Add rate limiting per user (not just per IP) #573

@Mystery-CLI

🔧 Title: Add rate limiting per user (not just per IP)

📘 Description
The current rate limiter is IP-based. Authenticated users behind a shared IP (corporate NAT, VPN) share the same rate limit bucket. High-volume legitimate users can be blocked by a single bad actor on the same IP. Per-user rate limiting is more accurate.

Acceptance Criteria

  • Add a per-user rate limiter that uses req.user.id as the key for authenticated routes
  • Apply stricter per-user limits to payment endpoints (10 payments/minute)
  • Keep IP-based limiting for unauthenticated routes
  • Add tests for per-user rate limiting

🔧 Context: backend/src/middleware/rateLimiter.js.


Metadata

Labels: enhancement (New feature or request)