Implement global rate limiter and refactor auth middleware

- Add global rate limiter utility with configurable limits and cleanup - Move rate limiting logic to middleware for consistent application - Update auth routes to use new rate limiter - Add comprehensive tests for rate limiter functionality - Update documentation with backend development guidelines and tasks Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
2026-04-30 21:26:31 +02:00
parent d1316ca66e
commit 3bd9848a08
9 changed files with 511 additions and 61 deletions
--- a/backend/app/tasks/rate_limiter_cleanup.py
+++ b/backend/app/tasks/rate_limiter_cleanup.py
@@ -33,18 +33,29 @@ JOB_ID: str = "rate_limiter_cleanup"
 def _run_cleanup(app: FastAPI) -> None:
    """Trigger cleanup of expired rate-limiter entries.

+    Cleans up both the login-specific rate limiter (exponential backoff)
+    and the global request rate limiter.
+
    Args:
-        app: The FastAPI application instance (holds the rate limiter).
+        app: The FastAPI application instance (holds the rate limiters).
    """
-    rate_limiter = getattr(app.state, "login_rate_limiter", None)
-    if rate_limiter is None:
+    login_limiter = getattr(app.state, "login_rate_limiter", None)
+    if login_limiter is None:
        log.warning(
            "rate_limiter_cleanup_skipped",
-            reason="rate_limiter not found on app.state",
+            reason="login_rate_limiter not found on app.state",
        )
-        return
+    else:
+        login_limiter.cleanup_expired()

-    rate_limiter.cleanup_expired()
+    global_limiter = getattr(app.state, "global_rate_limiter", None)
+    if global_limiter is None:
+        log.warning(
+            "rate_limiter_cleanup_skipped",
+            reason="global_rate_limiter not found on app.state",
+        )
+    else:
+        global_limiter.cleanup_expired()


 def register(app: FastAPI) -> None: