@Tresor-Kasenda
Add rate limiting support for API routes using the #[RateLimit] attribute.

Features:

  • New #[RateLimit] attribute as RouteDecorator for configuring rate limits
  • Support for rate limiting by IP address, authenticated user, or session
  • Cache-based sliding window algorithm via CacheRateLimiter
  • Standard rate limit headers (X-RateLimit-Limit, X-RateLimit-Remaining, X-RateLimit-Reset)
  • HTTP 429 TooManyRequests response with Retry-After header
  • TestingRateLimiter for isolated test execution

Usage:
  #[Get('/api/resource')]
  #[RateLimit(maxAttempts: 60, decaySeconds: 60, by: 'ip')]
  public function resource(): Response { ... }

Files added:

  • packages/http/src/Responses/TooManyRequests.php
  • packages/router/src/RateLimit.php
  • packages/router/src/RateLimitMiddleware.php
  • packages/router/src/RateLimiting/RateLimiter.php
  • packages/router/src/RateLimiting/RateLimitResult.php
  • packages/router/src/RateLimiting/CacheRateLimiter.php
  • packages/router/s

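The sliding-window accounting and the response headers listed in the description above, as an added PHP example that is not code from this pull request or from Tempest. The class, method and array-key names are hypothetical, the in-memory array stands in for the cache, and emitting X-RateLimit-Reset as a Unix timestamp is an assumption.

```php
<?php
declare(strict_types=1);

// Illustrative sliding-window log limiter. Class, method and array-key names are
// hypothetical; the in-memory array stands in for the cache the PR mentions.
final class SlidingWindowLimiter
{
    /** @var array<string, list<int>> accepted request timestamps per identifier */
    private array $hits = [];

    public function __construct(private int $maxAttempts, private int $decaySeconds) {}

    /** @return array{allowed: bool, status: int, headers: array<string, string>} */
    public function attempt(string $identifier, int $now): array
    {
        // Keep only hits that are still inside the window ending at $now.
        $windowStart = $now - $this->decaySeconds;
        $hits = array_values(array_filter(
            $this->hits[$identifier] ?? [],
            static fn (int $t): bool => $t > $windowStart,
        ));

        $allowed = count($hits) < $this->maxAttempts;
        if ($allowed) {
            $hits[] = $now; // only accepted requests consume quota
        }
        $this->hits[$identifier] = $hits;

        // A slot frees up when the oldest hit ages out (epoch seconds, assumed format).
        $resetAt = ($hits[0] ?? $now) + $this->decaySeconds;
        $headers = [
            'X-RateLimit-Limit' => (string) $this->maxAttempts,
            'X-RateLimit-Remaining' => (string) ($this->maxAttempts - count($hits)),
            'X-RateLimit-Reset' => (string) $resetAt,
        ];
        if (! $allowed) {
            $headers['Retry-After'] = (string) ($resetAt - $now);
        }

        return ['allowed' => $allowed, 'status' => $allowed ? 200 : 429, 'headers' => $headers];
    }
}

// Constructed scenario: limit of 3 per 60 s, keyed by a documentation-range IP.
$limiter = new SlidingWindowLimiter(maxAttempts: 3, decaySeconds: 60);
foreach ([0, 10, 20, 30, 61] as $t) {
    $r = $limiter->attempt('ip:203.0.113.7', 1_700_000_000 + $t);
    echo "t+{$t}s {$r['status']} " . json_encode($r['headers']) . PHP_EOL;
}
```

Rejected requests are not recorded here, so a client that keeps retrying while limited does not extend its own lockout.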

Copilot AI left a comment

Pull request overview

This PR adds comprehensive rate limiting middleware support to the Tempest framework. The implementation provides a flexible, attribute-based approach to protecting API routes from abuse by limiting request frequency based on IP address, authenticated user, or session.

Changes:

  • New #[RateLimit] attribute for declarative rate limiting configuration on routes and controllers
  • Cache-based sliding window rate limiting algorithm with standard HTTP headers (X-RateLimit-*)
  • Support for multiple rate limiting strategies (IP, user, session) with customizable keys

Reviewed changes

Copilot reviewed 12 out of 12 changed files in this pull request and generated 10 comments.

| File | Description |
| --- | --- |
| packages/http/src/Responses/TooManyRequests.php | HTTP 429 response with Retry-After and rate limit headers |
| packages/router/src/RateLimit.php | Route decorator attribute for configuring rate limits |
| packages/router/src/RateLimitMiddleware.php | Middleware implementation handling rate limit enforcement and identifier resolution |
| packages/router/src/RateLimiting/RateLimiter.php | Interface defining rate limiter contract |
| packages/router/src/RateLimiting/RateLimitResult.php | DTO for rate limit check results |
| packages/router/src/RateLimiting/CacheRateLimiter.php | Production cache-based rate limiter implementation |
| packages/router/src/RateLimiting/RateLimiterInitializer.php | Dependency injection initializer |
| packages/router/src/RateLimiting/Testing/TestingRateLimiter.php | In-memory rate limiter for testing |
| tests/Integration/Route/RateLimitMiddlewareTest.php | Integration tests covering middleware behavior |
| tests/Integration/Route/Fixtures/RateLimitedController.php | Test controller fixtures |
| packages/router/tests/RateLimiting/RateLimitResultTest.php | Unit tests for RateLimitResult |
| packages/router/tests/RateLimiting/CacheRateLimiterTest.php | Unit tests for CacheRateLimiter |

Tresor-Kasenda and others added 2 commits February 6, 2026 15:38
Co-authored-by: Enzo Innocenzi <enzo@innocenzi.dev>
- Introduced CacheRateLimiter for managing rate limits using cache.
- Created RateLimitResult class to encapsulate results of rate limit checks.
- Added RateLimiter interface for consistent rate limiting behavior.
- Developed RateLimitBy enum to specify client identification methods for rate limiting.
- Implemented RateLimitIdentifierResolver interface for custom client identification logic.
- Enhanced TestingRateLimiter with assertion methods for better test validation.
- Updated RateLimiterInitializer to integrate new cache-based rate limiting.
- Removed obsolete tests related to previous rate limiting implementations.
- Updated integration tests to utilize new rate limiting features and ensure proper functionality.
@innocenzi innocenzi marked this pull request as draft February 7, 2026 14:04
@brendt
Member

brendt commented Feb 9, 2026

Hi, I appreciate your enthusiasm! I noticed a couple more pretty large PRs from you and I assume they were in large parts created by AI, please let me know if that's not the case.

While I'm sure there's a lot of value to these contributions, we're unable to review such vast amounts of changes by contributors that we haven't interacted with before. Keep in mind that I, together with a small team of regular contributors, are the ones who'll have to take ownership of this code after it's been merged, and we don't feel comfortable doing that.

You're still very welcome to contribute to Tempest, but I'd like to ask the following:

  • Please disclose if you're relying heavily on AI
  • Make your PRs smaller and more focussed on one specific feature

@brendt brendt closed this Feb 9, 2026