feat(router): add rate limiting middleware #1947
Add rate limiting support for API routes using the #[RateLimit] attribute.
Features:
- New #[RateLimit] attribute as RouteDecorator for configuring rate limits
- Support for rate limiting by IP address, authenticated user, or session
- Cache-based sliding window algorithm via CacheRateLimiter
- Standard rate limit headers (X-RateLimit-Limit, X-RateLimit-Remaining, X-RateLimit-Reset)
- HTTP 429 TooManyRequests response with Retry-After header
- TestingRateLimiter for isolated test execution
Usage:
```php
#[Get('/api/resource')]
#[RateLimit(maxAttempts: 60, decaySeconds: 60, by: 'ip')]
public function resource(): Response { ... }
```
Files added:
- packages/http/src/Responses/TooManyRequests.php
- packages/router/src/RateLimit.php
- packages/router/src/RateLimitMiddleware.php
- packages/router/src/RateLimiting/RateLimiter.php
- packages/router/src/RateLimiting/RateLimitResult.php
- packages/router/src/RateLimiting/CacheRateLimiter.php
- packages/router/s
Pull request overview
This PR adds comprehensive rate limiting middleware support to the Tempest framework. The implementation provides a flexible, attribute-based approach to protecting API routes from abuse by limiting request frequency based on IP address, authenticated user, or session.
Changes:
- New #[RateLimit] attribute for declarative rate limiting configuration on routes and controllers
- Cache-based sliding window rate limiting algorithm with standard HTTP headers (X-RateLimit-*)
- Support for multiple rate limiting strategies (IP, user, session) with customizable keys
Reviewed changes
Copilot reviewed 12 out of 12 changed files in this pull request and generated 10 comments.
| File | Description |
|---|---|
| packages/http/src/Responses/TooManyRequests.php | HTTP 429 response with Retry-After and rate limit headers |
| packages/router/src/RateLimit.php | Route decorator attribute for configuring rate limits |
| packages/router/src/RateLimitMiddleware.php | Middleware implementation handling rate limit enforcement and identifier resolution |
| packages/router/src/RateLimiting/RateLimiter.php | Interface defining the rate limiter contract |
| packages/router/src/RateLimiting/RateLimitResult.php | DTO for rate limit check results |
| packages/router/src/RateLimiting/CacheRateLimiter.php | Production cache-based rate limiter implementation |
| packages/router/src/RateLimiting/RateLimiterInitializer.php | Dependency injection initializer |
| packages/router/src/RateLimiting/Testing/TestingRateLimiter.php | In-memory rate limiter for testing |
| tests/Integration/Route/RateLimitMiddlewareTest.php | Integration tests covering middleware behavior |
| tests/Integration/Route/Fixtures/RateLimitedController.php | Test controller fixtures |
| packages/router/tests/RateLimiting/RateLimitResultTest.php | Unit tests for RateLimitResult |
| packages/router/tests/RateLimiting/CacheRateLimiterTest.php | Unit tests for CacheRateLimiter |
Co-authored-by: Enzo Innocenzi <enzo@innocenzi.dev>
- Introduced CacheRateLimiter for managing rate limits using cache.
- Created RateLimitResult class to encapsulate results of rate limit checks.
- Added RateLimiter interface for consistent rate limiting behavior.
- Developed RateLimitBy enum to specify client identification methods for rate limiting.
- Implemented RateLimitIdentifierResolver interface for custom client identification logic.
- Enhanced TestingRateLimiter with assertion methods for better test validation.
- Updated RateLimiterInitializer to integrate new cache-based rate limiting.
- Removed obsolete tests related to previous rate limiting implementations.
- Updated integration tests to utilize new rate limiting features and ensure proper functionality.