File: /src/api/middleware.rs
Category: API / Security
Description: The TokenBucket rate limiter in middleware.rs applies a uniform rate limit to all requests regardless of source. It has no awareness of anomalous traffic patterns (e.g., a compromised edge unit sending 10,000 requests/second from a previously quiescent meter). There is no sliding window, no per-IP or per-meter differentiation, and no integration with fraud detection signals.
Parameters:
- Global rate: 10,000 req/s
- Per-meter rate: 100 req/s normal, 10 req/s if flagged
- Fraud signal latency: < 50ms from detection to rate-limit adjustment
Codebase Navigation:
src/api/middleware.rs:6 — TokenBucket — single global bucketsrc/api/middleware.rs:36 — rate_limit_layer — no per-source discrimination
Resolution Blueprint:
- Replace single bucket with a two-tier rate limiter: global tier (10K req/s) + per-source tier (meter_id or IP-based) using a
DashMap<String, TokenBucket>
- Implement a sliding window counter (instead of token bucket) for the fraud detection path — allows detecting spikes within a 1-second granularity
- Integrate with a fraud detection signal bus: when a meter is flagged, dynamically reduce its per-source limit from 100 → 10 req/s
- Add exponential backoff for flagged sources: each subsequent violation doubles the cooldown period
- Expose
GET /api/v1/rate-limiter/status showing top 10 most rate-limited sources
Acceptance Criteria:
File:
/src/api/middleware.rsCategory: API / Security
Description: The
TokenBucketrate limiter inmiddleware.rsapplies a uniform rate limit to all requests regardless of source. It has no awareness of anomalous traffic patterns (e.g., a compromised edge unit sending 10,000 requests/second from a previously quiescent meter). There is no sliding window, no per-IP or per-meter differentiation, and no integration with fraud detection signals.Parameters:
Codebase Navigation:
src/api/middleware.rs:6—TokenBucket— single global bucketsrc/api/middleware.rs:36—rate_limit_layer— no per-source discriminationResolution Blueprint:
DashMap<String, TokenBucket>GET /api/v1/rate-limiter/statusshowing top 10 most rate-limited sourcesAcceptance Criteria: