@jakebromberg jakebromberg commented Jan 19, 2026

⚠️ Superseded

This PR has been split into smaller, focused PRs for easier review:

PR    Description                                    Lines    Base
#125  Discogs API client                             ~1,100   #122
#138  Rate limiting                                  ~500     #125
#139  Enhanced request line + AI + Artwork + Slack   ~3,000   #138

Merge order

main
└── #62:  Request line endpoint
    └── #122: Anonymous device auth
        └── #125: Discogs client
            └── #138: Rate limiting
                └── #139: Enhanced request line

Merge in order: #62 → #122 → #125 → #138 → #139


Original description

Summary

  • Registration rate limit: 5 per hour per IP
  • Song request rate limit: 10 per 15 minutes per device
  • Configurable via environment variables for testing
  • Automatically disabled in test environment
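
The limits listed in the summary above, sketched as a sliding-window limiter. This is an added example, not code from this PR or the project; the `RATE_LIMIT_*` variable names and the `NODE_ENV` check are assumptions, and the limiter key is an opaque string (an IP for registration, a device or user id for requests).

```javascript
// Added example: sliding-window limiter for the two policies in the PR summary.
// Env var names (RATE_LIMIT_*) are hypothetical, not taken from the project.
function loadPolicies(env = process.env) {
  const num = (name, fallback) => {
    const n = Number(env[name]);
    return Number.isFinite(n) && n > 0 ? n : fallback; // ignore junk overrides
  };
  return {
    enabled: env.NODE_ENV !== 'test', // off under test, as the summary states
    registration: { max: num('RATE_LIMIT_REGISTRATION_MAX', 5),
                    windowMs: num('RATE_LIMIT_REGISTRATION_WINDOW_MS', 60 * 60 * 1000) },
    request: { max: num('RATE_LIMIT_REQUEST_MAX', 10),
               windowMs: num('RATE_LIMIT_REQUEST_WINDOW_MS', 15 * 60 * 1000) },
  };
}

function createLimiter({ max, windowMs }, enabled = true) {
  const hits = new Map(); // key -> timestamps (ms) of accepted calls in window
  return function check(key, now = Date.now()) {
    if (!enabled) return { allowed: true, remaining: max, retryAfterMs: 0 };
    const recent = (hits.get(key) || []).filter((t) => now - t < windowMs);
    if (recent.length >= max) {
      hits.set(key, recent);
      // The oldest accepted call leaves the window at recent[0] + windowMs.
      return { allowed: false, remaining: 0, retryAfterMs: recent[0] + windowMs - now };
    }
    recent.push(now);
    hits.set(key, recent);
    return { allowed: true, remaining: max - recent.length, retryAfterMs: 0 };
  };
}

// Constructed traffic: n calls from one key, spaced stepMs apart, starting at t0.
function simulate(check, key, n, stepMs, t0 = 0) {
  const out = [];
  for (let i = 0; i < n; i++) out.push(check(key, t0 + i * stepMs));
  return out;
}
```

Rejected calls are not recorded, so a client that keeps retrying while blocked does not extend its own lockout. Behind a reverse proxy the per-IP key has to come from a forwarded-address header set by a trusted proxy, otherwise every client shares the proxy's address and one bucket.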

@jakebromberg jakebromberg force-pushed the feature/anonymous-device-auth branch from 446eab8 to 24ebdff Compare January 19, 2026 05:43
@jakebromberg jakebromberg force-pushed the feature/rate-limiting branch from d1368c8 to f9b1db1 Compare January 19, 2026 05:43
@jakebromberg jakebromberg force-pushed the feature/anonymous-device-auth branch from 24ebdff to 6fb97c2 Compare January 19, 2026 06:00
@jakebromberg jakebromberg force-pushed the feature/rate-limiting branch from f9b1db1 to b96ccde Compare January 19, 2026 06:00
@jakebromberg jakebromberg force-pushed the feature/anonymous-device-auth branch from 6fb97c2 to a5f2135 Compare January 19, 2026 06:38
@jakebromberg jakebromberg force-pushed the feature/rate-limiting branch from b96ccde to fe391e6 Compare January 19, 2026 06:38
@jakebromberg jakebromberg force-pushed the feature/anonymous-device-auth branch from a5f2135 to 4379d91 Compare January 19, 2026 07:42
@jakebromberg jakebromberg force-pushed the feature/rate-limiting branch from fe391e6 to 51427d5 Compare January 19, 2026 07:42
@jakebromberg jakebromberg force-pushed the feature/anonymous-device-auth branch from 4379d91 to 3980166 Compare January 19, 2026 16:35
@jakebromberg jakebromberg force-pushed the feature/rate-limiting branch 5 times, most recently from 59f8670 to 2435bb8 Compare January 19, 2026 23:03
@jakebromberg jakebromberg force-pushed the feature/anonymous-device-auth branch from 3980166 to 79b5b02 Compare January 19, 2026 23:04
@jakebromberg jakebromberg force-pushed the feature/rate-limiting branch 2 times, most recently from 4a875eb to c7eee30 Compare January 20, 2026 06:27
@jakebromberg jakebromberg force-pushed the feature/anonymous-device-auth branch 2 times, most recently from 664b5dc to eec36a6 Compare January 20, 2026 15:42
@jakebromberg jakebromberg force-pushed the feature/rate-limiting branch from c7eee30 to f7c36aa Compare January 20, 2026 19:41
@jakebromberg jakebromberg force-pushed the feature/anonymous-device-auth branch from eec36a6 to b20c80b Compare January 22, 2026 06:15
@jakebromberg jakebromberg force-pushed the feature/rate-limiting branch from f7c36aa to 5a5f014 Compare January 22, 2026 06:16
@jakebromberg jakebromberg force-pushed the feature/anonymous-device-auth branch 4 times, most recently from 18ef450 to 7a7b825 Compare January 31, 2026 09:35
@jakebromberg jakebromberg force-pushed the feature/anonymous-device-auth branch 3 times, most recently from 09ce16d to 8aa3a00 Compare January 31, 2026 10:46
Base automatically changed from feature/anonymous-device-auth to main January 31, 2026 11:19
@jakebromberg jakebromberg force-pushed the feature/rate-limiting branch from 5a5f014 to 32953a2 Compare January 31, 2026 12:48
Jake Bromberg added 2 commits January 31, 2026 04:51
- Add rate limiting for device registration and song requests
- Extract shared Discogs API client with built-in rate limiting
- Migrate anonymous auth from custom JWT to better-auth anonymous plugin
- Add activity tracking service for user request counts
- Add AI parsing, library search, and artwork to request line
- Add test utilities for anonymous auth and Slack webhook simulation

Key changes:
- Anonymous users now authenticate via /auth/sign-in/anonymous
- Rate limiting keys by userId instead of deviceId
- Legacy /request/register endpoint returns 301 redirect
- User banning uses better-auth admin plugin

Migration 0025 duplicated CREATE TABLE statements for album_metadata
and artist_metadata that were already created in migration 0023,
causing migrations to fail with "relation already exists" error.
@jakebromberg jakebromberg force-pushed the feature/rate-limiting branch from 32953a2 to 996b219 Compare January 31, 2026 12:52
@jakebromberg jakebromberg merged commit e5c8d68 into main Jan 31, 2026
4 checks passed
@jakebromberg jakebromberg deleted the feature/rate-limiting branch January 31, 2026 13:00