Add API rate limiting, metrics guard, and audit middleware

Per-user rate limits via Redis sliding window, IP-restricted /metrics
endpoint, audit logging of all requests, CORS tightening, and export
caps on listing/geojson endpoints.
Viktor Barzin 2026-02-08 00:45:43 +00:00
parent 08ac72bbfc
commit 87b5bd8676
No known key found for this signature in database
GPG key ID: 0EB088298288D958
8 changed files with 756 additions and 2 deletions


@ -41,3 +41,25 @@ JWT_SECRET=change-me-in-production # HMAC secret for HS256 signing
JWT_ALGORITHM=HS256 # JWT signing algorithm
JWT_EXPIRATION_HOURS=24 # Token expiry in hours
JWT_ISSUER=wrongmove # JWT issuer claim
# API rate limiting (format: max_requests/window_seconds)
# RATE_LIMIT_LISTING=30/60 # /api/listing: 30 req per 60s
# RATE_LIMIT_GEOJSON=10/60 # /api/listing_geojson: 10 req per 60s
# RATE_LIMIT_GEOJSON_STREAM=10/60 # /api/listing_geojson/stream: 10 req per 60s
# RATE_LIMIT_REFRESH=3/300 # /api/refresh_listings: 3 req per 5min
# RATE_LIMIT_TASK_STATUS=60/60 # /api/task_status: 60 req per 60s
# RATE_LIMIT_TASKS_FOR_USER=30/60 # /api/tasks_for_user: 30 req per 60s
# RATE_LIMIT_CANCEL_TASK=10/60 # /api/cancel_task: 10 req per 60s
# RATE_LIMIT_CLEAR_TASKS=5/60 # /api/clear_all_tasks: 5 req per 60s
# RATE_LIMIT_DISTRICTS=20/60 # /api/get_districts: 20 req per 60s
# RATE_LIMIT_PASSKEY=10/60 # /api/passkey/*: 10 req per 60s
RATE_LIMIT_REDIS_DB=3 # Redis DB for rate limit counters
# Bulk export caps
EXPORT_LISTING_LIMIT_CAP=100 # Max listings per /api/listing request
EXPORT_GEOJSON_LIMIT_CAP=5000 # Max features per /api/listing_geojson request
EXPORT_GEOJSON_STREAM_LIMIT_CAP=10000 # Max features per /api/listing_geojson/stream
EXPORT_GEOJSON_STREAM_BATCH_CAP=200 # Max batch size for streaming
# Metrics endpoint access control (comma-separated IPs/CIDRs)
METRICS_ALLOWED_IPS=127.0.0.1,10.0.0.0/8,172.16.0.0/12,192.168.0.0/16,::1
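Review bot: the default `METRICS_ALLOWED_IPS` in this hunk allows every RFC 1918 range plus loopback, so on a shared private network or cloud VPC any host inside 10.0.0.0/8, 172.16.0.0/12 or 192.168.0.0/16 can scrape /metrics; a narrower shipped default (loopback plus the scraper's own address) would be safer, and the comment on that line should state that the allowlist only holds when the client IP is taken from the socket or from a forwarded header set by a trusted proxy. Separately, the `RATE_LIMIT_*` lines are commented out while `RATE_LIMIT_REDIS_DB=3` is active, so it is unclear whether a commented key means "this is the built-in default" or "no limit is applied to that route"; a one-line comment at the top of the block saying what happens when a key is unset would remove the ambiguity.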