From f3b6ceb8768616fb155455cceb7a539c13c3da9f Mon Sep 17 00:00:00 2001 From: Elias Schneider Date: Tue, 7 Jul 2026 12:04:36 +0200 Subject: [PATCH] fix: add missing burst to rate limit --- backend/internal/middleware/rate_limit.go | 5 +++-- 1 file changed, 3 insertions(+), 2 deletions(-) diff --git a/backend/internal/middleware/rate_limit.go b/backend/internal/middleware/rate_limit.go index 8b8def1e..dbfa49ad 100644 --- a/backend/internal/middleware/rate_limit.go +++ b/backend/internal/middleware/rate_limit.go @@ -5,6 +5,7 @@ import ( "errors" "log/slog" "math" + "net" "net/http" "strconv" "time" @@ -46,7 +47,7 @@ type RateLimitPolicy struct { // The slice is built on each call so the policies are not retained at the package level, and the actor host registers one limiter per entry func RateLimitPolicies() []RateLimitPolicy { return []RateLimitPolicy{ - {Name: RateLimitAPI, Rate: 100, Per: time.Second}, + {Name: RateLimitAPI, Rate: 100, Per: time.Second, Burst: 300}, {Name: RateLimitSignup, Rate: 2, Per: time.Minute, Burst: 10}, {Name: RateLimitWebauthnLogin, Rate: 1, Per: 5 * time.Second, Burst: 10}, {Name: RateLimitWebauthnReauthenticate, Rate: 1, Per: 10 * time.Second, Burst: 5}, @@ -88,7 +89,7 @@ func (m *RateLimitMiddleware) Add(policy string) gin.HandlerFunc { // Skip rate limiting for localhost and test environment // If the client ip is localhost the request comes from the frontend - if ip == "" || ip == "127.0.0.1" || ip == "::1" || common.EnvConfig.AppEnv.IsTest() { + if common.EnvConfig.AppEnv == common.AppEnvTest || net.ParseIP(ip).IsLoopback() { c.Next() return }