Description
To improve API robustness and security, we need to implement a global rate limiting policy that throttles excessive requests from clients. This helps mitigate abuse, reduce load, and ensure fair usage of resources.
Rate limiting will be applied globally (across all endpoints) with defined limits per IP address or user identifier (if available), using built-in ASP.NET Core middleware.
Proposed Solution
Utilize the built-in RateLimiter middleware introduced in .NET 7 and enhanced in .NET 8. We'll define a named global policy with fixed-window or sliding-window semantics.
Key considerations:
- Limit requests per IP.
- Use middleware so that it applies before the controller execution.
- Provide standard 429 Too Many Requests responses with headers like Retry-After.
Suggested Approach
1. Update Program.cs to add rate limiting services
```csharp
using System.Threading.RateLimiting; // PartitionedRateLimiter, RateLimitPartition, FixedWindowRateLimiterOptions

builder.Services.AddRateLimiter(options =>
{
    // One fixed-window bucket per client IP; unknown addresses share a single bucket.
    options.GlobalLimiter = PartitionedRateLimiter.Create<HttpContext, string>(httpContext =>
    {
        var ip = httpContext.Connection.RemoteIpAddress?.ToString() ?? "unknown";
        return RateLimitPartition.GetFixedWindowLimiter(
            partitionKey: ip,
            factory: _ => new FixedWindowRateLimiterOptions
            {
                PermitLimit = 1,                       // 1 request per window
                Window = TimeSpan.FromSeconds(1),
                QueueProcessingOrder = QueueProcessingOrder.OldestFirst,
                QueueLimit = 0                         // no queuing: reject immediately
            });
    });
    options.RejectionStatusCode = StatusCodes.Status429TooManyRequests;
});
```
2. Use Middleware in the Pipeline
```csharp
var app = builder.Build();
app.UseRateLimiter(); // registered before endpoints so throttling happens ahead of controller execution
app.Run();
```
Acceptance Criteria
- Use ASP.NET Core's built-in rate limiting
- Configure a FixedWindowLimiter (e.g., 1 request/second)
- Apply policy to PlayersController endpoints
- Test with curl/Postman to verify HTTP 429 responses
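The pieces the issue asks for but the snippet above does not show, namely partitioning by user identifier when one is available, a Retry-After header on 429 responses, and scoping the policy to PlayersController, in one Program.cs. This is an added example, not code from the issue or the project; the policy name "players" and the controller body are assumptions.

```csharp
// Added example, not the issue's code; policy name "players" and controller are assumed.
using System.Threading.RateLimiting;
using Microsoft.AspNetCore.Mvc;
using Microsoft.AspNetCore.RateLimiting;

var builder = WebApplication.CreateBuilder(args);
builder.Services.AddControllers();
builder.Services.AddRateLimiter(options =>
{
    options.RejectionStatusCode = StatusCodes.Status429TooManyRequests;

    // Partition by the authenticated user when there is one, else by client IP.
    // Behind a reverse proxy, enable ForwardedHeaders first so RemoteIpAddress
    // is the real client; otherwise every client shares the proxy's bucket.
    options.AddPolicy("players", httpContext =>
    {
        var user = httpContext.User.Identity;
        var key = user?.IsAuthenticated == true && user.Name is not null
            ? "user:" + user.Name
            : "ip:" + (httpContext.Connection.RemoteIpAddress?.ToString() ?? "unknown");
        return RateLimitPartition.GetFixedWindowLimiter(key, _ => new FixedWindowRateLimiterOptions
        {
            PermitLimit = 1,                  // 1 request/second per partition
            Window = TimeSpan.FromSeconds(1),
            QueueLimit = 0                    // reject immediately, do not queue
        });
    });

    // Tell rejected clients when to retry, using the limiter's own metadata.
    options.OnRejected = async (context, cancellationToken) =>
    {
        if (context.Lease.TryGetMetadata(MetadataName.RetryAfter, out var retryAfter))
            context.HttpContext.Response.Headers.RetryAfter = ((int)retryAfter.TotalSeconds).ToString();
        await context.HttpContext.Response.WriteAsync("Too many requests.", cancellationToken);
    };
});

var app = builder.Build();
app.UseRateLimiter();   // must precede endpoint execution
app.MapControllers();
app.Run();

[EnableRateLimiting("players")]
[ApiController, Route("api/[controller]")]
public class PlayersController : ControllerBase
{
    [HttpGet] public IActionResult Get() => Ok(new[] { "alice", "bob" });
}
```

Two quick `curl -i http://localhost:5000/api/players` calls within one second should show the second answered with `HTTP/1.1 429` and a `Retry-After` header.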