server/src/auth/middleware.rs`: Add rate limiting layer. - `server/src/gateway/handler.rs`: Add rate limiting to WebSocket message handling. ## Task List - [ ] Research existing Rust rate limiting crates (e.g., `governor`, `tower-rate-limit`). - [ ] Create a prototype rate limiting middleware for Axum. - [ ] Document recommended external rate limiting configurations (Nginx/Caddy) for self-hosters. - [ ] Implement per-user and per-IP rate limits. ## Test List - [ ] Integration test: sending 100 messages in 1 second returns 429. - [ ] Integration test: rate limit reset after the specified window. ## Open Questions - Should we use Redis for rate limiting in clustered setups, or stick to in-memory for simplicity? - How do we handle rate limits for the WebSocket gateway specifically?
Sign in to join this conversation.
No Branch/Tag specified
Branches Tags
main
feature/115-chatbot-2
feature/16-dms
gh-pages
No results found.
Labels
Clear labels   
area:api
Backend endpoints, REST, DB, Gateway

  
area:core
Shared Rust logic, crypto, Tauri shell

  
area:docs
Documentation, OpenAPI specs, architecture

  
area:infra
Deployment, Docker, build tools

  
area:ux
Frontend UI, React components, Tailwind

  
dependencies
Pull requests that update a dependency file

  
documentation
Improvements or additions to documentation

  
duplicate
This issue or pull request already exists

  
good first issue
Good for newcomers

  
help wanted
Extra attention is needed

  
invalid
This doesn't seem right

  
question
Further information is requested

  
rust
Pull requests that update rust code

  
status:complete
Feature fully implemented

  
status:partial
Partially implemented (server done, client pending)

  
status:planned
Not yet started

  
type:bug
Bug fixes

  
type:design
Architectural changes, major design decisions

  
type:feature
New features

  
type:infra
Infrastructure and CI/CD changes

  
type:refactor
Code improvements without behavioral changes

  
type:research
Spikes, investigating new tech

  
type:ux
User experience improvements

  
wontfix
This will not be worked on

No labels
area:api
area:core
area:docs
area:infra
area:ux
dependencies
documentation
duplicate
good first issue
help wanted
invalid
question
rust
status:complete
status:partial
status:planned
type:bug
type:design
type:feature
type:infra
type:refactor
type:research
type:ux
wontfix
Milestone
Clear milestone
No items
No milestone
Projects
Clear projects
No items
No project
Assignees
Clear assignees
No assignees
1 participant
Notifications
Due date
The due date is invalid or out of range. Please use the format "yyyy-mm-dd".

No due date set.

Dependencies

No dependencies set.

Reference
icub3d/decentcom#48
No description provided.