Add rate limiting to POST /api/generate — 10 requests per minute per subscription #1378

Open
opened 2026-04-13 16:23:59 -04:00 by pook · 0 comments
Owner

Prevent abuse of the document generation endpoint:

  1. Apply rate limiting to POST /api/generate: 10 requests per minute per authenticated user/subscription
  2. If no auth yet, fall back to IP-based limiting
  3. Return 429 with: { error: 'Generation limit reached. Please wait before generating more documents.' }
  4. Include rate limit headers: X-RateLimit-Limit, X-RateLimit-Remaining
  5. Write test: 11th request within 60s returns 429

Acceptance: Rate limit enforced at 10/min. Legitimate users unaffected. Abuse blocked. Test passes.


Generated by CEO Planner (priority: 3)
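One way to implement items 1 through 4 as an added example (not code from the compliancebot project): a fixed-window limiter keyed by subscription, falling back to the client IP when no user is attached, returning the 429 body and headers the issue specifies plus a Retry-After header. The `req.user.subscriptionId`, `req.ip` and Express-style `res.set`/`res.status` shapes are assumptions; the store is in-memory and the clock is injectable so the 11th-request test can run offline.

```javascript
// Rate limit for POST /api/generate: 10 requests per 60 s window per key.
const LIMIT = 10;
const WINDOW_MS = 60_000;
const LIMIT_BODY = { error: 'Generation limit reached. Please wait before generating more documents.' };

// Assumed in-memory store: key -> { start, count }. With several app
// instances this must move to a shared store so the limit holds globally.
const windows = new Map();

function rateLimitKey(req) {
  // Prefer the authenticated subscription; fall back to IP before auth exists.
  if (req.user && req.user.subscriptionId) return `sub:${req.user.subscriptionId}`;
  return `ip:${req.ip}`;
}

// Decide whether a request may proceed. Returns { status, headers, body }.
// `now` is injectable so tests control time instead of sleeping.
function checkGenerateLimit(req, now = Date.now()) {
  const key = rateLimitKey(req);
  let w = windows.get(key);
  if (!w || now - w.start >= WINDOW_MS) {
    w = { start: now, count: 0 };  // open a fresh window
    windows.set(key, w);
  }
  const headers = { 'X-RateLimit-Limit': String(LIMIT) };
  if (w.count >= LIMIT) {
    headers['X-RateLimit-Remaining'] = '0';
    headers['Retry-After'] = String(Math.ceil((w.start + WINDOW_MS - now) / 1000));
    return { status: 429, headers, body: LIMIT_BODY };
  }
  w.count += 1;
  headers['X-RateLimit-Remaining'] = String(LIMIT - w.count);
  return { status: 200, headers, body: null };
}

// Express-style middleware (assumed req/res/next shape) for the route.
function generateRateLimiter(req, res, next) {
  const decision = checkGenerateLimit(req);
  res.set(decision.headers);
  if (decision.status === 429) return res.status(429).json(decision.body);
  next();
}

function resetRateLimitStore() { windows.clear(); }
```

A fixed window admits up to 2x the limit straddling a window boundary; if that matters for abuse, swap the counter for a sliding log or token bucket while keeping the same key and response shape.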

Reference
pook/compliancebot#1378