Skip to content
M
Merq

Rate Limiting

Rate Limiting

Section titled “Rate Limiting”

Rate limiting has been implemented for the Merq API to protect against abuse and ensure fair usage.

Implementation Status

Section titled “Implementation Status”

COMPLETED: Rate limiting is now active in the merq-backend.

Features Implemented

Section titled “Features Implemented”

1. Rate Limiting Middleware

Section titled “1. Rate Limiting Middleware”

Location: internal/middleware/rate_limiter.go

  • Library: Uses github.com/ulule/limiter/v3 with in-memory store
  • Storage: Currently using memory store (Redis integration planned for future)
  • Headers: Returns X-RateLimit-Limit, X-RateLimit-Remaining, X-RateLimit-Reset
  • Response: HTTP 429 with RATE_LIMIT_EXCEEDED error when limit exceeded

2. Rate Limit Rules

Section titled “2. Rate Limit Rules”
Endpoint TypeLimitWindowKey By
Login / Forget Password10 req1 minuteIP address
Authenticated endpoints300 req1 minuteUser ID
Search (?keyword=)60 req1 minuteUser ID
Export endpoints5 req1 minuteUser ID
Reindex (admin)1 req5 minutesUser ID

3. Configuration

Section titled “3. Configuration”

Environment variables:

Terminal window
# Rate Limiting Configuration
RATE_LIMIT_LOGIN_LIMIT=10
RATE_LIMIT_AUTH_LIMIT=300
RATE_LIMIT_SEARCH_LIMIT=60
RATE_LIMIT_EXPORT_LIMIT=5
RATE_LIMIT_REINDEX_LIMIT=1
RATE_LIMIT_REDIS_PREFIX=merq:ratelimit

4. Integration

Section titled “4. Integration”

The rate limiter is automatically registered in cmd/server/main.go:

// rate limiting middleware
rateLimitConfig := middleware.DefaultRateLimitConfig()
router.Use(middleware.RateLimiterMiddleware(redisClient, rateLimitConfig, logger))

Response Headers

Section titled “Response Headers”

When rate limiting is active, the following headers are returned:

X-RateLimit-Limit: 300
X-RateLimit-Remaining: 299
X-RateLimit-Reset: 1706198400

Error Response

Section titled “Error Response”

When rate limit is exceeded:

{
  "status": 429,
  "message": "Too many requests",
  "code": "RATE_LIMIT_EXCEEDED",
  "data": {
    "limit": 300,
    "remaining": 0,
    "reset": 1706198400
  }
}

Testing

Section titled “Testing”

To test rate limiting:

  1. Login endpoints: Make 10+ POST requests to /api/office/v1/auth/signin (and /api/office/v1/auth/forget-password, if applicable) from same IP
  2. Search endpoints: Make 60+ GET requests with ?keyword= parameter
  3. Export endpoints: Make 5+ requests to export endpoints
  4. General endpoints: Make 300+ authenticated requests

Future Enhancements

Section titled “Future Enhancements”
  • Redis Store: Migrate from memory store to Redis for distributed rate limiting
  • Dynamic Configuration: Allow runtime configuration updates
  • Per-Workspace Limits: Implement workspace-specific rate limits
  • Monitoring Dashboard: Add rate limit usage statistics to admin dashboard

Security Considerations

Section titled “Security Considerations”
  • Rate limiting is applied before authentication for login endpoints (IP-based)
  • Rate limiting is applied after authentication for other endpoints (user-based)
  • Health check and Swagger endpoints are excluded from rate limiting
  • If the rate limiter fails to initialize, server startup must fail (fail-closed) or, at minimum, the failure must be logged and alerted and rate limiting explicitly disabled only in controlled environments