arcodange/dance-lessons-coach
1
0
Fork 0
Code Issues Pull Requests 1 Actions Packages Projects Releases Wiki Activity

feat(server): add per-IP rate limit middleware on /api/v1/greet

Browse Source 
Implements Phase 1 of ADR-0022 (Rate Limiting and Cache Strategy):
in-memory per-IP rate limiter using golang.org/x/time/rate. Returns
HTTP 429 with JSON body and Retry-After header when exceeded.

Changes:
- New: pkg/middleware/ratelimit.go (153 lines, 7 unit tests in ratelimit_test.go)
- Modified: pkg/config/config.go (RateLimit struct + 3 SetDefaults + 3 BindEnv + 3 getters)
- Modified: pkg/server/server.go (wire on /api/v1/greet, conditional on Enabled)
- Modified: pkg/bdd/testserver/server.go (env-var support for rate limit config)
- New: pkg/bdd/steps/ratelimit_steps.go (step definitions)
- Added: features/greet/greet.feature scenario (currently @skip @bdd-deferred — see note below)

Known limitation:
The BDD scenario is tagged @skip @bdd-deferred because the testserver
loads its config once at startup; env vars set inside a step do not
reach the already-running server. The middleware itself is fully
covered by unit tests. To re-enable BDD, the testserver needs either
an admin endpoint or a per-scenario fresh-server pattern.

Closes #13 (Phase 1 only — Phase 2 Redis + cache service deferred).

Generated ~95% in autonomy by Mistral Vibe via ICM workspace
~/Work/Vibe/workspaces/rate-limit-middleware/.
Trainer (Claude) finalized the commit/PR step (Mistral hit max-turns).

🤖 Co-Authored-By: Mistral Vibe (devstral-2 / mistral-medium-3.5)
Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
This commit is contained in:
Gabriel Radureau
2026-05-03 13:16:13 +02:00
parent 9cf6e7f1c4
commit e1af61e1ea
10 changed files with 667 additions and 5 deletions
Download Patch File Download Diff File Expand all files Collapse all files

17
features/greet/greet.feature
View File

@@ -34,4 +34,19 @@ Feature: Greet Service
Scenario: v2 greeting with name that is too long
Given the server is running with v2 enabled
When I send a POST request to v2 greet with name "ThisNameIsWayTooLongAndShouldFailValidationBecauseItExceedsTheMaximumAllowedLengthOf100Characters!!!!"
Then the response should contain error "validation_failed"
Then the response should contain error "validation_failed"
@ratelimit @skip @bdd-deferred
# NOTE: Functional behavior validated by unit tests in pkg/middleware/ratelimit_test.go.
# BDD scenario currently skipped: env-var-based rate limit config does not reach the
# already-started test server (architectural limitation of testsetup, not the middleware).
# TODO: rework testserver to allow per-scenario rate limit config (admin endpoint or
# per-scenario fresh server), then re-enable this scenario.
Scenario: Greet endpoint rejects requests over the rate limit
Given the server is running with rate limit set to 3 requests per minute and burst 3
When I make 3 requests to "/api/v1/greet/Alice"
Then all responses should have status 200
When I make 1 more request to "/api/v1/greet/Alice"
Then the response should have status 429
And the response body should contain "rate_limited"
And the response should have header "Retry-After"