Problem
The current quota system only limits per-integration invocations via the broker. There is no global rate limiting at the HTTP layer, meaning:
- No protection against burst traffic from any endpoint
- No Retry-After headers to guide clients on backoff
- No per-IP or per-user request rate limiting
- Health check and public endpoints have no protection
Proposed Solution
Add a Redis-backed sliding window rate limiter as FastAPI middleware:
- Use Redis sorted sets or token bucket algorithm
- Return 429 Too Many Requests with Retry-After header
- Configurable per-route or global limits via settings
- Graceful degradation when Redis is unavailable (allow all)
- Consider using the slowapi library or building on existing Redis infrastructure
Add settings: RATE_LIMIT_ENABLED, RATE_LIMIT_REQUESTS_PER_MINUTE, RATE_LIMIT_BURST.
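A sketch of the sorted-set sliding window described above, added here as an illustration and not code from this repository: the in-memory store is a constructed stand-in for the redis-py sorted-set calls the limiter would use, and the `ratelimit:` key prefix, parameter names and `enforce` helper are assumptions.

```python
import math
import time

class InMemorySortedSets:
    """Constructed offline stand-in for the redis-py sorted-set calls used below."""

    def __init__(self):
        self._sets: dict[str, dict[str, float]] = {}

    def zremrangebyscore(self, key, lo, hi):
        s = self._sets.setdefault(key, {})
        for m in [m for m, score in s.items() if lo <= score <= hi]:
            del s[m]

    def zadd(self, key, mapping):
        self._sets.setdefault(key, {}).update(mapping)

    def zcard(self, key):
        return len(self._sets.get(key, {}))

    def zrange(self, key, start, end, withscores=False):
        items = sorted(self._sets.get(key, {}).items(), key=lambda kv: kv[1])
        items = items[start:(len(items) if end == -1 else end + 1)]
        return items if withscores else [m for m, _ in items]

class SlidingWindowLimiter:
    """One sorted set per client key: member = request id, score = timestamp."""

    def __init__(self, store, requests_per_window, window_seconds=60.0):
        self.store, self.limit, self.window = store, requests_per_window, window_seconds

    def check(self, client_key, now=None):
        """Return (allowed, retry_after_seconds); retry_after is 0 when allowed."""
        now = time.time() if now is None else now
        key = f"ratelimit:{client_key}"  # assumed key prefix
        try:
            self.store.zremrangebyscore(key, 0, now - self.window)  # expire old hits
            count = self.store.zcard(key)
            if count >= self.limit:
                oldest = self.store.zrange(key, 0, 0, withscores=True)[0][1]
                return False, max(1, math.ceil(oldest + self.window - now))
            self.store.zadd(key, {f"{now}:{count}": now})
            return True, 0
        except Exception:
            return True, 0  # graceful degradation: allow all when Redis is unreachable

def enforce(limiter, client_key, now=None):
    """Middleware decision: None lets the request through, else the 429 reply."""
    allowed, retry_after = limiter.check(client_key, now)
    return None if allowed else {"status": 429, "headers": {"Retry-After": str(retry_after)}}
```

With a real Redis client the remove/count/add calls should run in one pipeline (MULTI/EXEC or a Lua script) so concurrent requests cannot slip past the count between steps.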
Files
- New: src/core/rate_limit.py
- src/main.py (add middleware)
- src/core/settings.py (add settings)