Skip to content

feat(rate-limiting): add IP whitelist and admin bypass to quota guard#785

Merged
RUKAYAT-CODER merged 1 commit into
rinafcode:mainfrom
Nimatstar:feat/510-rate-limiting
Jun 24, 2026
Merged

feat(rate-limiting): add IP whitelist and admin bypass to quota guard#785
RUKAYAT-CODER merged 1 commit into
rinafcode:mainfrom
Nimatstar:feat/510-rate-limiting

Conversation

@Nimatstar

Copy link
Copy Markdown
Contributor

Summary

Extends the existing QuotaGuard with the two missing bypass mechanisms from the acceptance criteria: a trusted-IP whitelist for internal services and automatic admin role exemption.

What's changed

**
ate-limiting.constants.ts**

  • getTrustedIps() - reads RATE_LIMIT_TRUSTED_IPS env var (comma-separated IPs) once at guard construction time
  • INTERNAL_SERVICE_HEADER - constant for the X-Internal-Service-Key header
  • ADMIN_ROLES - set of role strings that bypass quota unconditionally

quota.guard.ts

  • isWhitelisted(req) - returns true if request IP is in the trusted list or the X-Internal-Service-Key header matches INTERNAL_SERVICE_KEY env var
  • isAdminUser(user) - returns true if the JWT payload carries an admin role (flat
    ole string,
    oles[] array, or Auth0 namespaced claim)
  • Both checks run before quota is incremented, so whitelisted/admin requests consume no quota window

Env vars added

Var Purpose
RATE_LIMIT_TRUSTED_IPS Comma-separated IPs exempt from rate limiting (e.g. load balancer, health-check agent)
INTERNAL_SERVICE_KEY Shared secret; internal services send it via X-Internal-Service-Key header

closes #510

- Add RATE_LIMIT_TRUSTED_IPS env var support (comma-separated IPs that
  bypass quota checks entirely — intended for internal load balancers
  and health-check agents)
- Add INTERNAL_SERVICE_KEY env var + X-Internal-Service-Key header for
  service-to-service calls that should not consume user quotas
- Add automatic admin role bypass — users with role 'admin' skip quota
  enforcement; supports both flat role string and roles array (Auth0
  namespaced claim and local roles[] array)
- Extract resolveRawIp() helper to keep IP parsing DRY
- getTrustedIps() parsed once at guard construction to avoid per-request
  env reads

closes rinafcode#510
@drips-wave

drips-wave Bot commented Jun 24, 2026

Copy link
Copy Markdown

@Nimatstar Great news! 🎉 Based on an automated assessment of this PR, the linked Wave issue(s) no longer count against your application limits.

You can now already apply to more issues while waiting for a review of this PR. Keep up the great work! 🚀

Learn more about application limits

@RUKAYAT-CODER

Copy link
Copy Markdown
Contributor

Thank you for contributing to the project

@RUKAYAT-CODER RUKAYAT-CODER merged commit 30782a6 into rinafcode:main Jun 24, 2026
1 of 2 checks passed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

Implement rate limiting per user and globally

2 participants