
Add rate limiting middleware (#1916) #1931

bpamiri merged 2 commits into develop from peter/rate-limiting-1916 on Mar 10, 2026


@bpamiri bpamiri commented Mar 9, 2026

Summary

  • Adds wheels.middleware.RateLimiter with three strategies: fixed window, sliding window, and token bucket
  • Supports in-memory (ConcurrentHashMap) and database-backed storage
  • Configurable key functions, header prefixes, proxy trust, and per-route scoping
  • Sets standard X-RateLimit-* headers and returns 429 Too Many Requests with Retry-After

Files

| File | Action |
|---|---|
| vendor/wheels/middleware/RateLimiter.cfc | Created — core implementation (551 lines) |
| tests/specs/middleware/RateLimiterSpec.cfc | Created — 22 TestBox BDD specs |
| docs/src/handling-requests-with-controllers/rate-limiting.md | Created — framework docs |
| .ai/wheels/middleware/rate-limiting.md | Created — AI reference |
| docs/src/SUMMARY.md | Edited — added nav entry |
| CHANGELOG.md | Edited — added unreleased entry |
| CLAUDE.md | Edited — updated middleware quick reference |

Design Decisions

  • Fail-open: Lock timeouts allow the request through rather than blocking — prevents the rate limiter from becoming a bottleneck under extreme load
  • Per-key locking: cflock names include the client key, so different clients never contend with each other
  • ConcurrentHashMap: Thread-safe reads without locking; cflock only needed for compound read-modify-write
  • Throttled cleanup: Memory cleanup runs at most once per minute to avoid overhead
  • DB auto-create: $ensureTable() creates wheels_rate_limits on first use — no migration needed

Test plan

  • Unit tests cover all three strategies (fixed window, sliding window, token bucket)
  • Tests verify init validation, rate blocking, client isolation, pipeline integration
  • Tests use Pipeline.run() — same approach as MiddlewarePipelineSpec.cfc
  • Run full test suite on CI

Closes #1916

🤖 Generated with Claude Code
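
The fail-open and per-key locking decisions described above, as an added Python sketch (not the PR's RateLimiter.cfc; the class, method, counter and exact header names are assumptions for illustration). It shows a token bucket that lets a request through uncounted when its key's lock cannot be acquired in time, and counts those events so the loss of enforcement can be monitored.

```python
import math
import threading
import time


class TokenBucketLimiter:
    """Token bucket with per-key locks and fail-open lock timeouts (illustrative)."""

    def __init__(self, capacity, refill_per_sec, lock_timeout=0.05, clock=time.monotonic):
        self.capacity = capacity
        self.refill_per_sec = refill_per_sec
        self.lock_timeout = lock_timeout
        self.clock = clock
        self.buckets = {}          # key -> (tokens, last_refill_time)
        self.locks = {}            # key -> Lock, so different clients never contend
        self.registry_lock = threading.Lock()
        self.fail_open_count = 0   # export as a metric: growth means requests went unmetered

    def _lock_for(self, key):
        with self.registry_lock:
            return self.locks.setdefault(key, threading.Lock())

    def check(self, key):
        """Return (allowed, status, headers) for one request from `key`."""
        lock = self._lock_for(key)
        if not lock.acquire(timeout=self.lock_timeout):
            # Fail-open: the request passes without consuming a token.
            with self.registry_lock:
                self.fail_open_count += 1
            return True, 200, {}
        try:
            now = self.clock()
            tokens, last = self.buckets.get(key, (float(self.capacity), now))
            tokens = min(self.capacity, tokens + (now - last) * self.refill_per_sec)
            allowed = tokens >= 1.0
            if allowed:
                tokens -= 1.0
            self.buckets[key] = (tokens, now)
        finally:
            lock.release()
        headers = {"X-RateLimit-Limit": str(self.capacity),
                   "X-RateLimit-Remaining": str(int(tokens))}
        if allowed:
            return True, 200, headers
        # Seconds until one whole token is available again.
        headers["Retry-After"] = str(math.ceil((1.0 - tokens) / self.refill_per_sec))
        return False, 429, headers
```

A rising `fail_open_count` is the signal to alert on: while a key's lock is contended, that key is effectively unlimited.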

bpamiri and others added 2 commits March 9, 2026 16:45
…oken bucket strategies

Implements #1916. Adds wheels.middleware.RateLimiter with configurable strategies
(fixedWindow, slidingWindow, tokenBucket), storage backends (memory, database),
custom key functions, and standard rate limit response headers. Includes TestBox
BDD tests, framework docs, and AI reference docs.

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
@bpamiri bpamiri merged commit 402afca into develop Mar 10, 2026
45 checks passed
@bpamiri bpamiri deleted the peter/rate-limiting-1916 branch March 10, 2026 04:57
@bpamiri bpamiri added this to the v3.1 milestone Mar 17, 2026