fix: add missing burst to rate limit

This commit is contained in:
Elias Schneider
2026-07-07 12:04:36 +02:00
parent fa2d08cb6d
commit f3b6ceb876

View File

@@ -5,6 +5,7 @@ import (
"errors"
"log/slog"
"math"
"net"
"net/http"
"strconv"
"time"
@@ -46,7 +47,7 @@ type RateLimitPolicy struct {
// The slice is built on each call so the policies are not retained at the package level, and the actor host registers one limiter per entry
func RateLimitPolicies() []RateLimitPolicy {
return []RateLimitPolicy{
{Name: RateLimitAPI, Rate: 100, Per: time.Second},
{Name: RateLimitAPI, Rate: 100, Per: time.Second, Burst: 300},
{Name: RateLimitSignup, Rate: 2, Per: time.Minute, Burst: 10},
{Name: RateLimitWebauthnLogin, Rate: 1, Per: 5 * time.Second, Burst: 10},
{Name: RateLimitWebauthnReauthenticate, Rate: 1, Per: 10 * time.Second, Burst: 5},
@@ -88,7 +89,7 @@ func (m *RateLimitMiddleware) Add(policy string) gin.HandlerFunc {
// Skip rate limiting for localhost and test environment
// If the client ip is localhost the request comes from the frontend
if ip == "" || ip == "127.0.0.1" || ip == "::1" || common.EnvConfig.AppEnv.IsTest() {
if common.EnvConfig.AppEnv == common.AppEnvTest || net.ParseIP(ip).IsLoopback() {
c.Next()
return
}