Rate limiting
Configure backend rate limiting (global, auth, and OAuth endpoints) for Openquok.
Overview
The backend uses express-rate-limit to apply per-IP request limits:
- global — applied to all routes under API_PREFIX (default /api/v1)
- auth — applied to /auth endpoints (sign-in / sign-up / reset flows)
- oauth — applied to /auth/oauth/* endpoints (Google OAuth start + callback)
Implementation lives in backend/middlewares/rateLimit.ts and reads values from backend/config/GlobalConfig.ts.
OAuth is intentionally stricter
OAuth routes involve redirects and third-party flows, so they get a dedicated limiter to reduce abuse. The general /auth limiter skips /oauth/* paths to avoid double-counting: a request to /auth/oauth/* is counted by the global and OAuth limiters only, never by the auth limiter as well.
Environment variables
All rate limiting can be disabled by setting RATE_LIMIT_ENABLED to false.
Global (all API routes)
- RATE_LIMIT_WINDOW_MS — window size in ms
- RATE_LIMIT_MAX — max requests per window per IP
Auth (most /auth/* routes)
- AUTH_RATE_LIMIT_WINDOW_MS
- AUTH_RATE_LIMIT_MAX
OAuth (Google start + callback)
- OAUTH_RATE_LIMIT_WINDOW_MS
- OAUTH_RATE_LIMIT_MAX
Example (development)
Copy backend/.env.development.example to backend/.env.development.local and adjust:
RATE_LIMIT_ENABLED=true
# Global (all API routes)
RATE_LIMIT_WINDOW_MS=3600000
RATE_LIMIT_MAX=60
# Auth
AUTH_RATE_LIMIT_WINDOW_MS=900000
AUTH_RATE_LIMIT_MAX=50
# OAuth (Google)
OAUTH_RATE_LIMIT_WINDOW_MS=300000
OAUTH_RATE_LIMIT_MAX=20
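The following is an added example, not Openquok's backend/middlewares/rateLimit.ts and not express-rate-limit itself: a small fixed-window, per-IP limiter written in the same three tiers the Overview describes (global, auth, oauth), reading the environment variable names listed above and exercised with the development values from the example. The counter, the `skip` hook, the `/api/v1` prefix handling, the request shape (`ip`, `path`) and the sample client address are all assumptions made so the block runs offline; the point it demonstrates is the skip rule that keeps an OAuth request from being counted by the auth limiter, the stricter OAuth ceiling, and the `RATE_LIMIT_ENABLED=false` switch.

```javascript
// Added example (not Openquok's backend/middlewares/rateLimit.ts): a minimal
// fixed-window, per-IP limiter laid out in the same three tiers the page
// describes (global / auth / oauth), driven by the same environment variable
// names. express-rate-limit is replaced by a hand-written counter so the block
// runs offline; the skip() hook and 429 result mirror that library's shape.

const API_PREFIX = '/api/v1'; // default given on the page

// Parse the env vars listed on the page. Missing or non-numeric values throw
// rather than silently producing a limiter with max = NaN (which never blocks).
function readConfig(env) {
  const num = (key) => {
    const n = Number(env[key]);
    if (!Number.isFinite(n) || n <= 0) throw new Error(`${key} must be a positive number`);
    return n;
  };
  const enabled = env.RATE_LIMIT_ENABLED !== 'false';
  if (!enabled) return { enabled };
  return {
    enabled,
    global: { windowMs: num('RATE_LIMIT_WINDOW_MS'), max: num('RATE_LIMIT_MAX') },
    auth:   { windowMs: num('AUTH_RATE_LIMIT_WINDOW_MS'), max: num('AUTH_RATE_LIMIT_MAX') },
    oauth:  { windowMs: num('OAUTH_RATE_LIMIT_WINDOW_MS'), max: num('OAUTH_RATE_LIMIT_MAX') },
  };
}

// One fixed-window counter per client IP. `now` (ms) is passed in so the
// behaviour is deterministic and testable without sleeping.
function createLimiter({ windowMs, max, skip = () => false }) {
  const hits = new Map(); // ip -> { count, resetAt }
  return (req, now) => {
    if (skip(req)) return { skipped: true, allowed: true };
    let entry = hits.get(req.ip);
    if (!entry || now >= entry.resetAt) {
      entry = { count: 0, resetAt: now + windowMs };
      hits.set(req.ip, entry);
    }
    entry.count += 1;
    if (entry.count > max) {
      return { allowed: false, status: 429, retryAfterMs: entry.resetAt - now };
    }
    return { allowed: true, remaining: max - entry.count };
  };
}

// True when `path` is `prefix` itself or lies below it (so /authors is not /auth).
const under = (path, prefix) => path === prefix || path.startsWith(`${prefix}/`);
const AUTH_PATH = `${API_PREFIX}/auth`;
const OAUTH_PATH = `${AUTH_PATH}/oauth`;

// Build the three limiters in mount order. The auth limiter skips /oauth/* so an
// OAuth request is counted once by global and once by oauth, never by auth.
function buildLimiters(cfg) {
  if (!cfg.enabled) return [];
  return [
    { name: 'global', check: createLimiter({ ...cfg.global, skip: (r) => !under(r.path, API_PREFIX) }) },
    { name: 'auth',   check: createLimiter({ ...cfg.auth,
        skip: (r) => !under(r.path, AUTH_PATH) || under(r.path, OAUTH_PATH) }) },
    { name: 'oauth',  check: createLimiter({ ...cfg.oauth, skip: (r) => !under(r.path, OAUTH_PATH) }) },
  ];
}

// Run the chain like Express middleware: the first limiter that rejects wins.
function handleRequest(limiters, req, now) {
  const counted = [];
  for (const { name, check } of limiters) {
    const result = check(req, now);
    if (result.skipped) continue;
    counted.push(name);
    if (!result.allowed) return { status: 429, blockedBy: name, counted };
  }
  return { status: 200, counted };
}

// Constructed sample: the development values from the example above.
const DEV_ENV = {
  RATE_LIMIT_ENABLED: 'true',
  RATE_LIMIT_WINDOW_MS: '3600000', RATE_LIMIT_MAX: '60',
  AUTH_RATE_LIMIT_WINDOW_MS: '900000', AUTH_RATE_LIMIT_MAX: '50',
  OAUTH_RATE_LIMIT_WINDOW_MS: '300000', OAUTH_RATE_LIMIT_MAX: '20',
};

// Scenarios a reviewer of the limiter layout would want to see.
function demo(env = DEV_ENV) {
  const ip = '203.0.113.10'; // constructed client address (documentation range)
  const fresh = () => buildLimiters(readConfig(env));
  const out = {};
  let l = fresh();
  out.oauthCounted = handleRequest(l, { ip, path: `${OAUTH_PATH}/google/callback` }, 0).counted;
  out.signInCounted = handleRequest(l, { ip, path: `${AUTH_PATH}/sign-in` }, 0).counted;
  out.outsidePrefix = handleRequest(l, { ip, path: '/health' }, 0).counted;

  // 21 OAuth start requests inside one 5-minute window: the 21st is rejected by oauth
  // (global would allow 60, auth never sees them).
  l = fresh();
  let last;
  for (let i = 0; i < 21; i++) last = handleRequest(l, { ip, path: `${OAUTH_PATH}/google` }, i * 1000);
  out.oauthBlock = last;
  // Once the 300000 ms oauth window has elapsed the same IP is admitted again.
  out.afterWindow = handleRequest(l, { ip, path: `${OAUTH_PATH}/google` }, 300000).status;
  return out;
}

console.log(JSON.stringify(demo(), null, 2));
```

Two points the toy counter shares with the real middleware are worth keeping in mind when tuning the values above: a per-IP limit is only as good as the client address the server sees, so behind a reverse proxy or load balancer Express must be told to trust the proxy's forwarding headers (otherwise every client appears as the proxy's IP and shares one bucket), and an in-memory store resets on restart and is not shared between backend instances, so the window and max values are enforced per process unless a shared store is configured.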