Add rate limiting: global (120/min) and writes (30/min) policies

Both policies partition by sub claim with IP fallback. Global limiter applies to all requests; writes policy is applied via [EnableRateLimiting("writes")] on every POST, PUT, and DELETE action across all five controllers. Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
2026-05-02 15:56:54 -05:00
parent 89e9880f76
commit 9b1b704ea1
6 changed files with 57 additions and 0 deletions
@@ -1,8 +1,10 @@
+using System.Threading.RateLimiting;
 using Budget.Api.Data;
 using Budget.Api.Services;
 using Microsoft.AspNetCore.Authentication.JwtBearer;
 using Microsoft.AspNetCore.Diagnostics.HealthChecks;
 using Microsoft.AspNetCore.HttpOverrides;
+using Microsoft.AspNetCore.RateLimiting;
 using Microsoft.EntityFrameworkCore;
 using Microsoft.Extensions.Diagnostics.HealthChecks;
 using Microsoft.Extensions.Options;
@@ -49,6 +51,39 @@ builder.Services.AddAuthentication(JwtBearerDefaults.AuthenticationScheme)
        };
    });

+builder.Services.AddRateLimiter(options =>
+{
+    options.RejectionStatusCode = StatusCodes.Status429TooManyRequests;
+
+    options.GlobalLimiter = PartitionedRateLimiter.Create<HttpContext, string>(ctx =>
+    {
+        var key = ctx.User.FindFirst("sub")?.Value
+            ?? ctx.Connection.RemoteIpAddress?.ToString()
+            ?? "unknown";
+        return RateLimitPartition.GetFixedWindowLimiter(key, _ => new FixedWindowRateLimiterOptions
+        {
+            PermitLimit = 120,
+            Window = TimeSpan.FromMinutes(1),
+            QueueProcessingOrder = QueueProcessingOrder.OldestFirst,
+            QueueLimit = 0,
+        });
+    });
+
+    options.AddPolicy("writes", ctx =>
+    {
+        var key = ctx.User.FindFirst("sub")?.Value
+            ?? ctx.Connection.RemoteIpAddress?.ToString()
+            ?? "unknown";
+        return RateLimitPartition.GetFixedWindowLimiter("writes:" + key, _ => new FixedWindowRateLimiterOptions
+        {
+            PermitLimit = 30,
+            Window = TimeSpan.FromMinutes(1),
+            QueueProcessingOrder = QueueProcessingOrder.OldestFirst,
+            QueueLimit = 0,
+        });
+    });
+});
+
 builder.Services.AddAuthorization();
 builder.Services.AddScoped<BudgetAuthorizationService>();
 builder.Services.AddControllers();
@@ -99,6 +134,8 @@ app.UseAuthentication();
 app.UseMiddleware<KnownUserMiddleware>();
 app.UseAuthorization();

+app.UseRateLimiter();
+
 app.MapControllers();
 app.MapHealthChecks("/healthz", new HealthCheckOptions
 {