stwaddle/budget
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

Add rate limiting: global (120/min) and writes (30/min) policies

Browse Source 
Both policies partition by sub claim with IP fallback. Global limiter
applies to all requests; writes policy is applied via
[EnableRateLimiting("writes")] on every POST, PUT, and DELETE action
across all five controllers.

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
This commit is contained in:
Spencer Twaddle
2026-05-02 15:56:54 -05:00
parent 89e9880f76
commit 9b1b704ea1
6 changed files with 57 additions and 0 deletions
Download Patch File Download Diff File Expand all files Collapse all files
src/Budget.Api/Controllers/BudgetsController.cs
+4
View File
@@ -4,6 +4,7 @@ using Budget.Api.Models;
using Budget.Api.Services;
using Microsoft.AspNetCore.Authorization;
using Microsoft.AspNetCore.Mvc;
using Microsoft.AspNetCore.RateLimiting;
using Microsoft.EntityFrameworkCore;
namespace Budget.Api.Controllers;
@@ -34,6 +35,7 @@ public class BudgetsController(AppDbContext db, BudgetAuthorizationService authz
}
[HttpPost]
[EnableRateLimiting("writes")]
public async Task<IActionResult> Create([FromBody] CreateBudgetRequest req)
{
if (TryGetUserId(out var userId) is { } err) return err;
@@ -62,6 +64,7 @@ public class BudgetsController(AppDbContext db, BudgetAuthorizationService authz
}
[HttpPut("{id:guid}")]
[EnableRateLimiting("writes")]
public async Task<IActionResult> Update(Guid id, [FromBody] UpdateBudgetRequest req)
{
if (TryGetUserId(out var userId) is { } err) return err;
@@ -75,6 +78,7 @@ public class BudgetsController(AppDbContext db, BudgetAuthorizationService authz
}
[HttpDelete("{id:guid}")]
[EnableRateLimiting("writes")]
public async Task<IActionResult> Delete(Guid id)
{
if (TryGetUserId(out var userId) is { } err) return err;