stwaddle/budget
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

Add rate limiting: global (120/min) and writes (30/min) policies

Browse Source 
Both policies partition by sub claim with IP fallback. Global limiter
applies to all requests; writes policy is applied via
[EnableRateLimiting("writes")] on every POST, PUT, and DELETE action
across all five controllers.

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
This commit is contained in:
Spencer Twaddle
2026-05-02 15:56:54 -05:00
parent 89e9880f76
commit 9b1b704ea1
6 changed files with 57 additions and 0 deletions
Download Patch File Download Diff File Expand all files Collapse all files
src/Budget.Api/Controllers/SharesController.cs
+4
View File
@@ -4,6 +4,7 @@ using Budget.Api.Models;
using Budget.Api.Services;
using Microsoft.AspNetCore.Authorization;
using Microsoft.AspNetCore.Mvc;
using Microsoft.AspNetCore.RateLimiting;
using Microsoft.EntityFrameworkCore;
namespace Budget.Api.Controllers;
@@ -34,6 +35,7 @@ public class SharesController(AppDbContext db, BudgetAuthorizationService authz)
}
[HttpPost]
[EnableRateLimiting("writes")]
public async Task<IActionResult> Add(Guid budgetId, [FromBody] CreateShareRequest req)
{
if (TryGetUserId(out var userId) is { } err) return err;
@@ -60,6 +62,7 @@ public class SharesController(AppDbContext db, BudgetAuthorizationService authz)
}
[HttpPut("{shareId:guid}")]
[EnableRateLimiting("writes")]
public async Task<IActionResult> Update(Guid budgetId, Guid shareId, [FromBody] UpdateShareRequest req)
{
if (TryGetUserId(out var userId) is { } err) return err;
@@ -72,6 +75,7 @@ public class SharesController(AppDbContext db, BudgetAuthorizationService authz)
}
[HttpDelete("{shareId:guid}")]
[EnableRateLimiting("writes")]
public async Task<IActionResult> Revoke(Guid budgetId, Guid shareId)
{
if (TryGetUserId(out var userId) is { } err) return err;