move some hardcoded ratelimits for the api to env vars#2332
Merged
notAreYouScared merged 3 commits intoMay 19, 2026
Conversation
Contributor
|
All contributors have signed the CLA ✍️ ✅ |
Contributor
|
No actionable comments were generated in the recent review. 🎉 ℹ️ Recent review info⚙️ Run configurationConfiguration used: Repository UI Review profile: CHILL Plan: Pro Run ID: 📒 Files selected for processing (1)
🚧 Files skipped from review as they are similar to previous changes (1)
📝 WalkthroughWalkthroughRate limit values were moved to env-backed entries in ChangesRate Limit Configuration and Consumption
🚥 Pre-merge checks | ✅ 4 | ❌ 1❌ Failed checks (1 warning)
✅ Passed checks (4 passed)
✏️ Tip: You can configure your own custom pre-merge checks in the settings. Tip 💬 Introducing Slack Agent: The best way for teams to turn conversations into code.Slack Agent is built on CodeRabbit's deep understanding of your code, so your team can collaborate across the entire SDLC without losing context.
Built for teams:
One agent for your entire SDLC. Right inside Slack. Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out. Comment |
Contributor
Author
|
I have read the CLA Document and I hereby sign the CLA |
![coderabbitai[bot]](https://avatars.githubusercontent.com/in/347564?s=60&v=4){kind=small}
Contributor
There was a problem hiding this comment.
Actionable comments posted: 1
Caution
Some comments are outside the diff and can’t be posted inline due to platform limitations.
⚠️ Outside diff range comments (1)
config/http.php (1)
4-13:⚠️ Potential issue | 🟡 Minor | ⚡ Quick winUpdate the configuration comment to reflect the expanded scope.
The comment still only mentions "client and internal (application) APIs" but the configuration now includes many additional rate limits (auth, password reset, websocket, backup restore, database create, subuser create, file pull, and default). Additionally, it should mention that these values are configurable via environment variables.
📝 Suggested comment update
/* |-------------------------------------------------------------------------- | API Rate Limits |-------------------------------------------------------------------------- | - | Defines the rate limit for the number of requests per minute that can be - | executed against both the client and internal (application) APIs over the - | defined period (by default, 1 minute). + | Defines rate limits for various API endpoints and resources. Each rate + | limit consists of a period (in minutes) and a maximum number of requests + | allowed within that period. All values can be configured via environment + | variables and include sensible defaults. | */🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the rest with a brief reason, keep changes minimal, and validate. In `@config/http.php` around lines 4 - 13, The comment block above API rate limits in config/http.php is outdated—update the multi-line comment that documents "API Rate Limits" to list the full set of rate-limited categories (auth, password reset, websocket, backup restore, database create, subuser create, file pull, default, client/internal APIs) and note that each limit is configurable via environment variables; change the descriptive text in the existing comment block (the one wrapping the API Rate Limits section) to briefly describe the expanded scope and mention env var configurability so future readers can find and adjust limits for keys like auth, password_reset, websocket, backup_restore, database_create, subuser_create, file_pull and default.
🤖 Prompt for all review comments with AI agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.
Inline comments:
In `@app/Providers/RouteServiceProvider.php`:
- Around line 70-76: The default authentication rate limiter defined in
RateLimiter::for('authentication') is missing the per-IP scoping present in the
forgot-password branch; update the default Limit returned from
Limit::perMinutes(config('http.rate_limit.auth_period'),
config('http.rate_limit.auth')) to include ->by($request->ip()) so it is keyed
per client IP (same pattern used when
$request->route()->named('auth.post.forgot-password')).
---
Outside diff comments:
In `@config/http.php`:
- Around line 4-13: The comment block above API rate limits in config/http.php
is outdated—update the multi-line comment that documents "API Rate Limits" to
list the full set of rate-limited categories (auth, password reset, websocket,
backup restore, database create, subuser create, file pull, default,
client/internal APIs) and note that each limit is configurable via environment
variables; change the descriptive text in the existing comment block (the one
wrapping the API Rate Limits section) to briefly describe the expanded scope and
mention env var configurability so future readers can find and adjust limits for
keys like auth, password_reset, websocket, backup_restore, database_create,
subuser_create, file_pull and default.
🪄 Autofix (Beta)
Fix all unresolved CodeRabbit comments on this PR:
- Push a commit to this branch (recommended)
- Create a new PR with the fixes
ℹ️ Review info
⚙️ Run configuration
Configuration used: Repository UI
Review profile: CHILL
Plan: Pro
Run ID: 8f096904-8b79-4ec7-aebe-cd52ca6cf04b
📒 Files selected for processing (3)
app/Enums/ResourceLimit.phpapp/Providers/RouteServiceProvider.phpconfig/http.php
Contributor
Author
|
adjusted some of the comments based on coderabbitai suggestions |
notAreYouScared
approved these changes
May 19, 2026
Boy132
approved these changes
May 19, 2026
3 tasks
3 tasks
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to subscribe to this conversation on GitHub.
Already have an account?
Sign in.
3 participants
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
while making an app using the api i ran into ratelimits that didn't make sense, turns out there are ratelimits outside of the client and application api rate limits, this moves the ones i found, including the auth and password reset ratelimits to using env vars for configuration .
ideally this would be in admin panel area where the client and application api ratelimits are but i know practically nothing about php, larvel , filament or the other things this project uses. i have programmed a decent amt and it turns combining that with some copy pasting and a linter/syntax checker ends up working out ok.
feel free to suggest better names for the config values, whether for naming conventions or something else
my main concern is that these ratelimits are able to be configured in a docker environment without needing to override the file via docker volume bind