Copilot AI commented Nov 25, 2025

Thanks for assigning this issue to me. I'm starting to work on it and will keep this PR's description up to date as I form a plan and make progress.

Original prompt

This section details the original issue you should resolve

<issue_title>[Phase 1] Rate Limiting & Throttling Controls</issue_title>
<issue_description>## Priority: P0 (Critical)
Phase: 1 - E-Commerce Core
Estimate: 2 days
Type: Story

Context

Introduce per-organization and per-IP rate limiting to guard against abuse, preserve performance, and protect payment/idempotency layers.

Scope

  • Basic in-memory dev limiter (sliding window or token bucket)
  • Interface abstraction for future Redis store
  • Limits (initial suggested):
    • Auth endpoints: 10/min/IP
    • Order create: 60/min/org
    • Payment attempt: 30/min/org
    • Webhook endpoint create: 20/hour/org
  • Response: 429 with Retry-After header
  • Metrics: rate.limit.hit.count, rate.limit.block.count

Acceptance Criteria

  • Exceeding configured limit returns 429 with correct Retry-After
  • Limits configurable via env for each category
  • Rate limiting integrates with Idempotency (still single side effect) without double counting
  • Structured log on block includes route, orgId, ip, limit key
  • Minimal overhead (< 1ms avg per check dev)

Data Model (Future Redis)

Key pattern: rl:{scope}:{id} storing counters & timestamps

Dependencies

Metrics Targets

  • Correct block detection for simulated abuse scenario (100 rapid requests) > 95% blocked

Testing Checklist

  • Exceed auth endpoint limit
  • Exceed order create limit concurrently
  • Ensure legitimate spaced requests pass

Risk

Resource exhaustion & financial abuse if absent (score: 16). Critical protective layer.

References

  • docs/GITHUB_ISSUES_COMPARISON_ANALYSIS.md (rate limiting gap)
</issue_description>

Comments on the Issue (you are @copilot in this section)
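The limiter the issue above specifies, as an added example (not stormcomui code and not part of this PR): a sliding-window store behind an interface that a Redis store can later implement, per-category limits loaded from env with the issue's suggested values as defaults, a 429 carrying Retry-After, the two metric counters and the structured block record (route, orgId, ip, limit key). The names RateLimitStore, MemorySlidingWindowStore, RateLimiter, loadRules and simulateAbuse, the RATE_LIMIT_* env variable scheme, the X-RateLimit-Remaining header and the IP/org sample values are assumptions, not anything the project defines.

```typescript
// Added example, not stormcomui project code. All names and the env scheme are assumptions.

export interface RateLimitDecision {
  allowed: boolean;
  remaining: number;     // requests left in the current window
  retryAfterMs: number;  // 0 when allowed; time until the oldest counted hit expires when blocked
}

export interface RateLimitStore {
  // Count one request against `key` and decide. A Redis store would do this atomically (e.g. in a script).
  consume(key: string, limit: number, windowMs: number, now: number): RateLimitDecision;
}

export class MemorySlidingWindowStore implements RateLimitStore {
  private readonly hits = new Map<string, number[]>();

  consume(key: string, limit: number, windowMs: number, now: number): RateLimitDecision {
    const cutoff = now - windowMs;
    const inWindow = (this.hits.get(key) ?? []).filter((t) => t > cutoff);
    if (inWindow.length >= limit) {
      // Blocked requests are not recorded, so a client recovers as soon as the oldest hit ages out.
      this.hits.set(key, inWindow);
      const oldest = inWindow[0] ?? now;
      return { allowed: false, remaining: 0, retryAfterMs: oldest + windowMs - now };
    }
    inWindow.push(now);
    this.hits.set(key, inWindow);
    return { allowed: true, remaining: limit - inWindow.length, retryAfterMs: 0 };
  }
}

export type LimitCategory = "auth" | "orderCreate" | "paymentAttempt" | "webhookCreate";
export interface LimitRule { limit: number; windowMs: number; scope: "ip" | "org" }

// Defaults are the issue's suggested limits.
export const DEFAULT_RULES: Record<LimitCategory, LimitRule> = {
  auth:           { limit: 10, windowMs: 60_000,    scope: "ip"  },
  orderCreate:    { limit: 60, windowMs: 60_000,    scope: "org" },
  paymentAttempt: { limit: 30, windowMs: 60_000,    scope: "org" },
  webhookCreate:  { limit: 20, windowMs: 3_600_000, scope: "org" },
};

// Per-category env override (assumed naming), e.g. RATE_LIMIT_ORDER_CREATE=120/60000 meaning <count>/<windowMs>.
export function loadRules(env: Record<string, string | undefined>): Record<LimitCategory, LimitRule> {
  const rules = { ...DEFAULT_RULES };
  for (const cat of Object.keys(DEFAULT_RULES) as LimitCategory[]) {
    const name = "RATE_LIMIT_" + cat.replace(/[A-Z]/g, (c) => "_" + c).toUpperCase();
    const raw = env[name];
    if (raw === undefined) continue;
    const m = /^(\d+)\/(\d+)$/.exec(raw);
    if (!m) throw new Error(`${name} must look like <count>/<windowMs>, got "${raw}"`);
    rules[cat] = { ...DEFAULT_RULES[cat], limit: Number(m[1]), windowMs: Number(m[2]) };
  }
  return rules;
}

export interface RequestContext { route: string; ip: string; orgId?: string }
export interface BlockEvent { route: string; orgId?: string; ip: string; limitKey: string; retryAfter: number }
export interface LimitResult { status: 200 | 429; headers: Record<string, string> }

export class RateLimiter {
  readonly metrics = { "rate.limit.hit.count": 0, "rate.limit.block.count": 0 };
  readonly blocks: BlockEvent[] = [];  // stands in for the structured logger

  constructor(
    private readonly store: RateLimitStore,
    private readonly rules: Record<LimitCategory, LimitRule>,
    private readonly clock: () => number = Date.now,  // injectable so tests control time
  ) {}

  check(category: LimitCategory, ctx: RequestContext): LimitResult {
    const rule = this.rules[category];
    const id = rule.scope === "ip" ? ctx.ip : ctx.orgId;
    if (!id) throw new Error(`${category} is limited per org but the request carries no orgId`);
    const key = `rl:${category}:${id}`;  // the issue's rl:{scope}:{id} pattern
    this.metrics["rate.limit.hit.count"]++;
    const d = this.store.consume(key, rule.limit, rule.windowMs, this.clock());
    if (d.allowed) return { status: 200, headers: { "X-RateLimit-Remaining": String(d.remaining) } };
    this.metrics["rate.limit.block.count"]++;
    const retryAfter = Math.max(1, Math.ceil(d.retryAfterMs / 1000));  // Retry-After is whole seconds
    this.blocks.push({ route: ctx.route, orgId: ctx.orgId, ip: ctx.ip, limitKey: key, retryAfter });
    return { status: 429, headers: { "Retry-After": String(retryAfter) } };
  }
}

// The issue's abuse scenario: n back-to-back auth requests from one (constructed) IP.
export function simulateAbuse(limiter: RateLimiter, n: number): { allowed: number; blocked: number } {
  let allowed = 0;
  let blocked = 0;
  for (let i = 0; i < n; i++) {
    const r = limiter.check("auth", { route: "POST /api/auth/login", ip: "203.0.113.7" });
    if (r.status === 200) allowed++; else blocked++;
  }
  return { allowed, blocked };
}
```

Blocked requests are deliberately not written into the window, so Retry-After is exactly the time until the oldest counted hit ages out, and a client that waits that long is admitted instead of being locked out indefinitely by its own retries. A Redis implementation of consume() should do the read, trim and append in one script so two concurrent order creates from the same org cannot both slip under the limit. For the idempotency criterion, call check() once per HTTP attempt before the idempotency lookup rather than inside the side-effecting handler: a replayed idempotency key then counts as one attempt and still produces a single side effect.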



Copilot AI self-assigned this Nov 25, 2025

vercel bot commented Nov 25, 2025

The latest updates on your projects. Learn more about Vercel for GitHub.

Project: stormcomui; Deployment: Ready; Updated (UTC): Nov 25, 2025 2:45am

Successfully merging this pull request may close these issues.

[Phase 1] Rate Limiting & Throttling Controls

2 participants