Rate limiting on API endpoints #25

Open
opened 2026-04-19 07:23:34 +00:00 by forgejo-lila (Owner) · 0 comments

Context

The API has no rate limiting. Vulnerable to brute force attacks on auth endpoints and spam on game endpoints.

What to do

Add rate limiting middleware to the Express API.

Files to change

  • apps/api/package.json — add express-rate-limit (or similar)
  • apps/api/src/app.ts — apply rate limiter middleware. Different limits for:
    • Auth endpoints (/api/auth/*): strict (e.g. 10 req/min per IP)
    • Game endpoints (/api/v1/game/*): moderate (e.g. 60 req/min per IP)
    • Health endpoint (/api/v1/health): relaxed or exempt
  • Alternatively, rate limiting can be done at the Caddy level — evaluate both.

Acceptance criteria

  • Excessive requests from a single IP receive 429 Too Many Requests
  • Normal usage is not affected
  • Rate limit headers in responses (X-RateLimit-Limit, X-RateLimit-Remaining)
  • Auth endpoints have stricter limits than game endpoints
  • Document the chosen limits in documentation/decisions.md

Notes

The API runs behind a Caddy reverse proxy. req.ip will show Caddy's internal IP unless trust proxy is configured in Express. The app currently sets up Express in apps/api/src/app.ts via the createApp() factory function.
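The tiered, proxy-aware limiter this issue asks for, as an added example that is not the lila project's code and does not use express-rate-limit: a small fixed-window limiter in Express middleware shape, with clientIp() as a hypothetical stand-in for req.ip under trust proxy, and fakeReq/fakeRes/drive as constructed test doubles so it runs without a server.

```javascript
// Fixed-window per-IP limiter in Express middleware shape, meant to be mounted
// per prefix: app.use('/api/auth', rateLimit({ windowMs: 60_000, max: 10 })).
// clientIp() is a hypothetical stand-in for req.ip under Express 'trust proxy'.
function clientIp(req, trustProxy) {
  // Behind Caddy, socket.remoteAddress is Caddy itself. With a trusted proxy, use
  // the right-most X-Forwarded-For entry (Caddy's); earlier ones are spoofable.
  const xff = req.headers['x-forwarded-for'];
  if (trustProxy && xff) return xff.split(',').pop().trim();
  return req.socket.remoteAddress;
}

function rateLimit({ windowMs, max, trustProxy = true, skip = () => false, now = Date.now }) {
  const buckets = new Map(); // ip -> { count, resetAt }
  // Keep arity 3: Express treats a 4-argument function as an error handler.
  return (req, res, next) => {
    if (skip(req)) return next(); // e.g. exempt /api/v1/health
    const ip = clientIp(req, trustProxy);
    const t = now();
    let b = buckets.get(ip);
    if (!b || t >= b.resetAt) { b = { count: 0, resetAt: t + windowMs }; buckets.set(ip, b); }
    b.count += 1;
    res.setHeader('X-RateLimit-Limit', String(max));
    res.setHeader('X-RateLimit-Remaining', String(Math.max(0, max - b.count)));
    if (b.count > max) {
      res.setHeader('Retry-After', String(Math.ceil((b.resetAt - t) / 1000)));
      return res.status(429).json({ error: 'Too Many Requests' });
    }
    return next();
  };
}

// Constructed req/res doubles so the limiter can be exercised without a server.
function fakeReq(remoteAddress, forwardedFor, path = '/api/auth/login') {
  const headers = forwardedFor ? { 'x-forwarded-for': forwardedFor } : {};
  return { socket: { remoteAddress }, headers, path };
}
function fakeRes() {
  const res = { statusCode: 200, headers: {} };
  res.setHeader = (k, v) => { res.headers[k] = v; };
  res.status = (c) => { res.statusCode = c; return res; }; res.json = () => res;
  return res;
}
// Push n copies of one request through `limiter`; return the status codes seen.
function drive(limiter, req, n) {
  return Array.from({ length: n }, () => {
    const res = fakeRes();
    limiter(req, res, () => {});
    return res.statusCode;
  });
}
```

The trustProxy=false branch reproduces the failure mode from the notes: every client collapses into Caddy's address and shares one bucket.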

forgejo-lila added the security label 2026-04-19 07:23:34 +00:00
Reference: forgejo-lila/lila#25