Enhanced Rate Limiting Implementation

[TomasDmArg]

Description

As a system administrator, I want to implement endpoint-specific rate limits to protect the API against abuse and potential denial of service attacks.

Context

• Current implementation (Add request rate limit verification #46) has a global limit of 50 requests per IP per minute
• Need to enhance with endpoint-specific limits

Implementation Checklist

• Extend current rate limiting implementation to support different limits per route
• Configure rate limits:
  • Authentication endpoints: 5 requests per IP per minute
  • Public endpoints: 30 requests per IP per minute
  • Authenticated endpoints: 50 requests per IP per minute
• Add rate limit headers to responses:
  • X-RateLimit-Limit
  • X-RateLimit-Remaining
  • X-RateLimit-Reset
• Implement 429 Too Many Requests responses when limits are exceeded
• Set up efficient storage for rate limit counters
• Add proper error messages in responses

Testing Checklist

• Verify authentication endpoints block after 5 attempts/minute
• Verify public endpoints allow 30 requests/minute
• Verify authenticated endpoints allow 50 requests/minute
• Test rate limit headers are present and accurate
• Confirm counters reset after the time window
• Verify different IPs have independent counters
• Load test to ensure performance impact is minimal