feat(security): add per-IP rate limiting to account API endpoints #57

Open
Janis wants to merge 2 commits from feat/NCS-65-rate-limit-api-endpoints into main

2 Commits

Author SHA1 Message Date
Janis a20bee3b93 fix(security): guard against null UriInfo in rate limit log
Build & Test (NowChessSystems) TeamCity build finished
Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
2026-06-05 10:33:40 +02:00
Janis 1ae455eb99 feat(security): add per-IP rate limiting to account API endpoints
Build & Test (NowChessSystems) TeamCity build failed
Adds a fixed-window rate limiter (default 60 req/60s per IP) to all
public account endpoints (AccountResource, ChallengeResource,
OfficialChallengeResource). Implemented as a JAX-RS @NameBinding
ContainerRequestFilter in the shared security module.

IP is resolved from X-Forwarded-For > X-Real-IP > "unknown".
Load-test traffic can bypass via X-Gatling-Secret header matched
against the optional nowchess.rate-limit.gatling-secret config.
Exceeded requests receive HTTP 429 with a warn-level log.

Closes NCS-65
https://knockoutwhist.youtrack.cloud/issue/NCS-65

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
2026-06-02 15:03:16 +02:00