Skip to content

rate-limiting: custom user-id RateIssuer for write endpoints #55

Description

@disconsented

Add a custom RateIssuer that keys authenticated requests by user id instead of IP, for the write/vote (and optionally login) buckets.

Scope

  • Implement a RateIssuer that reads the authenticated user from the Depot (populated by validate_biscuit_token; see auth::get_user_from_depot, used at src/web/item.rs:370).
  • Fall back to IP keying when no user is present.
  • Wire it into the write/vote buckets so vote-stuffing and property spam are limited per account, not per shared NAT/proxy IP.

Depends on

Parent: #50

Metadata

Metadata

Assignees

No one assigned

    Labels

    enhancementNew feature or request

    Projects

    No projects

    Milestone

    No milestone

    Relationships

    None yet

    Development

    No branches or pull requests

    Issue actions