makiolaj/GearBox
1
0
Fork 0
Code Issues 8 Pull Requests Actions Packages Projects Releases 10 Wiki Activity
Files
9336cd80edc18874e5615dd0ba2e1462863388b7
GearBox/.planning/phases/24-public-access-infrastructure/24-01-SUMMARY.md
Jean-Luc Makiola 50f9629707 docs(24-01): complete rate limiter factory and tiered public endpoint limits plan 
- Add 24-01-SUMMARY.md with execution results
- Advance plan counter to 2/2
- Update progress to 50% (1 of 2 plans complete)
- Mark INFR-01 requirement complete
- Add factory pattern and tier decisions to STATE.md
2026-04-10 10:08:50 +02:00

102 lines
4.3 KiB
Markdown
Raw Blame History

---
phase: 24-public-access-infrastructure
plan: 01
subsystem: infra
tags: [rate-limiting, middleware, hono, typescript]
# Dependency graph
requires: []
provides:
- createRateLimit(maxAttempts, windowMs) factory function in rateLimit.ts
- Tiered rate limits on all public GET endpoints (browse: 120/min, detail: 60/min)
- Backward-compatible rateLimit export (5 req/15 min, unchanged behavior)
affects: [future public API endpoints, catalog enrichment, discovery feed]
# Tech tracking
tech-stack:
added: []
patterns:
- "Factory pattern for configurable middleware: createRateLimit(max, windowMs) returns middleware fn"
- "Shared in-memory store for rate limiting with IP:path composite keys"
- "Tiered rate limits: browse tier (120/min) vs detail tier (60/min)"
key-files:
created: []
modified:
- src/server/middleware/rateLimit.ts
- src/server/index.ts
- tests/middleware/rateLimit.test.ts
key-decisions:
- "Use factory pattern for rate limiter to support different tiers without code duplication"
- "Browse endpoints (list/search) get 120/min limit; detail endpoints get 60/min — same for auth and anon users per D-08"
- "Rate limits placed before auth middleware to apply equally regardless of auth state"
- "Keep original rateLimit export (5/15min) for OAuth/auth endpoints unchanged"
patterns-established:
- "Rate limit factory: createRateLimit(max, windowMs) — reuse for any new endpoint needing limits"
- "Method guard in middleware: check c.req.method === 'GET' before applying rate limit"
requirements-completed: [INFR-01]
# Metrics
duration: 8min
completed: 2026-04-10
---
# Phase 24 Plan 01: Rate Limiter Factory and Tiered Public Endpoint Limits Summary
**createRateLimit(max, windowMs) factory with browse (120/min) and detail (60/min) tiers applied to all public GET endpoints before auth middleware**
## Performance
- **Duration:** ~8 min
- **Started:** 2026-04-10T10:00:00Z
- **Completed:** 2026-04-10T10:08:00Z
- **Tasks:** 2
- **Files modified:** 3
## Accomplishments
- Refactored single-tier rateLimit into createRateLimit factory supporting configurable limits
- Original rateLimit export preserved with identical behavior (5 req/15 min, same error message)
- Added 11 tests total (6 existing + 5 new factory tests) — all pass
- Applied browseTier (120/min) to /api/global-items list and /api/tags GET routes
- Applied detailTier (60/min) to /api/global-items/:id, /api/setups/:id/public, /api/users/:id/profile GET routes
## Task Commits
Each task was committed atomically:
1. **Task 1: Refactor rateLimit.ts to factory pattern and extend tests** - `afab817` (feat)
2. **Task 2: Apply tiered rate limits to public GET endpoints in index.ts** - `5619016` (feat)
## Files Created/Modified
- `src/server/middleware/rateLimit.ts` - Added createRateLimit factory; rateLimit delegates to factory; _resetForTesting unchanged
- `src/server/index.ts` - Import createRateLimit; add browseTier/detailTier instances; apply to 5 public GET endpoint groups before auth middleware
- `tests/middleware/rateLimit.test.ts` - Added createRateLimit factory describe block with 5 new test cases
## Decisions Made
- Factory uses the same error message as the original ("Too many attempts. Try again later.") to preserve backward compatibility for existing tests
- Import order follows Biome's organized-imports rule (auth.ts before rateLimit.ts alphabetically within middleware group)
## Deviations from Plan
None - plan executed exactly as written.
The only minor adjustment was error message consistency: the plan's code sample used "Too many requests." but the existing tests asserted "Too many attempts." — used the existing message to maintain backward compatibility without changing existing test expectations.
## Issues Encountered
- Pre-existing test failures in storage.service tests (15 failing, 7 errors) unrelated to rate limiting — confirmed pre-existing before changes via git stash verification. Logged as out-of-scope.
## User Setup Required
None - no external service configuration required.
## Next Phase Readiness
- createRateLimit factory available for any new public endpoints added in future plans
- All public GET endpoints now have abuse protection
- Auth middleware flow unchanged — public endpoints remain unauthenticated, rate-limited only
---
*Phase: 24-public-access-infrastructure*
*Completed: 2026-04-10*
Reference in New Issue View Git Blame Copy Permalink