nhcarrigan/library
9
0
Fork 0
generated from nhcarrigan/template
Code Issues Pull Requests 54 Actions Releases 3 Activity

feat: implement tiered rate limiting with admin bypass

Browse Source 
Update rate limiting to be more lenient for authenticated users and bypass limits entirely for admin users:

- Unauthenticated users: 100 requests/minute (original limit)
- Authenticated users: 500 requests/minute (5x increase)
- Admin users: No rate limits (completely bypassed via allowList)

This allows the admin to interact with the library without restrictions whilst still protecting against abuse from unauthenticated users. Authenticated users get a much more generous limit for better user experience.

Uses @fastify/rate-limit's allowList and dynamic max options to implement the tiered system.
This commit is contained in:
Hikari
2026-02-20 18:35:21 -08:00
committed by Naomi Carrigan
parent 1fd2086afe
commit f40f917bc5
1 changed files with 20 additions and 1 deletions
Download Patch File Download Diff File Expand all files Collapse all files
api/src/app/plugins/rate-limit.ts
+20 -1
View File
@@ -12,8 +12,27 @@ import { AuditAction, AuditCategory } from "@library/shared-types";
const rateLimitPlugin: FastifyPluginAsync = async (app) => {
await app.register(fastifyRateLimit, {
max: 100,
max: async (request) => {
// Try to get user from JWT
try {
await request.jwtVerify();
// Authenticated users get higher limits
return 500;
} catch {
// Unauthenticated users get lower limits
return 100;
}
},
timeWindow: "1 minute",
allowList: async (request) => {
// Bypass rate limiting entirely for admin users
try {
await request.jwtVerify();
return request.user?.isAdmin === true;
} catch {
return false;
}
},
errorResponseBuilder: (request) => {
// Log rate limit exceeded event
AuditService.log({