feat(api): add per-API-key rate limiting

chapterjason · claude · chapterjason · commit f5c63a6d9159 · 2026-03-08T22:30:19.000+01:00
Fixed-window in-memory limiter keyed by project slug. Returns HTTP 429
with Retry-After header when exceeded. Configurable via env vars:
  BACKLOG_RATE_LIMIT_MAX    (default: 200 requests)
  BACKLOG_RATE_LIMIT_WINDOW (default: 60 seconds)

Co-Authored-By: Claude Sonnet 4.6 &lt;noreply@anthropic.com&gt;
diff --git a/packages/api/src/api-server.js b/packages/api/src/api-server.js
@@ -4,6 +4,7 @@ import { NotFoundError, VersionConflictError } from "@sourecode/agent-backlog-co
 import { logger } from "@sourecode/agent-backlog-core/logger.js";
 import { json } from "@sourecode/agent-backlog-core/http/helpers.js";
 import { authenticate } from "./auth/auth.js";
+import { checkRateLimit } from "./auth/rate-limit.js";
 import { getStoreForSlug } from "./store/store.js";
 import { sse } from "./sse/broadcaster.js";
 import { Router } from "./router.js";
@@ -67,6 +68,13 @@ async function handleRequest(req, res) {
       return;
     }
 
+    const limited = checkRateLimit(projectSlug);
+    if (limited) {
+      res.setHeader("Retry-After", String(limited.retryAfter));
+      json(res, 429, { error: "Too many requests. Try again later.", retryAfter: limited.retryAfter });
+      return;
+    }
+
     const store = getStoreForSlug(projectSlug);
     if (await apiRouter.dispatch(req, res, url.pathname, { store, projectSlug, url })) return;
 
diff --git a/packages/api/src/auth/rate-limit.js b/packages/api/src/auth/rate-limit.js
@@ -0,0 +1,36 @@
+/**
+ * Simple in-memory fixed-window rate limiter keyed by project slug.
+ *
+ * Configurable via env vars:
+ *   BACKLOG_RATE_LIMIT_MAX     — max requests per window (default: 200)
+ *   BACKLOG_RATE_LIMIT_WINDOW  — window size in seconds (default: 60)
+ */
+
+const MAX = parseInt(process.env.BACKLOG_RATE_LIMIT_MAX ?? "200", 10);
+const WINDOW_MS = parseInt(process.env.BACKLOG_RATE_LIMIT_WINDOW ?? "60", 10) * 1000;
+
+// Map<slug, { count, windowStart }>
+const counters = new Map();
+
+/**
+ * Check whether the given slug is within the rate limit.
+ * Returns null if allowed, or { retryAfter } (seconds) if exceeded.
+ */
+export function checkRateLimit(slug) {
+  const now = Date.now();
+  let entry = counters.get(slug);
+
+  if (!entry || now - entry.windowStart >= WINDOW_MS) {
+    entry = { count: 0, windowStart: now };
+    counters.set(slug, entry);
+  }
+
+  entry.count++;
+
+  if (entry.count > MAX) {
+    const retryAfter = Math.ceil((entry.windowStart + WINDOW_MS - now) / 1000);
+    return { retryAfter };
+  }
+
+  return null;
+}
