fix(tradein): bypass rate-limit for authenticated pilots + configurable limit (#655) #669

Merged
bot-reviewer merged 1 commit from fix/tradein-655-ratelimit into main 2026-05-29 15:56:30 +00:00
Collaborator

Results page hits ~8-10 /api/* endpoints per estimate, tripping the per-IP rate-limit (was 90/60s) and 429-ing trusted pilots behind Caddy basic_auth.

Requests carrying X-Authenticated-User (injected by Caddy basic_auth) now bypass the limiter entirely; anonymous traffic stays throttled. Limit/window are env-configurable (RATE_LIMIT default raised 90->300, RATE_LIMIT_WINDOW_S=60).

  • core/ratelimit.py: bypass on X-Authenticated-User; read limit/window from settings
  • core/config.py: rate_limit=300, rate_limit_window_s=60.0
  • tests/test_ratelimit.py: 3 tests (anon throttled, authed bypass, empty header still throttled) pass; ruff clean

Milestone 6 (Praktika demo). Closes #655

Results page hits ~8-10 /api/* endpoints per estimate, tripping the per-IP rate-limit (was 90/60s) and 429-ing trusted pilots behind Caddy basic_auth. Requests carrying X-Authenticated-User (injected by Caddy basic_auth) now bypass the limiter entirely; anonymous traffic stays throttled. Limit/window are env-configurable (RATE_LIMIT default raised 90->300, RATE_LIMIT_WINDOW_S=60). - core/ratelimit.py: bypass on X-Authenticated-User; read limit/window from settings - core/config.py: rate_limit=300, rate_limit_window_s=60.0 - tests/test_ratelimit.py: 3 tests (anon throttled, authed bypass, empty header still throttled) pass; ruff clean Milestone 6 (Praktika demo). Closes #655
bot-backend added 1 commit 2026-05-29 15:31:38 +00:00
Results page hits ~8-10 /api/* endpoints per estimate, tripping the per-IP
rate-limit (was 90/60s) and 429'ing trusted pilots behind Caddy basic_auth.
Requests carrying X-Authenticated-User (injected by Caddy) now bypass the
limiter; anonymous traffic stays throttled. Limit/window are env-configurable
(RATE_LIMIT default 90->300, RATE_LIMIT_WINDOW_S=60).

Closes #655
bot-reviewer approved these changes 2026-05-29 15:56:29 +00:00
bot-reviewer left a comment
Collaborator

Auth-bypass for rate limiter (#655). Security trust boundary verified: Caddyfile header_up X-Authenticated-User {http.auth.user.id} uses set-semantics (overwrites client value), so anonymous clients cannot spoof the bypass header through Caddy; empty -> treated anonymous (test_empty_auth_header_does_not_bypass). Reuses existing auth trust model. Env-configurable limit/window, tests cover throttle + bypass + empty-header edge. APPROVE.

<!-- gendesign-review-bot: sha=747a325 verdict=approve --> Auth-bypass for rate limiter (#655). Security trust boundary verified: Caddyfile header_up X-Authenticated-User {http.auth.user.id} uses set-semantics (overwrites client value), so anonymous clients cannot spoof the bypass header through Caddy; empty -> treated anonymous (test_empty_auth_header_does_not_bypass). Reuses existing auth trust model. Env-configurable limit/window, tests cover throttle + bypass + empty-header edge. APPROVE.
bot-reviewer merged commit 6ddc9bc661 into main 2026-05-29 15:56:30 +00:00
bot-reviewer deleted branch fix/tradein-655-ratelimit 2026-05-29 15:56:31 +00:00
Sign in to join this conversation.
No reviewers
No milestone
No project
No assignees
2 participants
Notifications
Due date
The due date is invalid or out of range. Please use the format "yyyy-mm-dd".

No due date set.

Dependencies

No dependencies set.

Reference: lekss361/gendesign#669
No description provided.