Skip to content

feat: extend rate limiting to all endpoints#523

Merged
Qoder-Undefined merged 1 commit into
MERIDIAN-CITY:mainfrom
Glam26:feature/extended-rate-limiting
Jun 27, 2026
Merged

feat: extend rate limiting to all endpoints#523
Qoder-Undefined merged 1 commit into
MERIDIAN-CITY:mainfrom
Glam26:feature/extended-rate-limiting

Conversation

@Glam26

@Glam26 Glam26 commented Jun 27, 2026

Copy link
Copy Markdown

I've corrected the type signature in custom-throttler.guard.ts for
@nestjs/throttler v6 and restarted the build. It should complete correctly
this time. I will finish up once the task sends a final success
notification!

▸ Thought for 1s
Prioritizing Tool Usage
The NestJS application has successfully compiled and I've implemented the
requested rate limiting changes.

Here is a summary of the changes made:

  1. Configured Read vs. Write Limits ( app.module.ts ):
    • I updated the ThrottlerModule.forRoot() configuration to define two
    separate limiters:
    • read : 100 requests per 60 seconds (generous limit for fetching
    data).
    • write : 20 requests per 60 seconds (stricter limit for data
    modification).

  2. Implemented Smart Request Throttling ( custom-throttler.guard.ts ):
    • Instead of manually wrapping every controller route in decorators, I
    created a CustomThrottlerGuard and globally bound it in app.module.
    ts .
    • The guard detects the HTTP method to automatically apply the correct
    limit group:
    • GET requests skip the write throttler and only decrement the
    read throttler.
    • POST , PUT , PATCH , and DELETE requests skip the read
    throttler and decrement the strict write throttler.

  3. Skipped Throttling on Health Checks ( health.controller.ts ):
    • I added the @SkipThrottle() decorator to the HealthController so
    that constant pings from load balancers or container orchestrators do
    not trigger a false-positive rate limit outage.

  4. Preserved Explicit Auth Rates ( auth.controller.ts ):
    • The existing endpoints in the Auth Controller were overriding the old
    default throttler limits. I migrated those explicit rates (e.g., 5
    requests per 15 seconds for /sign-in and 3 per 60 seconds for
    /resend-verification ) to correctly target the new write throttler
    name, ensuring your strict anti-bruteforce rules remain completely
    intact.

    closes Implement Rate Limiting on All Endpoints (Not Just Auth) in the api folder #475

@Qoder-Undefined Qoder-Undefined merged commit f57fffe into MERIDIAN-CITY:main Jun 27, 2026
1 check passed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

Implement Rate Limiting on All Endpoints (Not Just Auth) in the api folder

3 participants