fix(tradein): bypass rate-limit for authenticated pilots + configurable limit (#655) #669
No reviewers
Labels
No labels
admin
analytics
auth
automation
bug
business
chore
ci
compliance
data
data-moat
docs
duplicate
dx
enhancement
Fable 5 ревью
feedback/max
generative
GG-форсайт
needs-discussion
needs-human
observability
pause-bots
performance
priority/p0
priority/p1
priority/p2
priority/p3
scope/backend
scope/db
scope/devops
scope/frontend
scope/qa
scrapers
security
site-finder
stage/1
stage/2
status/blocked
status/done
status/needs-analysis
status/needs-fix
status/qa
status/ready
status/review
status/wip
tech-debt
tradein
ux
week ревью 1
wontfix
вторичка
ИРД
No milestone
No project
No assignees
2 participants
Notifications
Due date
No due date set.
Dependencies
No dependencies set.
Reference: lekss361/gendesign#669
Loading…
Add table
Reference in a new issue
No description provided.
Delete branch "fix/tradein-655-ratelimit"
Deleting a branch is permanent. Although the deleted branch may continue to exist for a short time before it actually gets removed, it CANNOT be undone in most cases. Continue?
Results page hits ~8-10 /api/* endpoints per estimate, tripping the per-IP rate-limit (was 90/60s) and 429-ing trusted pilots behind Caddy basic_auth.
Requests carrying X-Authenticated-User (injected by Caddy basic_auth) now bypass the limiter entirely; anonymous traffic stays throttled. Limit/window are env-configurable (RATE_LIMIT default raised 90->300, RATE_LIMIT_WINDOW_S=60).
Milestone 6 (Praktika demo). Closes #655
Auth-bypass for rate limiter (#655). Security trust boundary verified: Caddyfile header_up X-Authenticated-User {http.auth.user.id} uses set-semantics (overwrites client value), so anonymous clients cannot spoof the bypass header through Caddy; empty -> treated anonymous (test_empty_auth_header_does_not_bypass). Reuses existing auth trust model. Env-configurable limit/window, tests cover throttle + bypass + empty-header edge. APPROVE.