Project Brief
In this module, you will implement a robust rate limiting mechanism to protect web applications from abuse and ensure fair usage of resources. You will learn how to choose and apply different rate limiting strategies, integrate them into the middleware layer, and configure them for different endpoints.
Overview
What is Rate Limiting?
Rate limiting is a critical security and reliability mechanism that controls how many requests a client can make to your application within a given time period. This guide covers the theory behind rate limiting, why it's essential for production applications, and best practices for implementation.
Why Rate Limiting Matters
Protecting Against Abuse
Without rate limiting, your application is vulnerable to:
| Threat | Description | Impact |
|---|---|---|
| Denial of Service (DoS) | Attackers flood your server with requests | Service becomes unavailable for legitimate users |
| Brute Force Attacks | Automated attempts to guess passwords or OTPs | Account compromise, security breaches |
| Credential Stuffing | Using leaked credentials to attempt logins | Unauthorized access to user accounts |
| API Abuse | Excessive API calls to scrape data or exhaust resources | Increased infrastructure costs, degraded performance |
| Email Spam | Triggering excessive OTP/notification emails | Provider blacklisting, user harassment, cost overruns |
Real-World Consequences
Consider an email OTP authentication system without rate limiting:
- An attacker writes a script to request OTPs for victim@example.com repeatedly
- The victim's inbox is flooded with hundreds of OTP emails
- Your email provider flags your domain for suspicious activity
- Legitimate users can no longer receive emails from your application
- Your organization's reputation suffers
Rate limiting prevents this by capping how many OTP requests can be made per user, per IP, or globally within a time window.
Implementation requirements
We will implement rate limiting on the same application used in the previous lab on CRUD. The rate limiting will protect the application from abuse and ensure fair usage of resources.
The rate limiting implementation should meet the following requirements:
- Apply rate limiting at the middleware layer before business logic is executed
- Use composite keys (user ID for authenticated users, IP address for unauthenticated users)
- Implement dual-bucket rate limiting (sustained and burst limits)
- Use Redis for distributed coordination with in-memory fallback
- Return appropriate error responses (HTTP 429) with retry information
- Support per-endpoint configuration via tRPC metadata
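The core of these requirements, as an added example rather than the lab's reference solution: a dual-bucket check (sustained plus burst window) keyed per user or per IP, with an in-memory store that mirrors the Redis INCR + PEXPIRE pattern and would be swapped for a Redis-backed one in production. The store interface, the `Policy` shape and the procedure name are assumptions; wiring the policy in from tRPC metadata and throwing the 429 is left to the middleware.

```typescript
// Added example, not the lab's code: dual-bucket limiter with composite keys.
type Window = { limit: number; windowMs: number };
type Policy = { sustained: Window; burst: Window }; // assumed shape of per-endpoint config
type Hit = { count: number; resetAt: number };
type Decision = { allowed: boolean; retryAfterMs: number };

interface CounterStore {
  // Increment the counter for `key`, starting a fresh window on the first hit
  // or after expiry, and return the new count plus the window's reset time.
  // A Redis implementation would do INCR + PEXPIRE (NX) atomically.
  incr(key: string, windowMs: number, now: number): Hit;
}

// In-memory fallback used when Redis is unavailable (per-process only).
class MemoryStore implements CounterStore {
  private hits = new Map<string, Hit>();
  incr(key: string, windowMs: number, now: number): Hit {
    const cur = this.hits.get(key);
    if (cur && cur.resetAt > now) { cur.count += 1; return cur; }
    const fresh = { count: 1, resetAt: now + windowMs };
    this.hits.set(key, fresh);
    return fresh;
  }
}

// Composite key: an authenticated caller is limited by identity (rotating
// IPs does not help); an anonymous caller is limited by source address.
function rateKey(ctx: { userId?: string; ip: string }): string {
  return ctx.userId ? `user:${ctx.userId}` : `ip:${ctx.ip}`;
}

// Both buckets are counted on every call and the request must fit under both.
// On rejection, retryAfterMs is the time until every exceeded bucket resets,
// which is the value the 429 response's Retry-After should carry.
function checkRateLimit(
  store: CounterStore, procedure: string,
  ctx: { userId?: string; ip: string }, policy: Policy, now: number,
): Decision {
  const key = rateKey(ctx);
  const windows: [string, Window][] = [["sustained", policy.sustained], ["burst", policy.burst]];
  let retryAt = 0;
  for (const [name, w] of windows) {
    const hit = store.incr(`${procedure}:${name}:${key}`, w.windowMs, now);
    if (hit.count > w.limit) retryAt = Math.max(retryAt, hit.resetAt);
  }
  return retryAt > 0
    ? { allowed: false, retryAfterMs: retryAt - now }
    : { allowed: true, retryAfterMs: 0 };
}
```

Keys include the procedure name so that, for example, an OTP endpoint can carry a much tighter policy than a read endpoint without the two sharing counters.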