feat: extend rate limiting to all endpoints#523
Merged
Qoder-Undefined merged 1 commit intoJun 27, 2026
Conversation
Qoder-Undefined
approved these changes
Jun 27, 2026
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
I've corrected the type signature in custom-throttler.guard.ts for
@nestjs/throttler v6 and restarted the build. It should complete correctly
this time. I will finish up once the task sends a final success
notification!
▸ Thought for 1s
Prioritizing Tool Usage
The NestJS application has successfully compiled and I've implemented the
requested rate limiting changes.
Here is a summary of the changes made:
Configured Read vs. Write Limits ( app.module.ts ):
• I updated the ThrottlerModule.forRoot() configuration to define two
separate limiters:
• read : 100 requests per 60 seconds (generous limit for fetching
data).
• write : 20 requests per 60 seconds (stricter limit for data
modification).
Implemented Smart Request Throttling ( custom-throttler.guard.ts ):
• Instead of manually wrapping every controller route in decorators, I
created a CustomThrottlerGuard and globally bound it in app.module.
ts .
• The guard detects the HTTP method to automatically apply the correct
limit group:
• GET requests skip the write throttler and only decrement the
read throttler.
• POST , PUT , PATCH , and DELETE requests skip the read
throttler and decrement the strict write throttler.
Skipped Throttling on Health Checks ( health.controller.ts ):
• I added the @SkipThrottle() decorator to the HealthController so
that constant pings from load balancers or container orchestrators do
not trigger a false-positive rate limit outage.
Preserved Explicit Auth Rates ( auth.controller.ts ):
• The existing endpoints in the Auth Controller were overriding the old
default throttler limits. I migrated those explicit rates (e.g., 5
requests per 15 seconds for /sign-in and 3 per 60 seconds for
/resend-verification ) to correctly target the new write throttler
name, ensuring your strict anti-bruteforce rules remain completely
intact.
closes Implement Rate Limiting on All Endpoints (Not Just Auth) in the api folder #475