feat(security): add per-IP rate limiting to account API endpoints #57

Open
Janis wants to merge 2 commits from feat/NCS-65-rate-limit-api-endpoints into main

Adds a fixed-window rate limiter (default 60 req/60s per IP) to all
public account endpoints (AccountResource, ChallengeResource,
OfficialChallengeResource). Implemented as a JAX-RS @NameBinding
ContainerRequestFilter in the shared security module.

IP is resolved from X-Forwarded-For > X-Real-IP > "unknown".
Load-test traffic can bypass via X-Gatling-Secret header matched
against the optional nowchess.rate-limit.gatling-secret config.
Exceeded requests receive HTTP 429 with a warn-level log.

Closes NCS-65
https://knockoutwhist.youtrack.cloud/issue/NCS-65

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
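A sketch of the filter the description outlines, added here as an illustration and not the project's own code. The class and annotation names, javax.ws.rs 2.x, the constructor-injected secret, and the `Retry-After` header are assumptions; the header precedence, window, limit, bypass secret and 429 response follow the description.

```java
import java.lang.annotation.Retention;
import java.lang.annotation.RetentionPolicy;
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.util.concurrent.ConcurrentHashMap;
import javax.ws.rs.NameBinding;
import javax.ws.rs.container.ContainerRequestContext;
import javax.ws.rs.container.ContainerRequestFilter;
import javax.ws.rs.core.Response;
import javax.ws.rs.ext.Provider;

// Name-binding annotation: put it on the resource classes that should be limited
// (in the PR: AccountResource, ChallengeResource, OfficialChallengeResource).
@NameBinding @Retention(RetentionPolicy.RUNTIME)
@interface RateLimited {}
@RateLimited @Provider
public class RateLimitFilter implements ContainerRequestFilter {
    private static final int LIMIT = 60;            // requests per window
    private static final long WINDOW_MS = 60_000L;  // fixed 60 s window
    private final String gatlingSecret;             // null when not configured (assumed injection)
    // Per-IP slot: [windowStart, count]. Eviction of idle IPs is left out of this sketch.
    private final ConcurrentHashMap<String, long[]> windows = new ConcurrentHashMap<>();
    public RateLimitFilter(String gatlingSecret) { this.gatlingSecret = gatlingSecret; }
    @Override
    public void filter(ContainerRequestContext ctx) {
        if (isTrustedLoadTest(ctx.getHeaderString("X-Gatling-Secret"))) return;
        long now = System.currentTimeMillis();
        // compute() holds the bin lock, so window reset and increment are atomic per IP.
        long[] slot = windows.compute(clientIp(ctx), (ip, w) -> {
            if (w == null || now - w[0] >= WINDOW_MS) return new long[] {now, 1};
            w[1]++; return w;
        });
        if (slot[1] > LIMIT) {
            long retryAfter = (WINDOW_MS - (now - slot[0]) + 999) / 1000;
            ctx.abortWith(Response.status(429).header("Retry-After", retryAfter).build());
        }
    }
    // Precedence from the PR: X-Forwarded-For > X-Real-IP > "unknown". Both headers are
    // client-supplied, so this identifies the client only when the edge proxy overwrites
    // them; requests carrying neither all share the single "unknown" bucket.
    static String clientIp(ContainerRequestContext ctx) {
        String xff = ctx.getHeaderString("X-Forwarded-For");
        if (xff != null && !xff.isEmpty()) return xff.split(",")[0].trim();
        String real = ctx.getHeaderString("X-Real-IP");
        return (real != null && !real.isEmpty()) ? real : "unknown";
    }
    // Constant-time comparison so the bypass secret is not leaked through timing.
    private boolean isTrustedLoadTest(String presented) {
        if (gatlingSecret == null || presented == null) return false;
        return MessageDigest.isEqual(gatlingSecret.getBytes(StandardCharsets.UTF_8),
                                     presented.getBytes(StandardCharsets.UTF_8));
    }
}
```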

Janis added 1 commit 2026-06-02 15:06:19 +02:00
feat(security): add per-IP rate limiting to account API endpoints
Build & Test (NowChessSystems) TeamCity build failed
1ae455eb99
Adds a fixed-window rate limiter (default 60 req/60s per IP) to all
public account endpoints (AccountResource, ChallengeResource,
OfficialChallengeResource). Implemented as a JAX-RS @NameBinding
ContainerRequestFilter in the shared security module.

IP is resolved from X-Forwarded-For > X-Real-IP > "unknown".
Load-test traffic can bypass via X-Gatling-Secret header matched
against the optional nowchess.rate-limit.gatling-secret config.
Exceeded requests receive HTTP 429 with a warn-level log.

Closes NCS-65
https://knockoutwhist.youtrack.cloud/issue/NCS-65

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
Janis added 1 commit 2026-06-05 10:34:29 +02:00
fix(security): guard against null UriInfo in rate limit log
Build & Test (NowChessSystems) TeamCity build finished
a20bee3b93
Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
Author

This also requires Kubernetes Secrets to be added and modifications to K8S Performance Tests

Reference: NowChess/NowChessSystems#57