oib/aitbc
1
0
Fork 0
Code Issues Pull Requests Actions 21 Packages Projects Releases Wiki Activity
Files
d24e1100dec3ec540b4edfab2191b7bdd8420ff1
aitbc/docs/RATE_LIMITING_GUIDE.md
aitbc 40cee6d791
Some checks failed
Cross-Node Transaction Testing / transaction-test (push) Has been cancelled
Details
Deploy to Testnet / deploy-testnet (push) Has been cancelled
Details
Documentation Validation / validate-docs (push) Has been cancelled
Details
Documentation Validation / validate-policies-strict (push) Has been cancelled
Details
Integration Tests / test-service-integration (push) Has been cancelled
Details
Multi-Node Stress Testing / stress-test (push) Has been cancelled
Details
Python Tests / test-python (push) Has been cancelled
Details
Security Scanning / security-scan (push) Has been cancelled
Details
API Endpoint Tests / test-api-endpoints (push) Successful in 20s
Details
CLI Tests / test-cli (push) Failing after 3s
Details
Package Tests / Python package - aitbc-agent-sdk (push) Successful in 33s
Details
Package Tests / Python package - aitbc-core (push) Failing after 1s
Details
Package Tests / Python package - aitbc-crypto (push) Successful in 10s
Details
Package Tests / Python package - aitbc-sdk (push) Successful in 9s
Details
Package Tests / JavaScript package - aitbc-sdk-js (push) Successful in 10s
Details
Package Tests / JavaScript package - aitbc-token (push) Successful in 17s
Details
Production Tests / Production Integration Tests (push) Failing after 6s
Details
refactor: enhance configuration with security validation, database pooling, and rate limiting 
- Added List import and field_validator to config.py
- Added database connection pooling settings (max_overflow, pool_recycle, pool_pre_ping, echo)
- Added rate limiting settings (rate_limit_requests, rate_limit_window_seconds)
- Added CORS allow_origins field with default empty list
- Added validate_secrets() method to check required secrets in production
- Added validate_secret_length() validator for secret_key and jwt_secret (minimum
2026-05-12 21:17:54 +02:00

144 lines
3.7 KiB
Markdown
Raw Blame History

# Rate Limiting Implementation Guide
## Overview
Rate limiting has been implemented for AITBC API endpoints to prevent abuse and ensure fair resource allocation. This guide explains how to apply rate limiting to FastAPI routers.
## Infrastructure
### Rate Limiting Module
Location: `/opt/aitbc/aitbc/rate_limiting.py`
The module provides:
- `@rate_limit()` decorator for endpoint-level rate limiting
- `RateLimitMiddleware` for global middleware-based rate limiting
- Helper functions for managing rate limiters
### Rate Limiter Implementation
The underlying `RateLimiter` class in `aitbc/security_hardening.py` implements a token bucket algorithm.
## Applying Rate Limiting to Routers
### Step 1: Import the decorator
```python
from fastapi import Request
from aitbc.rate_limiting import rate_limit
```
### Step 2: Add Request parameter
Add `request: Request` as the first parameter (after any path parameters) to each endpoint:
```python
@router.post("/workflows")
async def create_workflow(
request: Request, # Add this
workflow_data: AgentWorkflowCreate,
session: Session = Depends(...),
current_user: str = Depends(...),
):
...
```
### Step 3: Apply the decorator
Add the `@rate_limit` decorator before the endpoint:
```python
@router.post("/workflows")
@rate_limit(rate=100, per=60) # 100 requests per minute
async def create_workflow(
request: Request,
workflow_data: AgentWorkflowCreate,
session: Session = Depends(...),
current_user: str = Depends(...),
):
...
```
### Rate Limit Guidelines
Recommended rate limits by endpoint type:
- **Write operations** (POST, PUT, DELETE): 50-100 requests per minute
- **Read operations** (GET): 200-500 requests per minute
- **Health/test endpoints**: 1000 requests per minute
- **Execution/long-running operations**: 50 requests per minute
### Example: Complete Router
See `/opt/aitbc/apps/coordinator-api/src/app/routers/agent_router.py` for a complete example.
## Custom Rate Limiting
### Custom Key Function
To rate limit by something other than IP address (e.g., API key, user ID):
```python
def custom_key(request: Request) -> str:
return request.headers.get("X-API-Key", "unknown")
@router.post("/endpoint")
@rate_limit(rate=100, per=60, key_func=custom_key)
async def endpoint(request: Request, ...):
...
```
### Custom Error Message
```python
@router.post("/endpoint")
@rate_limit(rate=100, per=60, error_message="Custom limit message")
async def endpoint(request: Request, ...):
...
```
## Global Middleware
For global rate limiting across all endpoints, use the middleware:
```python
from aitbc.rate_limiting import RateLimitMiddleware
app.add_middleware(
RateLimitMiddleware,
rate=100,
per=60
)
```
## Testing
Rate limiting tests are in `/opt/aitbc/tests/test_rate_limiting.py`.
Run tests:
```bash
python3 -m pytest -c /dev/null --rootdir "$PWD" --import-mode=importlib tests/test_rate_limiting.py -v
```
## Remaining Work
There are 70+ router files across the codebase. The following routers need rate limiting applied:
### Coordinator-API (50+ routers)
- `/opt/aitbc/apps/coordinator-api/src/app/routers/*.py`
- `/opt/aitbc/apps/coordinator-api/src/app/contexts/*/routers/*.py`
### Other Services
- `/opt/aitbc/apps/agent-coordinator/src/app/routers/*.py`
- `/opt/aitbc/apps/pool-hub/src/app/routers/*.py`
- `/opt/aitbc/apps/agent-management/src/app/routers/*.py`
- `/opt/aitbc/apps/blockchain-node/src/aitbc_chain/rpc/router.py`
- `/opt/aitbc/apps/exchange/*.py`
- `/opt/aitbc/apps/wallet/src/app/api_rest.py`
## Priority Order
1. **High Priority**: Public-facing APIs (coordinator-api, exchange, wallet)
2. **Medium Priority**: Internal service APIs (agent-coordinator, pool-hub)
3. **Low Priority**: Admin/management APIs
Reference in New Issue View Git Blame Copy Permalink