Skip to content

feat(backend): add endpoint-specific API rate limits#212

Open
rishab11250 wants to merge 1 commit into
nensii21:mainfrom
rishab11250:feat/api-rate-limits-per-endpoint
Open

feat(backend): add endpoint-specific API rate limits#212
rishab11250 wants to merge 1 commit into
nensii21:mainfrom
rishab11250:feat/api-rate-limits-per-endpoint

Conversation

@rishab11250

@rishab11250 rishab11250 commented Jul 8, 2026

Copy link
Copy Markdown

Pull Request

Summary

Add endpoint-specific API rate limits across all major backend routes. The existing SlowAPI rate-limit middleware was set up globally but no per-endpoint limits were applied. This change makes all limits configurable via environment variables and applies them to every security-sensitive and high-traffic endpoint.


Related Issue

Closes #200


Type of Change

  • Bug fix
  • New feature
  • Documentation update
  • Performance improvement
  • Refactoring
  • UI/UX enhancement
  • Tests
  • Other

Changes Made

  • config.py: Added 4 new settings (MESSAGE_RATE_LIMIT, SEARCH_RATE_LIMIT, PROJECT_RATE_LIMIT, PASSWORD_RESET_RATE_LIMIT); Changed REGISTER_RATE_LIMIT from 3/minute to 3/hour per issue spec
  • rate_limit.py: All limits now sourced from config settings instead of hardcoded values; removed unused UPLOAD_LIMIT and FLARE_LIMIT constants
  • auth.py: Applied @limiter.limit() to all 10 endpoints — register (3/hr), login (5/min), forgot/reset-password (3/15min), change-password (5/min), verify-email (5/min), resend-verification (3/hr), refresh/logout (10/min), me (30/min)
  • messages.py: Send message (30/min), search (60/min), update (20/min), restore/delete (10/min)
  • projects.py: Create (100/min), update/star/unstar (30/min), archive/restore/feature/delete (20/min)
  • users.py, skills.py, organizations.py: Search/list endpoints limited to 60/min
  • .env / .env.example: Added all new rate limit environment variables

Screenshots (if applicable)

N/A — backend configuration change


Testing

  • Tested locally
  • Existing tests pass
  • Added new tests
  • UI verified
  • Cross-browser tested (if applicable)

Additional testing notes: All 8 modified Python files pass py_compile syntax validation. Full dependency installation (pydantic-core, ruff) requires Rust toolchain on Windows build environment.


Checklist

Before submitting this pull request, confirm the following:

  • My code follows the project's coding standards.
  • I have tested my changes locally.
  • I have updated the documentation where necessary.
  • My changes do not introduce new warnings or errors.
  • I have reviewed my own code.
  • This pull request focuses on a single feature or fix.
  • I have linked the related issue.

Additional Notes

  • All rate limits are configurable via environment variables — no code changes needed to adjust limits in production
  • Follows project security best practices: sensitive auth endpoints have the strictest limits
  • Search endpoints share a unified SEARCH_LIMIT (60/min) for consistent UX
  • Existing default global limit (100/minute) remains as a catch-all for unlisted endpoints

Configure per-endpoint rate limits across all major API routes:

- Auth: login (5/min), register (3/hour), password reset (3/15min)
- Messages: send (30/min), search (60/min)
- Projects: create (100/min), mutations (20-30/min)
- Search/list endpoints (60/min) across users, skills, orgs

All limits are configurable via environment variables.
Rate limit constants now sourced from settings instead of hardcoded.

Closes nensii21#200

@github-actions github-actions Bot left a comment

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

🎉 Thank you for your first Pull Request to DevLink!

We appreciate your contribution to our open-source community.

Before your PR is reviewed, please ensure:

  • ✅ The project builds successfully.
  • ✅ Your code follows the project's coding standards.
  • ✅ You have tested your changes.
  • ✅ Related documentation has been updated if necessary.

Our maintainers will review your PR as soon as possible.

Thank you for helping improve DevLink! 💙

@nensii21

nensii21 commented Jul 8, 2026

Copy link
Copy Markdown
Owner

attached videos and screenshots showing what changes have been made also some CI jobs are failing update it.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

Add API Rate Limits Per Endpoint

2 participants