Overview

We have implemented a configurable rate limiting system to protect the API from:
  1. DDoS Attacks: Using a global rate limiter.
  2. Brute Force Attacks: Using a stricter rate limiter on authentication endpoints.

Configuration

Rate limits are configured in pkg/config/config.go and can be overridden via environment variables.
Variable                 Default  Description
RATE_LIMIT_GLOBAL_RPS    20       Requests per second allowed globally per IP.
RATE_LIMIT_GLOBAL_BURST  50       Maximum burst size allowed globally.
RATE_LIMIT_AUTH_RPS      2        Requests per second allowed for Login/Register per IP.
RATE_LIMIT_AUTH_BURST    5        Maximum burst size for auth endpoints.

Implementation Details

1. Global Rate Limiter

Applied to all routes via e.Use() in main.go.
  • Purpose: Prevent a single IP from flooding the server.
  • Limit: Moderate (20 RPS / 50 Burst).
  • Identifier: Real IP Address.

2. Auth Rate Limiter

Applied specifically to /api/v1/auth/* routes (/login, /register).
  • Purpose: Prevent credential stuffing and brute force attacks.
  • Limit: Strict (2 RPS / 5 Burst).
  • Identifier: Real IP Address.

Middleware

Implementation located in internal/api/http/middleware/rate_limit_middleware.go. It uses golang.org/x/time/rate via Echo's middleware.RateLimiter with an in-memory store, so each instance keeps its own per-IP limiters in process memory.

Response Headers

When a request is rate limited, the server responds with:
  • Status Code: 429 Too Many Requests
  • Body: {"error": "Too Many Requests"}
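The two-tier scheme above, as an added standard-library illustration rather than the project's middleware (which uses Echo's middleware.RateLimiter and golang.org/x/time/rate): each Limiter is a per-IP token bucket with the README's RPS/burst values, and Decide chains them the way the global and auth middlewares are chained. The identifier is assumed to be the already-extracted real IP; the addresses used in the test are constructed.

```go
package main

import (
	"math"
	"strings"
	"sync"
	"time"
)

// Limiter is a per-IP token bucket with golang.org/x/time/rate semantics: at most
// Burst tokens, refilled at RPS per second (README: 20/50 globally, 2/5 on auth).
type Limiter struct {
	RPS, Burst float64
	Now        func() time.Time // injectable clock so tests can advance time
	mu         sync.Mutex
	buckets    map[string]*bucket
}
type bucket struct{ tokens float64; last time.Time }

func NewLimiter(rps, burst float64) *Limiter {
	return &Limiter{RPS: rps, Burst: burst, Now: time.Now, buckets: map[string]*bucket{}}
}

// Allow refills ip's bucket for the time elapsed (capped at Burst) and spends one
// token. A first-seen client starts full, so it can send Burst requests back to back.
func (l *Limiter) Allow(ip string) bool {
	l.mu.Lock()
	defer l.mu.Unlock()
	now := l.Now()
	b, ok := l.buckets[ip]
	if !ok {
		b = &bucket{tokens: l.Burst, last: now}
		l.buckets[ip] = b
	}
	b.tokens, b.last = math.Min(l.Burst, b.tokens+now.Sub(b.last).Seconds()*l.RPS), now
	if b.tokens < 1 {
		return false
	}
	b.tokens--
	return true
}

// Decide mirrors the README's chain: global limiter first, then the strict auth
// limiter for /api/v1/auth/*; returns the HTTP status the client would receive.
func Decide(global, auth *Limiter, ip, path string) int {
	if !global.Allow(ip) || (strings.HasPrefix(path, "/api/v1/auth/") && !auth.Allow(ip)) {
		return 429
	}
	return 200
}
```

With the auth tier at 2 RPS / burst 5, the sixth login attempt in a burst is rejected and a new token only arrives every 500 ms, while the same client can still reach non-auth routes under the global tier.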

Future Improvements

For a production environment with multiple replicas (Kubernetes), replace the Memory Store with a Redis Store so rate limits are shared across all instances.
// Future Redis implementation (sketch). Echo ships only the in-memory store, so a
// Redis-backed store implementing the middleware.RateLimiterStore interface has to
// be written; NewRateLimiterRedisStore is a placeholder name for its constructor.
store := middleware.NewRateLimiterRedisStore(redisClient)