Add rate limiting: global (120/min) and writes (30/min) policies

Both policies partition by sub claim with IP fallback. Global limiter applies to all requests; writes policy is applied via [EnableRateLimiting("writes")] on every POST, PUT, and DELETE action across all five controllers. Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
2026-05-02 15:56:54 -05:00
parent 89e9880f76
commit 9b1b704ea1
6 changed files with 57 additions and 0 deletions
@@ -4,6 +4,7 @@ using Budget.Api.Models;
 using Budget.Api.Services;
 using Microsoft.AspNetCore.Authorization;
 using Microsoft.AspNetCore.Mvc;
+using Microsoft.AspNetCore.RateLimiting;
 using Microsoft.EntityFrameworkCore;

 namespace Budget.Api.Controllers;
@@ -34,6 +35,7 @@ public class BudgetsController(AppDbContext db, BudgetAuthorizationService authz
    }

    [HttpPost]
+    [EnableRateLimiting("writes")]
    public async Task<IActionResult> Create([FromBody] CreateBudgetRequest req)
    {
        if (TryGetUserId(out var userId) is { } err) return err;
@@ -62,6 +64,7 @@ public class BudgetsController(AppDbContext db, BudgetAuthorizationService authz
    }

    [HttpPut("{id:guid}")]
+    [EnableRateLimiting("writes")]
    public async Task<IActionResult> Update(Guid id, [FromBody] UpdateBudgetRequest req)
    {
        if (TryGetUserId(out var userId) is { } err) return err;
@@ -75,6 +78,7 @@ public class BudgetsController(AppDbContext db, BudgetAuthorizationService authz
    }

    [HttpDelete("{id:guid}")]
+    [EnableRateLimiting("writes")]
    public async Task<IActionResult> Delete(Guid id)
    {
        if (TryGetUserId(out var userId) is { } err) return err;
@@ -4,6 +4,7 @@ using Budget.Api.Models;
 using Budget.Api.Services;
 using Microsoft.AspNetCore.Authorization;
 using Microsoft.AspNetCore.Mvc;
+using Microsoft.AspNetCore.RateLimiting;
 using Microsoft.EntityFrameworkCore;

 namespace Budget.Api.Controllers;
@@ -40,6 +41,7 @@ public class IncomesController(AppDbContext db, BudgetAuthorizationService authz
    }

    [HttpPost]
+    [EnableRateLimiting("writes")]
    public async Task<IActionResult> Create(Guid budgetId, [FromBody] CreateIncomeRequest req)
    {
        if (TryGetUserId(out var userId) is { } err) return err;
@@ -60,6 +62,7 @@ public class IncomesController(AppDbContext db, BudgetAuthorizationService authz
    }

    [HttpPut("{incomeId:guid}")]
+    [EnableRateLimiting("writes")]
    public async Task<IActionResult> Update(Guid budgetId, Guid incomeId, [FromBody] UpdateIncomeRequest req)
    {
        if (TryGetUserId(out var userId) is { } err) return err;
@@ -74,6 +77,7 @@ public class IncomesController(AppDbContext db, BudgetAuthorizationService authz
    }

    [HttpDelete("{incomeId:guid}")]
+    [EnableRateLimiting("writes")]
    public async Task<IActionResult> Delete(Guid budgetId, Guid incomeId)
    {
        if (TryGetUserId(out var userId) is { } err) return err;
@@ -86,6 +90,7 @@ public class IncomesController(AppDbContext db, BudgetAuthorizationService authz
    }

    [HttpPut("order")]
+    [EnableRateLimiting("writes")]
    public async Task<IActionResult> Reorder(Guid budgetId, [FromBody] ReorderIncomesRequest req)
    {
        if (TryGetUserId(out var userId) is { } err) return err;
@@ -4,6 +4,7 @@ using Budget.Api.Models;
 using Budget.Api.Services;
 using Microsoft.AspNetCore.Authorization;
 using Microsoft.AspNetCore.Mvc;
+using Microsoft.AspNetCore.RateLimiting;
 using Microsoft.EntityFrameworkCore;

 namespace Budget.Api.Controllers;
@@ -48,6 +49,7 @@ public class OutgosController(AppDbContext db, BudgetAuthorizationService authz)
    }

    [HttpPost]
+    [EnableRateLimiting("writes")]
    public async Task<IActionResult> Create(Guid budgetId, [FromBody] CreateOutgoRequest req)
    {
        if (TryGetUserId(out var userId) is { } err) return err;
@@ -73,6 +75,7 @@ public class OutgosController(AppDbContext db, BudgetAuthorizationService authz)
    }

    [HttpPut("{outgoId:guid}")]
+    [EnableRateLimiting("writes")]
    public async Task<IActionResult> Update(Guid budgetId, Guid outgoId, [FromBody] UpdateOutgoRequest req)
    {
        if (TryGetUserId(out var userId) is { } err) return err;
@@ -92,6 +95,7 @@ public class OutgosController(AppDbContext db, BudgetAuthorizationService authz)
    }

    [HttpDelete("{outgoId:guid}")]
+    [EnableRateLimiting("writes")]
    public async Task<IActionResult> Delete(Guid budgetId, Guid outgoId)
    {
        if (TryGetUserId(out var userId) is { } err) return err;
@@ -104,6 +108,7 @@ public class OutgosController(AppDbContext db, BudgetAuthorizationService authz)
    }

    [HttpPut("order")]
+    [EnableRateLimiting("writes")]
    public async Task<IActionResult> Reorder(Guid budgetId, [FromBody] ReorderOutgosRequest req)
    {
        if (TryGetUserId(out var userId) is { } err) return err;
@@ -4,6 +4,7 @@ using Budget.Api.Models;
 using Budget.Api.Services;
 using Microsoft.AspNetCore.Authorization;
 using Microsoft.AspNetCore.Mvc;
+using Microsoft.AspNetCore.RateLimiting;
 using Microsoft.EntityFrameworkCore;

 namespace Budget.Api.Controllers;
@@ -34,6 +35,7 @@ public class SharesController(AppDbContext db, BudgetAuthorizationService authz)
    }

    [HttpPost]
+    [EnableRateLimiting("writes")]
    public async Task<IActionResult> Add(Guid budgetId, [FromBody] CreateShareRequest req)
    {
        if (TryGetUserId(out var userId) is { } err) return err;
@@ -60,6 +62,7 @@ public class SharesController(AppDbContext db, BudgetAuthorizationService authz)
    }

    [HttpPut("{shareId:guid}")]
+    [EnableRateLimiting("writes")]
    public async Task<IActionResult> Update(Guid budgetId, Guid shareId, [FromBody] UpdateShareRequest req)
    {
        if (TryGetUserId(out var userId) is { } err) return err;
@@ -72,6 +75,7 @@ public class SharesController(AppDbContext db, BudgetAuthorizationService authz)
    }

    [HttpDelete("{shareId:guid}")]
+    [EnableRateLimiting("writes")]
    public async Task<IActionResult> Revoke(Guid budgetId, Guid shareId)
    {
        if (TryGetUserId(out var userId) is { } err) return err;
@@ -4,6 +4,7 @@ using Budget.Api.Models;
 using Budget.Api.Services;
 using Microsoft.AspNetCore.Authorization;
 using Microsoft.AspNetCore.Mvc;
+using Microsoft.AspNetCore.RateLimiting;
 using Microsoft.EntityFrameworkCore;

 namespace Budget.Api.Controllers;
@@ -75,6 +76,7 @@ public class SummaryController(AppDbContext db, BudgetAuthorizationService authz
    }

    [HttpPut("tax-rate")]
+    [EnableRateLimiting("writes")]
    public async Task<IActionResult> UpdateTaxRate(Guid budgetId, [FromBody] UpdateTaxRateRequest req)
    {
        if (TryGetUserId(out var userId) is { } err) return err;
@@ -1,8 +1,10 @@
+using System.Threading.RateLimiting;
 using Budget.Api.Data;
 using Budget.Api.Services;
 using Microsoft.AspNetCore.Authentication.JwtBearer;
 using Microsoft.AspNetCore.Diagnostics.HealthChecks;
 using Microsoft.AspNetCore.HttpOverrides;
+using Microsoft.AspNetCore.RateLimiting;
 using Microsoft.EntityFrameworkCore;
 using Microsoft.Extensions.Diagnostics.HealthChecks;
 using Microsoft.Extensions.Options;
@@ -49,6 +51,39 @@ builder.Services.AddAuthentication(JwtBearerDefaults.AuthenticationScheme)
        };
    });

+builder.Services.AddRateLimiter(options =>
+{
+    options.RejectionStatusCode = StatusCodes.Status429TooManyRequests;
+
+    options.GlobalLimiter = PartitionedRateLimiter.Create<HttpContext, string>(ctx =>
+    {
+        var key = ctx.User.FindFirst("sub")?.Value
+            ?? ctx.Connection.RemoteIpAddress?.ToString()
+            ?? "unknown";
+        return RateLimitPartition.GetFixedWindowLimiter(key, _ => new FixedWindowRateLimiterOptions
+        {
+            PermitLimit = 120,
+            Window = TimeSpan.FromMinutes(1),
+            QueueProcessingOrder = QueueProcessingOrder.OldestFirst,
+            QueueLimit = 0,
+        });
+    });
+
+    options.AddPolicy("writes", ctx =>
+    {
+        var key = ctx.User.FindFirst("sub")?.Value
+            ?? ctx.Connection.RemoteIpAddress?.ToString()
+            ?? "unknown";
+        return RateLimitPartition.GetFixedWindowLimiter("writes:" + key, _ => new FixedWindowRateLimiterOptions
+        {
+            PermitLimit = 30,
+            Window = TimeSpan.FromMinutes(1),
+            QueueProcessingOrder = QueueProcessingOrder.OldestFirst,
+            QueueLimit = 0,
+        });
+    });
+});
+
 builder.Services.AddAuthorization();
 builder.Services.AddScoped<BudgetAuthorizationService>();
 builder.Services.AddControllers();
@@ -99,6 +134,8 @@ app.UseAuthentication();
 app.UseMiddleware<KnownUserMiddleware>();
 app.UseAuthorization();

+app.UseRateLimiter();
+
 app.MapControllers();
 app.MapHealthChecks("/healthz", new HealthCheckOptions
 {