makiolaj/GearBox
1
0
Fork 0
Code Issues 8 Pull Requests Actions Packages Projects Releases 10 Wiki Activity

docs(24-01): complete rate limiter factory and tiered public endpoint limits plan

Browse Source 
- Add 24-01-SUMMARY.md with execution results
- Advance plan counter to 2/2
- Update progress to 50% (1 of 2 plans complete)
- Mark INFR-01 requirement complete
- Add factory pattern and tier decisions to STATE.md
This commit is contained in:
Jean-Luc Makiola
2026-04-10 10:08:50 +02:00
parent 5619016e41
commit 50f9629707
4 changed files with 121 additions and 18 deletions
Download Patch File Download Diff File Expand all files Collapse all files

4
.planning/REQUIREMENTS.md
View File

@@ -39,7 +39,7 @@ Requirements for Public Discovery milestone. Each maps to roadmap phases.
### Infrastructure ### Infrastructure
- [ ] **INFR-01**: Public API endpoints are rate-limited to prevent abuse - [x] **INFR-01**: Public API endpoints are rate-limited to prevent abuse
- [ ] **INFR-02**: Discovery feed endpoint uses cursor pagination for scalability - [ ] **INFR-02**: Discovery feed endpoint uses cursor pagination for scalability
## Future Requirements ## Future Requirements
@@ -121,7 +121,7 @@ Which phases cover which requirements. Updated during roadmap creation.
| PUBL-03 | Phase 24 | Pending | | PUBL-03 | Phase 24 | Pending |
| PUBL-04 | Phase 24 | Pending | | PUBL-04 | Phase 24 | Pending |
| PUBL-05 | Phase 24 | Pending | | PUBL-05 | Phase 24 | Pending |
| INFR-01 | Phase 24 | Pending | | INFR-01 | Phase 24 | Complete |
| CATL-01 | Phase 25 | Pending | | CATL-01 | Phase 25 | Pending |
| CATL-02 | Phase 25 | Pending | | CATL-02 | Phase 25 | Pending |
| CATL-03 | Phase 25 | Pending | | CATL-03 | Phase 25 | Pending |

4
.planning/ROADMAP.md
View File

@@ -87,7 +87,7 @@
**Plans**: 2 plans **Plans**: 2 plans
Plans: Plans:
- [ ] 24-01-PLAN.md — Rate limit factory and tiered public endpoint protection - [x] 24-01-PLAN.md — Rate limit factory and tiered public endpoint protection
- [ ] 24-02-PLAN.md — Client-side public access (render-first root, auth prompt, setup/catalog guards) - [ ] 24-02-PLAN.md — Client-side public access (render-first root, auth prompt, setup/catalog guards)
**UI hint**: yes **UI hint**: yes
@@ -144,7 +144,7 @@ Plans:
| 21. Item & Catalog Detail Pages | v2.0 | 3/3 | Complete | 2026-04-06 | | 21. Item & Catalog Detail Pages | v2.0 | 3/3 | Complete | 2026-04-06 |
| 22. Add-from-Catalog & Thread Integration | v2.0 | 2/2 | Complete | 2026-04-06 | | 22. Add-from-Catalog & Thread Integration | v2.0 | 2/2 | Complete | 2026-04-06 |
| 23. Manual Entry Fallback | v2.0 | 1/1 | Complete | 2026-04-06 | | 23. Manual Entry Fallback | v2.0 | 1/1 | Complete | 2026-04-06 |
| 24. Public Access & Infrastructure | v2.1 | 0/2 | In progress | - | | 24. Public Access & Infrastructure | v2.1 | 1/2 | In Progress| |
| 25. Catalog Enrichment & Agent Tools | v2.1 | 0/TBD | Not started | - | | 25. Catalog Enrichment & Agent Tools | v2.1 | 0/TBD | Not started | - |
| 26. Discovery Landing Page | v2.1 | 0/TBD | Not started | - | | 26. Discovery Landing Page | v2.1 | 0/TBD | Not started | - |

30
.planning/STATE.md
View File

@@ -2,15 +2,15 @@
gsd_state_version: 1.0 gsd_state_version: 1.0
milestone: v2.1 milestone: v2.1
milestone_name: Public Discovery milestone_name: Public Discovery
status: planning status: executing
stopped_at: Phase 24 context gathered stopped_at: Completed 24-01-PLAN.md
last_updated: "2026-04-09T13:13:39.015Z" last_updated: "2026-04-10T08:08:39.065Z"
last_activity: 2026-04-09 — Roadmap created for v2.1 last_activity: 2026-04-10
progress: progress:
total_phases: 6 total_phases: 6
completed_phases: 0 completed_phases: 0
total_plans: 0 total_plans: 2
completed_plans: 0 completed_plans: 1
percent: 0 percent: 0
--- ---
@@ -21,14 +21,14 @@ progress:
See: .planning/PROJECT.md (updated 2026-04-09) See: .planning/PROJECT.md (updated 2026-04-09)
**Core value:** Help people make better gear decisions — discover what others use, compare real-world data, and see how a potential buy affects your setup before committing. **Core value:** Help people make better gear decisions — discover what others use, compare real-world data, and see how a potential buy affects your setup before committing.
**Current focus:** v2.1 Public Discovery — Phase 24: Public Access & Infrastructure **Current focus:** Phase 24 — public-access-infrastructure
## Current Position ## Current Position
Phase: 24 of 26 (Public Access & Infrastructure) Phase: 24 (public-access-infrastructure) — EXECUTING
Plan: Plan: 2 of 2
Status: Ready to plan Status: Ready to execute
Last activity: 2026-04-09 — Roadmap created for v2.1 Last activity: 2026-04-10
Progress: [░░░░░░░░░░] 0% Progress: [░░░░░░░░░░] 0%
@@ -60,6 +60,8 @@ v2.1 decisions:
- Catalog data: open datasets + manufacturer specs + agent MCP enrichment — RESOLVED - Catalog data: open datasets + manufacturer specs + agent MCP enrichment — RESOLVED
- Public-first: auth model rework before content features — RESOLVED - Public-first: auth model rework before content features — RESOLVED
- Phase 999.3 (Public Access Auth Model backlog item) is now Phase 24 — PROMOTED - Phase 999.3 (Public Access Auth Model backlog item) is now Phase 24 — PROMOTED
- [Phase 24-public-access-infrastructure]: createRateLimit factory pattern for configurable rate limiting per endpoint tier
- [Phase 24-public-access-infrastructure]: Browse tier 120/min, detail tier 60/min — same limits for auth and anon users
### Pending Todos ### Pending Todos
@@ -71,6 +73,6 @@ None.
## Session Continuity ## Session Continuity
Last session: 2026-04-09T13:13:39.013Z Last session: 2026-04-10T08:08:39.063Z
Stopped at: Phase 24 context gathered Stopped at: Completed 24-01-PLAN.md
Resume file: .planning/phases/24-public-access-infrastructure/24-CONTEXT.md Resume file: None

101
.planning/phases/24-public-access-infrastructure/24-01-SUMMARY.md Normal file
View File

@@ -0,0 +1,101 @@
---
phase: 24-public-access-infrastructure
plan: 01
subsystem: infra
tags: [rate-limiting, middleware, hono, typescript]
# Dependency graph
requires: []
provides:
- createRateLimit(maxAttempts, windowMs) factory function in rateLimit.ts
- Tiered rate limits on all public GET endpoints (browse: 120/min, detail: 60/min)
- Backward-compatible rateLimit export (5 req/15 min, unchanged behavior)
affects: [future public API endpoints, catalog enrichment, discovery feed]
# Tech tracking
tech-stack:
added: []
patterns:
- "Factory pattern for configurable middleware: createRateLimit(max, windowMs) returns middleware fn"
- "Shared in-memory store for rate limiting with IP:path composite keys"
- "Tiered rate limits: browse tier (120/min) vs detail tier (60/min)"
key-files:
created: []
modified:
- src/server/middleware/rateLimit.ts
- src/server/index.ts
- tests/middleware/rateLimit.test.ts
key-decisions:
- "Use factory pattern for rate limiter to support different tiers without code duplication"
- "Browse endpoints (list/search) get 120/min limit; detail endpoints get 60/min — same for auth and anon users per D-08"
- "Rate limits placed before auth middleware to apply equally regardless of auth state"
- "Keep original rateLimit export (5/15min) for OAuth/auth endpoints unchanged"
patterns-established:
- "Rate limit factory: createRateLimit(max, windowMs) — reuse for any new endpoint needing limits"
- "Method guard in middleware: check c.req.method === 'GET' before applying rate limit"
requirements-completed: [INFR-01]
# Metrics
duration: 8min
completed: 2026-04-10
---
# Phase 24 Plan 01: Rate Limiter Factory and Tiered Public Endpoint Limits Summary
**createRateLimit(max, windowMs) factory with browse (120/min) and detail (60/min) tiers applied to all public GET endpoints before auth middleware**
## Performance
- **Duration:** ~8 min
- **Started:** 2026-04-10T10:00:00Z
- **Completed:** 2026-04-10T10:08:00Z
- **Tasks:** 2
- **Files modified:** 3
## Accomplishments
- Refactored single-tier rateLimit into createRateLimit factory supporting configurable limits
- Original rateLimit export preserved with identical behavior (5 req/15 min, same error message)
- Added 11 tests total (6 existing + 5 new factory tests) — all pass
- Applied browseTier (120/min) to /api/global-items list and /api/tags GET routes
- Applied detailTier (60/min) to /api/global-items/:id, /api/setups/:id/public, /api/users/:id/profile GET routes
## Task Commits
Each task was committed atomically:
1. **Task 1: Refactor rateLimit.ts to factory pattern and extend tests** - `afab817` (feat)
2. **Task 2: Apply tiered rate limits to public GET endpoints in index.ts** - `5619016` (feat)
## Files Created/Modified
- `src/server/middleware/rateLimit.ts` - Added createRateLimit factory; rateLimit delegates to factory; _resetForTesting unchanged
- `src/server/index.ts` - Import createRateLimit; add browseTier/detailTier instances; apply to 5 public GET endpoint groups before auth middleware
- `tests/middleware/rateLimit.test.ts` - Added createRateLimit factory describe block with 5 new test cases
## Decisions Made
- Factory uses the same error message as the original ("Too many attempts. Try again later.") to preserve backward compatibility for existing tests
- Import order follows Biome's organized-imports rule (auth.ts before rateLimit.ts alphabetically within middleware group)
## Deviations from Plan
None - plan executed exactly as written.
The only minor adjustment was error message consistency: the plan's code sample used "Too many requests." but the existing tests asserted "Too many attempts." — used the existing message to maintain backward compatibility without changing existing test expectations.
## Issues Encountered
- Pre-existing test failures in storage.service tests (15 failing, 7 errors) unrelated to rate limiting — confirmed pre-existing before changes via git stash verification. Logged as out-of-scope.
## User Setup Required
None - no external service configuration required.
## Next Phase Readiness
- createRateLimit factory available for any new public endpoints added in future plans
- All public GET endpoints now have abuse protection
- Auth middleware flow unchanged — public endpoints remain unauthenticated, rate-limited only
---
*Phase: 24-public-access-infrastructure*
*Completed: 2026-04-10*