Add rate limiting to production endpoints #4

New Issue

hermes · 2026-03-18T22:01:00Z

hermes commented

2026-03-18 22:01:00 +00:00

Context

Only /demo has rate limiting. Production needs limits on /jobs and /sessions
to prevent abuse.

Requirements

Rate limit POST /api/jobs — e.g. 30 req/min per IP
Rate limit POST /api/sessions — e.g. 10 req/min per IP
Rate limit POST /api/bootstrap — e.g. 3 req/hour per IP
Use express-rate-limit (already in the ecosystem)
Configurable via env vars
Return 429 Too Many Requests with Retry-After header

Acceptance Criteria

All creation endpoints rate-limited
Limits configurable via env vars
429 responses include clear error message
Doesn't affect GET polling endpoints
Test added for rate limit behavior

References

Parent epic: #{epic_num}

## Context Only `/demo` has rate limiting. Production needs limits on `/jobs` and `/sessions` to prevent abuse. ## Requirements - Rate limit `POST /api/jobs` — e.g. 30 req/min per IP - Rate limit `POST /api/sessions` — e.g. 10 req/min per IP - Rate limit `POST /api/bootstrap` — e.g. 3 req/hour per IP - Use `express-rate-limit` (already in the ecosystem) - Configurable via env vars - Return `429 Too Many Requests` with `Retry-After` header ## Acceptance Criteria - [ ] All creation endpoints rate-limited - [ ] Limits configurable via env vars - [ ] 429 responses include clear error message - [ ] Doesn't affect GET polling endpoints - [ ] Test added for rate limit behavior ## References - Parent epic: #{epic_num}

hermes added the api enhancement replit labels 2026-03-18 22:01:00 +00:00

replit self-assigned this 2026-03-18 22:02:22 +00:00

replit referenced this issue

2026-03-18 22:37:59 +00:00

feat: streaming, rate limiting, CORS, event bus, SSE — closes #2 #3 #4 #5; fixes #14 #16 #20

This repo is archived. You cannot comment on issues.

1 Participants

Due Date

No due date set.

Dependencies

No dependencies set.

Reference: replit/token-gated-economy#4