is: Rate limit device creation by application ID instead of device ID

Previously, CreateEndDeviceRequest was rate-limited per device ID,
which was ineffective since each new device has a unique ID. This
allowed unlimited device creation attempts per application.

Now rate limiting is applied per application ID, properly restricting
the rate of device creation requests at the application level.

Author: nicholaspcr

pkg/ttnpb/end_device.go

@@ -2990,6 +2990,18 @@ func (m *EndDevice) IDString() string {
 	return m.GetIds().IDString()
 }
 
+// RateLimitKey is the Implementation of the RateLimitKeyer interface
+func (m *CreateEndDeviceRequest) RateLimitKey() string {
+	if dev := m.GetEndDevice(); dev != nil {
+		if ids := dev.GetIds(); ids != nil {
+			if appIDs := ids.GetApplicationIds(); appIDs != nil {
+				return appIDs.IDString()
+			}
+		}
+	}
+	return ""
+}
+
 // All ExtractRequestFields methods are used by github.com/grpc-ecosystem/go-grpc-middleware/tags.
 
 func (m *ResetAndGetEndDeviceRequest) ExtractRequestFields(dst map[string]interface{}) {

pkg/ttnpb/end_device_ratelimit_test.go

@@ -0,0 +1,72 @@
+// Copyright © 2025 The Things Network Foundation, The Things Industries B.V.
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+//     http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+
+package ttnpb_test
+
+import (
+	"testing"
+
+	"go.thethings.network/lorawan-stack/v3/pkg/ttnpb"
+)
+
+func TestCreateEndDeviceRequest_RateLimitKey(t *testing.T) {
+	tests := []struct {
+		name     string
+		req      *ttnpb.CreateEndDeviceRequest
+		expected string
+	}{
+		{
+			name: "valid request",
+			req: &ttnpb.CreateEndDeviceRequest{
+				EndDevice: &ttnpb.EndDevice{
+					Ids: &ttnpb.EndDeviceIdentifiers{
+						ApplicationIds: &ttnpb.ApplicationIdentifiers{
+							ApplicationId: "test-app",
+						},
+						DeviceId: "test-device-1",
+					},
+				},
+			},
+			expected: "test-app",
+		},
+		{
+			name: "different device same app",
+			req: &ttnpb.CreateEndDeviceRequest{
+				EndDevice: &ttnpb.EndDevice{
+					Ids: &ttnpb.EndDeviceIdentifiers{
+						ApplicationIds: &ttnpb.ApplicationIdentifiers{
+							ApplicationId: "test-app",
+						},
+						DeviceId: "test-device-2",
+					},
+				},
+			},
+			expected: "test-app",
+		},
+		{
+			name:     "nil request",
+			req:      &ttnpb.CreateEndDeviceRequest{},
+			expected: "",
+		},
+	}
+
+	for _, tt := range tests {
+		t.Run(tt.name, func(t *testing.T) {
+			got := tt.req.RateLimitKey()
+			if got != tt.expected {
+				t.Errorf("RateLimitKey() = %v, want %v", got, tt.expected)
+			}
+		})
+	}
+}