Implement Rate Limiting and Quota Checks for AI Flashcard Generation Endpoints #72

@0010aor

Description

The application provides two endpoints for generating flashcards using AI:

  • One for creating entire collections of flashcards via AI
  • One for creating a single flashcard via AI

AI generation is a potentially costly and/or privileged operation. Without safeguards, these endpoints could be abused, leading to excessive costs, degraded performance, or denial of service for legitimate users.

Current Behavior

  • There are no explicit rate limiting or quota checks on the AI-powered flashcard generation endpoints.
  • Any authenticated user can make repeated or excessive requests to generate flashcards using AI.
  • There is no mechanism to restrict usage based on user, plan, or other criteria.

Expected Behavior

  • Implement rate limiting and/or quota checks for both AI flashcard generation endpoints (collection and single card).
  • The system should restrict the number of AI generation requests per user (and/or per IP) within a given time window (e.g., N requests per hour/day).
  • When a user exceeds their quota or rate limit, the API should return a clear error message (e.g., HTTP 429 Too Many Requests) and the frontend should display a helpful notification.
  • The implementation should be robust, secure, and configurable.

Open Questions

  • Should quotas reset daily, monthly, or use rolling windows?
  • Should there be a global cap in addition to per-user limits?
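
The reset-versus-rolling question above, as an added example in Python (not part of the original issue or this repository's code; the class and function names, the in-memory single-process store and the sample limits are assumptions): with a fixed reset a user can spend a full quota just before the boundary and another just after it, which a rolling window prevents. `guard_ai_generation` shows the HTTP 429 response with `Retry-After` and an optional global cap.

```python
import math, time
from collections import defaultdict, deque

class FixedWindowQuota:
    """`limit` requests per key; the counter resets at each window boundary."""
    def __init__(self, limit, window, clock=time.time):
        self.limit, self.window, self.clock = limit, window, clock
        self.counts = {}  # key -> (window index, accepted count)
    def check(self, key):
        now = self.clock()
        idx = int(now // self.window)
        seen_idx, count = self.counts.get(key, (idx, 0))
        count = count if seen_idx == idx else 0  # new window: quota resets
        if count >= self.limit:
            return False, (idx + 1) * self.window - now
        self.counts[key] = (idx, count + 1)
        return True, 0.0

class RollingWindowQuota:
    """`limit` requests per key within any span of `window` seconds."""
    def __init__(self, limit, window, clock=time.time):
        self.limit, self.window, self.clock = limit, window, clock
        self.hits = defaultdict(deque)  # key -> timestamps of accepted requests
    def check(self, key):
        now = self.clock()
        q = self.hits[key]
        while q and q[0] <= now - self.window:
            q.popleft()  # drop requests that aged out of the window
        if len(q) >= self.limit:
            return False, q[0] + self.window - now
        q.append(now)
        return True, 0.0

def guard_ai_generation(user_id, per_user, global_cap=None):
    """Return (status, headers). Per-user runs first so an over-quota user never drains the global cap."""
    allowed, retry = per_user.check(f"user:{user_id}")
    if allowed and global_cap is not None:
        allowed, retry = global_cap.check("global")
    if not allowed:
        return 429, {"Retry-After": str(math.ceil(retry))}
    return 200, {}

def boundary_burst(quota_cls, limit=5, window=3600):
    """Constructed scenario: `limit` requests 1 s before a boundary, `limit` 1 s after."""
    now = [0.0]
    quota = quota_cls(limit, window, clock=lambda: now[0])
    accepted = 0
    for now[0] in (window - 1.0, window + 1.0):  # advance the fake clock
        accepted += sum(quota.check("user:42")[0] for _ in range(limit))
    return accepted
```

`boundary_burst(FixedWindowQuota)` accepts 10 requests within two seconds while `boundary_burst(RollingWindowQuota)` accepts 5. A deployment with more than one worker would need the counters in a shared store rather than process memory.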

Labels: help wanted
