Skip to content

feat: add rate limiting for request line endpoints #138

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Merged
jakebromberg merged 2 commits into from
Jan 31, 2026
Merged

feat: add rate limiting for request line endpoints #138

jakebromberg merged 2 commits into from
Jan 31, 2026

Conversation

@jakebromberg
Copy link
Member

@jakebromberg jakebromberg commented Jan 22, 2026
edited
Loading

Summary

Add rate limiting to request line endpoints to prevent abuse.

  • Registration rate limit: 5 per hour per IP
  • Song request rate limit: 10 per 15 minutes per device
  • Configurable via environment variables for testing
  • Automatically disabled in test environment

Environment Variables

# Enable rate limiting in tests (default: disabled)
TEST_RATE_LIMITING=true

# Configure limits
RATE_LIMIT_REGISTRATION_WINDOW_MS=3600000
RATE_LIMIT_REGISTRATION_MAX=5
RATE_LIMIT_REQUEST_WINDOW_MS=900000
RATE_LIMIT_REQUEST_MAX=10

Changes

  • apps/backend/middleware/rateLimiting.ts - Rate limiting middleware
  • apps/backend/routes/requestLine.route.ts - Apply rate limits to routes
  • tests/integration/rateLimiting.spec.js - Integration tests
  • tests/utils/anonymous_auth.js - Test utility for authenticated requests

Test plan

  • Verify rate limit headers in responses
  • Verify 429 when limits exceeded
  • Verify limits reset after window expires
  • Verify per-device isolation for request limits

Depends on

This was referenced Jan 22, 2026
Merged
Merged
feat: add rate limiting for request line endpoints
3fef192 
- Add express-rate-limit middleware for registration (5/hour by IP)
  and song requests (10/15min per device)
- Configurable via environment variables for testing
- Automatically disabled in test environment unless TEST_RATE_LIMITING=true
- Add integration tests for rate limiting behavior
- Add anonymous_auth test utility for authenticated testing
@jakebromberg jakebromberg force-pushed the feature/rate-limiting-only branch from 4e22618 to 3fef192 Compare January 22, 2026 19:53
@jakebromberg jakebromberg changed the base branch from feature/anonymous-device-auth to refactor/shared-discogs-client January 22, 2026 19:53
@jakebromberg
feat: add enhanced request line with AI parsing and library search
40d36fa 
- Add AI-powered parsing for song requests (artist/album/song extraction)
- Add multi-strategy library search pipeline
- Add artwork fetching from Discogs
- Add improved Slack message builder with rich blocks
- Add /parse endpoint for debugging AI parser

Search strategies:
- Artist + Album matching
- Song as artist fallback
- Swapped interpretation (artist/song confusion)
- Track on compilation search

Depends on:
- Discogs service (from PR #125 after rebase)
@jakebromberg jakebromberg merged commit 988a9c5 into refactor/shared-discogs-client Jan 31, 2026
@jakebromberg jakebromberg deleted the feature/rate-limiting-only branch January 31, 2026 09:44
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

No reviews

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

1 participant

@jakebromberg