
Feat/rate limiting#950

Merged
coodos merged 2 commits into main from feat/rate-limiting on Apr 9, 2026

Conversation

@coodos
Contributor

@coodos coodos commented Apr 9, 2026

Description of change

Issue Number

Type of change

  • Breaking (any change that would cause existing functionality to not work as expected)
  • New (a change which implements a new feature)
  • Update (a change which updates existing functionality)
  • Fix (a change which fixes an issue)
  • Docs (changes to the documentation)
  • Chore (refactoring, build scripts or anything else that isn't user-facing)

How the change has been tested

Change checklist

  • I have ensured that the CI Checks pass locally
  • I have removed any unnecessary logic
  • My code is well documented
  • I have signed my commits
  • My code follows the pattern of the application
  • I have self reviewed my code

Summary by CodeRabbit

  • New Features

    • Implemented HTTP rate limiting with configurable per-platform and per-IP request limits (default: 250 requests per platform, 500 per IP per minute). Requests exceeding limits receive 429 responses with retry information.
  • Performance & Stability

    • Optimized database query execution with improved session management.
    • Enhanced Neo4j connection pool configuration for better resource utilization.

@coodos coodos marked this pull request as ready for review April 9, 2026 19:32
@coderabbitai
Contributor

coderabbitai bot commented Apr 9, 2026

Caution

Review failed

The pull request is closed.

ℹ️ Recent review info
⚙️ Run configuration

Configuration used: defaults

Review profile: CHILL

Plan: Pro

Run ID: 4079cb66-e388-4ab4-a95a-40091f0a425f

📥 Commits

Reviewing files that changed from the base of the PR and between 9a85592 and 4540054.

📒 Files selected for processing (5)
  • .env.example
  • infrastructure/evault-core/src/core/db/db.service.ts
  • infrastructure/evault-core/src/core/db/retry-neo4j.ts
  • infrastructure/evault-core/src/core/http/global-rate-limiter.ts
  • infrastructure/evault-core/src/index.ts

📝 Walkthrough

Walkthrough

This PR adds an in-memory global HTTP rate limiter (per-platform and per-IP), integrates it into Fastify request handling, adds rate-limit entries to .env.example, batches two Neo4j queries into a single session in one DB method, and tunes Neo4j driver connection/pool settings.

Changes

Cohort / File(s): Summary

Configuration (.env.example): Added RATE_LIMIT_PER_PLATFORM=250 and RATE_LIMIT_PER_IP=500 environment variables (requests per minute).

Rate Limiting (infrastructure/evault-core/src/core/http/global-rate-limiter.ts, infrastructure/evault-core/src/index.ts): New in-memory global rate limiter enforcing per-platform and per-IP 1-minute windows; exported checkGlobalRateLimit(token, ip); Fastify onRequest hook calls it and returns HTTP 429 with Retry-After when limits are exceeded.

Database (infrastructure/evault-core/src/core/db/db.service.ts): findMetaEnvelopesPaginated now runs the count and main queries within a single explicitly created Neo4j session and closes it in finally, instead of opening separate sessions per query.

Driver Tuning (infrastructure/evault-core/src/core/db/retry-neo4j.ts): Neo4j driver init preserves encrypted: "ENCRYPTION_OFF" and adds connection/pool options: maxConnectionPoolSize, connectionAcquisitionTimeout, maxConnectionLifetime, connectionTimeout.

Sequence Diagram

sequenceDiagram
    participant Client
    participant FastifyHook as Fastify Hook
    participant RateLimiter as Rate Limiter
    participant JWTDecoder as JWT Decoder
    participant Server as Request Handler

    Client->>FastifyHook: HTTP Request (with/without Bearer token)
    FastifyHook->>FastifyHook: Extract token from Authorization header
    FastifyHook->>RateLimiter: checkGlobalRateLimit(token, ip)
    
    alt Token provided
        RateLimiter->>JWTDecoder: Decode JWT & extract platform claim
        JWTDecoder-->>RateLimiter: platform or null
        alt Platform extracted
            RateLimiter->>RateLimiter: Check platform request count
            alt Platform limit exceeded
                RateLimiter-->>FastifyHook: { allowed: false, retryAfterSeconds }
            else Platform limit OK
                RateLimiter->>RateLimiter: Check IP request count
                alt IP limit exceeded
                    RateLimiter-->>FastifyHook: { allowed: false, retryAfterSeconds }
                else Both limits OK
                    RateLimiter-->>FastifyHook: { allowed: true, retryAfterSeconds: 0 }
                end
            end
        else Decoding failed
            RateLimiter->>RateLimiter: Fall back to IP-only limiting
            RateLimiter-->>FastifyHook: { allowed: boolean, retryAfterSeconds }
        end
    else No token
        RateLimiter->>RateLimiter: Check IP request count
        RateLimiter-->>FastifyHook: { allowed: boolean, retryAfterSeconds }
    end
    
    alt Allowed
        FastifyHook->>Server: Continue request
        Server-->>Client: Response
    else Rate limit exceeded
        FastifyHook-->>Client: HTTP 429 + Retry-After header
    end

Estimated code review effort

🎯 3 (Moderate) | ⏱️ ~25 minutes

Possibly related PRs

  • Feat/rate limiting #950 — Modifies the same files and codepaths: .env.example rate-limit entries, the same global-rate-limiter module and export, Fastify onRequest hook, and Neo4j session/driver changes.

Suggested reviewers

  • xPathin
  • sosweetham

Poem

🐰 I counted hops in minute-long ticks,

Platforms and IPs kept neat in my mix,
Tokens decoded, small guards at the gate,
Sessions joined queries — neat and sedate,
Hooray! The server hums, and I celebrate. 🥕


@coodos coodos merged commit a4be956 into main Apr 9, 2026
5 of 6 checks passed
@coodos coodos deleted the feat/rate-limiting branch April 9, 2026 19:34
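The walkthrough above describes the limiter only in outline: fixed one-minute windows per platform and per IP, a checkGlobalRateLimit(token, ip) export, and a Fastify onRequest hook that answers 429 with Retry-After. The block below is an added example written for this page, not the code merged in #950, showing how those pieces fit together and where the two checks a reviewer would ask about belong. It assumes the JWT claim is named "platform", that the token is decoded without signature verification (the sequence diagram says "Decode JWT", not verify), that the limits default to 250 and 500 per minute as in .env.example, and it reduces the Fastify request/reply to the few fields the hook touches so it runs without fastify installed. Every name other than checkGlobalRateLimit is invented for the example, and the sample token is constructed inline.

```typescript
// Added example (not the project's code from #950): fixed-window, in-memory global rate limiter
// keyed by a JWT "platform" claim and by client IP, plus a Fastify-shaped onRequest hook.
// Assumptions: claim name "platform"; defaults 250/500 per minute as in .env.example.

const WINDOW_MS = 60_000;
const LIMIT_PER_PLATFORM = Number(process.env.RATE_LIMIT_PER_PLATFORM ?? 250);
const LIMIT_PER_IP = Number(process.env.RATE_LIMIT_PER_IP ?? 500);

export interface RateLimitResult { allowed: boolean; retryAfterSeconds: number }
interface Bucket { count: number; windowStart: number }

const buckets = new Map<string, Bucket>();

// Decode-only: the signature is NOT checked, so the platform value is whatever the client put in
// the token. Treat the platform bucket as a fairness control; the IP bucket is the real backstop.
export function decodePlatformClaim(token: string): string | null {
  const parts = token.split(".");
  if (parts.length !== 3) return null;
  try {
    const payload = JSON.parse(Buffer.from(parts[1], "base64url").toString("utf8"));
    const p = payload?.platform;
    return typeof p === "string" && p.length > 0 ? p : null;
  } catch {
    return null;
  }
}

// Live bucket for a key; starts a fresh window once the previous one has elapsed.
function bucketFor(key: string, now: number): Bucket {
  let b = buckets.get(key);
  if (!b || now - b.windowStart >= WINDOW_MS) {
    b = { count: 0, windowStart: now };
    buckets.set(key, b);
  }
  return b;
}

function secondsUntilReset(b: Bucket, now: number): number {
  return Math.max(1, Math.ceil((b.windowStart + WINDOW_MS - now) / 1000));
}

// Platform limit is checked first, then IP. A request is only charged to a bucket once it is
// admitted, so a request rejected by the IP limit does not also burn platform quota.
export function checkGlobalRateLimit(token: string | null, ip: string, now: number = Date.now()): RateLimitResult {
  const toCharge: Bucket[] = [];
  const platform = token ? decodePlatformClaim(token) : null;
  if (platform) {
    const pb = bucketFor(`platform:${platform}`, now);
    if (pb.count >= LIMIT_PER_PLATFORM) return { allowed: false, retryAfterSeconds: secondsUntilReset(pb, now) };
    toCharge.push(pb);
  }
  const ib = bucketFor(`ip:${ip}`, now);
  if (ib.count >= LIMIT_PER_IP) return { allowed: false, retryAfterSeconds: secondsUntilReset(ib, now) };
  toCharge.push(ib);
  for (const b of toCharge) b.count += 1;
  return { allowed: true, retryAfterSeconds: 0 };
}

// A map keyed by IP grows with every distinct source seen; sweep stale windows on a timer
// (setInterval) or the limiter itself becomes a memory-exhaustion target. Returns entries removed.
export function sweepExpired(now: number = Date.now()): number {
  let removed = 0;
  for (const [key, b] of buckets) {
    if (now - b.windowStart >= WINDOW_MS) { buckets.delete(key); removed++; }
  }
  return removed;
}

// Minimal request/reply shapes so the hook runs without importing fastify (assumed, not Fastify's types).
export interface HookRequest { headers: Record<string, string | undefined>; ip: string }
export interface HookReply {
  code(status: number): HookReply;
  header(name: string, value: string): HookReply;
  send(body: unknown): void;
}

// onRequest hook body: returns true to let the request continue, false after sending a 429.
export function rateLimitOnRequest(req: HookRequest, reply: HookReply, now: number = Date.now()): boolean {
  const auth = req.headers["authorization"] ?? "";
  const token = auth.startsWith("Bearer ") ? auth.slice("Bearer ".length) : null;
  const result = checkGlobalRateLimit(token, req.ip, now);
  if (result.allowed) return true;
  reply.code(429)
    .header("Retry-After", String(result.retryAfterSeconds))
    .send({ error: "Too Many Requests", retryAfterSeconds: result.retryAfterSeconds });
  return false;
}

// Constructed sample token (alg "none", placeholder signature) for exercising the decoder offline.
export function makeSampleToken(platform: string): string {
  const b64 = (o: unknown) => Buffer.from(JSON.stringify(o)).toString("base64url");
  return `${b64({ alg: "none", typ: "JWT" })}.${b64({ platform, sub: "demo" })}.sig`;
}
```

Two properties of this design are worth keeping in mind when reviewing a limiter of this shape. Because the platform key comes from an unverified claim, a client can spread its traffic across fabricated platform values, so the per-IP window is the only bound that holds against an uncooperative caller; verifying the signature before trusting the claim, or keying on something the server already authenticated, closes that. And because the state is an in-memory map, it is per process (several replicas each enforce their own 250/500 independently) and it grows with every distinct IP, which is why the sweep, or an equivalent TTL, has to run periodically rather than never.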