feat: support live reloading of individual rate limits (#2469)

Move API limiter setup out of internal/api and into a dedicated
internal/api/apilimiter package, then wire it into serve-time config
reloads so rate limit changes are picked up without restarting the
service.

This change replaces the old LimiterOptions type with an
apilimiter.Limiter instance passed through api.WithLimiter(...). API
construction now defaults to apilimiter.New(...) when no limiter is
injected, and tests are updated to use the new option-based wiring.

The new apilimiter package centralizes:
- construction of all ratelimit and tollbooth limiters
- mapping between config/env vars and limiter fields
- copy/update logic for reusing existing limiter state where possible
- structured logging for limiter changes during config reload

On config reload in serve():
- keep track of the previously active limiter set
- call previousLim.Update(...) against the latest config
- build the new API with the updated limiter set
- store the new API, reload apiworker config, and retain the latest
limiter for the next reload cycle

This fixes the prior behavior where hot config reload rebuilt the API
but kept stale limiter settings, meaning rate-limit changes were not
applied until process restart.

Additional ratelimit changes:
- persist the original parsed conf.Rate value in conf.Rate via val
- add GetRateValue() for logging/comparison purposes
- extend ratelimit.Limiter with Config() so limiters can expose their
backing configuration
- add ratelimit.Equal(...) helper to compare limiters, configs, and rate
strings consistently
- store conf.Rate on BurstLimiter and IntervalLimiter and expose
Config()
- add String() methods to identify limiter type in tests/debug output
- rename IntervalLimiter.limit to events for clarity

Behavioral note:
- BurstLimiter documentation now matches implementation for non-positive
event counts: burst size becomes 0, so no events are allowed

Tests:
- update API tests to inject limiters through api.WithLimiter
- update options tests to validate apilimiter.New
- expand ratelimit tests to cover type identification and equality
semantics
- add dedicated apilimiter tests that verify only the expected fields
change when each config/env-backed limiter value is modified

---------

Co-authored-by: Chris Stockton <chris.stockton@supabase.io>
Co-authored-by: fadymak <dev@fadymak.com>

Author: 3 people

cmd/serve_cmd.go

@@ -14,6 +14,7 @@ import (
 	"github.com/sirupsen/logrus"
 	"github.com/spf13/cobra"
 	"github.com/supabase/auth/internal/api"
+	"github.com/supabase/auth/internal/api/apilimiter"
 	"github.com/supabase/auth/internal/api/apiworker"
 	"github.com/supabase/auth/internal/conf"
 	"github.com/supabase/auth/internal/mailer/templatemailer"
@@ -63,10 +64,10 @@ func serve(ctx context.Context) {
 	defer wg.Wait() // Do not return to caller until this goroutine is done.
 
 	mrCache := templatemailer.NewCache()
-	limiterOpts := api.NewLimiterOptions(config)
+	initialLim := apilimiter.New(config)
 	initialAPI := api.NewAPIWithVersion(
 		config, db, utilities.Version,
-		limiterOpts,
+		api.WithLimiter(initialLim),
 		api.WithMailer(templatemailer.FromConfig(config, mrCache)),
 	)
 
@@ -130,11 +131,12 @@ func serve(ctx context.Context) {
 				exitFn("config reloader is exiting")
 			}()
 
+			previousLim := initialLim
 			fn := func(latestCfg *conf.GlobalConfiguration) {
 				le.Info("reloading api with new configuration")
 
-				// When config is updated we notify the apiworker.
-				wrk.ReloadConfig(latestCfg)
+				// Update the previous limiter with the latest config
+				latestLim := previousLim.Update(le, latestCfg)
 
 				// Create a new API version with the updated config.
 				latestAPI := api.NewAPIWithVersion(
@@ -146,13 +148,17 @@ func serve(ctx context.Context) {
 					),
 
 					// Persist existing rate limiters.
-					//
-					// TODO(cstockton): we should consider updating these, if we
-					// rely on hot config reloads 100% then rate limiter changes
-					// won't be picked up.
-					limiterOpts,
+					api.WithLimiter(latestLim),
 				)
+
+				// Assign this config as the latest configuration
 				ah.Store(latestAPI)
+
+				// When config is updated we notify the apiworker.
+				wrk.ReloadConfig(latestCfg)
+
+				// Update previous limiter
+				previousLim = latestLim
 			}
 
 			rl := reloader.NewReloader(rc, watchDir)

internal/api/api.go

@@ -9,6 +9,7 @@ import (
 	"github.com/sebest/xff"
 	"github.com/sirupsen/logrus"
 	"github.com/supabase/auth/internal/api/apierrors"
+	"github.com/supabase/auth/internal/api/apilimiter"
 	"github.com/supabase/auth/internal/api/apitask"
 	"github.com/supabase/auth/internal/api/oauthserver"
 	"github.com/supabase/auth/internal/api/provider"
@@ -54,7 +55,7 @@ type API struct {
 	// overrideTime can be used to override the clock used by handlers. Should only be used in tests!
 	overrideTime func() time.Time
 
-	limiterOpts *LimiterOptions
+	limiterOpts *apilimiter.Limiter
 }
 
 func (a *API) GetConfig() *conf.GlobalConfiguration { return a.config }
@@ -110,7 +111,7 @@ func NewAPIWithVersion(globalConfig *conf.GlobalConfiguration, db *storage.Conne
 		api.captchaVerifier = security.NewCaptchaVerifier(&globalConfig.Security.Captcha)
 	}
 	if api.limiterOpts == nil {
-		api.limiterOpts = NewLimiterOptions(globalConfig)
+		api.limiterOpts = apilimiter.New(globalConfig)
 	}
 	if api.hooksMgr == nil {
 		httpDr := hookshttp.New()

internal/api/api_test.go

@@ -7,6 +7,7 @@ import (
 	"testing"
 
 	"github.com/stretchr/testify/require"
+	"github.com/supabase/auth/internal/api/apilimiter"
 	"github.com/supabase/auth/internal/conf"
 	"github.com/supabase/auth/internal/crypto"
 	"github.com/supabase/auth/internal/storage"
@@ -60,8 +61,8 @@ func setupAPIForTestWithCallback(cb func(*conf.GlobalConfiguration, *storage.Con
 		cb(nil, conn)
 	}
 
-	limiterOpts := NewLimiterOptions(config)
-	return NewAPIWithVersion(config, conn, apiTestVersion, limiterOpts), config, nil
+	limiterOpts := apilimiter.New(config)
+	return NewAPIWithVersion(config, conn, apiTestVersion, WithLimiter(limiterOpts)), config, nil
 }
 
 func TestEmailEnabledByDefault(t *testing.T) {