adding rate limit to the API

OpenCand.API/Config/RateLimitingConfig.cs

@@ -0,0 +1,91 @@
+using Microsoft.AspNetCore.RateLimiting;
+using System.Threading.RateLimiting;
+
+namespace OpenCand.API.Config
+{
+    public static class RateLimitingConfig
+    {
+        public const string DefaultPolicy = "DefaultPolicy";
+        public const string CandidatoSearchPolicy = "CandidatoSearchPolicy";
+        public const string CpfRevealPolicy = "CpfRevealPolicy";
+
+        public static void ConfigureRateLimiting(this IServiceCollection services)
+        {
+            services.AddRateLimiter(options =>
+            {
+                options.GlobalLimiter = PartitionedRateLimiter.Create<HttpContext, string>(httpContext =>
+                    RateLimitPartition.GetFixedWindowLimiter(
+                        partitionKey: GetClientIdentifier(httpContext),
+                        factory: partition => new FixedWindowRateLimiterOptions
+                        {
+                            AutoReplenishment = true,
+                            PermitLimit = 2000, // Global limit per minute
+                            Window = TimeSpan.FromMinutes(1)
+                        }));
+
+                // Default policy: 200 requests per minute with burst of 100
+                options.AddFixedWindowLimiter(policyName: DefaultPolicy, options =>
+                {
+                    options.PermitLimit = 200;
+                    options.Window = TimeSpan.FromMinutes(1);
+                    options.QueueProcessingOrder = QueueProcessingOrder.OldestFirst;
+                    options.QueueLimit = 100; // Burst capacity
+                });
+
+                // Candidato Search policy: 300 requests per minute with burst of 200
+                options.AddFixedWindowLimiter(policyName: CandidatoSearchPolicy, options =>
+                {
+                    options.PermitLimit = 300;
+                    options.Window = TimeSpan.FromMinutes(1);
+                    options.QueueProcessingOrder = QueueProcessingOrder.OldestFirst;
+                    options.QueueLimit = 200; // Burst capacity
+                });
+
+                // CPF Reveal policy: 15 requests per minute without burst
+                options.AddFixedWindowLimiter(policyName: CpfRevealPolicy, options =>
+                {
+                    options.PermitLimit = 15;
+                    options.Window = TimeSpan.FromMinutes(1);
+                    options.QueueProcessingOrder = QueueProcessingOrder.OldestFirst;
+                    options.QueueLimit = 0; // No burst
+                });
+
+                options.OnRejected = async (context, token) =>
+                {
+                    context.HttpContext.Response.StatusCode = 429;
+                    
+                    var retryAfter = GetRetryAfter(context);
+                    if (retryAfter.HasValue)
+                    {
+                        context.HttpContext.Response.Headers.Add("Retry-After", retryAfter.Value.ToString());
+                    }
+
+                    await context.HttpContext.Response.WriteAsync(
+                        "Rate limit exceeded. Please try again later.", cancellationToken: token);
+                };
+            });
+        }
+
+        private static string GetClientIdentifier(HttpContext httpContext)
+        {
+            // Get client IP address for partitioning
+            var clientIp = httpContext.Connection.RemoteIpAddress?.ToString() 
+                ?? httpContext.Request.Headers["X-Forwarded-For"].FirstOrDefault() 
+                ?? "unknown";
+            
+            // Include the endpoint in the partition key for endpoint-specific limits
+            var endpoint = httpContext.Request.Path.ToString();
+            
+            return $"{clientIp}:{endpoint}";
+        }
+
+        private static int? GetRetryAfter(OnRejectedContext context)
+        {
+            if (context.Lease.TryGetMetadata(MetadataName.RetryAfter, out var retryAfter))
+            {
+                return (int)retryAfter.TotalSeconds;
+            }
+            return null;
+        }
+    }
+}

OpenCand.API/Controllers/CandidatoController.cs

@@ -1,11 +1,14 @@
 using Microsoft.AspNetCore.Mvc;
+using Microsoft.AspNetCore.RateLimiting;
 using Microsoft.VisualBasic;
+using OpenCand.API.Config;
 using OpenCand.API.Model;
 using OpenCand.API.Services;
 using OpenCand.Core.Models;
 
 namespace OpenCand.API.Controllers
 {
+    [EnableRateLimiting(RateLimitingConfig.DefaultPolicy)]
     public class CandidatoController : BaseController
     {
         private readonly OpenCandService openCandService;
@@ -16,6 +19,7 @@ namespace OpenCand.API.Controllers
         }
 
         [HttpGet("search")]
+        [EnableRateLimiting(RateLimitingConfig.CandidatoSearchPolicy)]
         public async Task<CandidatoSearchResult> CandidatoSearch([FromQuery] string q)
         {
             return await openCandService.SearchCandidatosAsync(q);
@@ -40,6 +44,7 @@ namespace OpenCand.API.Controllers
         }
 
         [HttpGet("{id}/reveal-cpf")]
+        [EnableRateLimiting(RateLimitingConfig.CpfRevealPolicy)]
         public async Task<CpfRevealResult> GetCandidatoCpfById([FromRoute] Guid id)
         {
             var rnd = new Random();

OpenCand.API/Controllers/StatsController.cs

@@ -1,9 +1,12 @@
 using Microsoft.AspNetCore.Mvc;
+using Microsoft.AspNetCore.RateLimiting;
+using OpenCand.API.Config;
 using OpenCand.API.Services;
 using OpenCand.Core.Models;
 
 namespace OpenCand.API.Controllers
 {
+    [EnableRateLimiting(RateLimitingConfig.DefaultPolicy)]
     public class StatsController : BaseController
     {
         private readonly OpenCandService openCandService;

OpenCand.API/OpenCand.API.csproj

@@ -5,10 +5,9 @@
     <Nullable>enable</Nullable>
     <ImplicitUsings>enable</ImplicitUsings>
   </PropertyGroup>
-
   <ItemGroup>
-    <PackageReference Include="Npgsql" Version="8.0.2" />
+    <PackageReference Include="Npgsql" Version="9.0.3" />
-    <PackageReference Include="Swashbuckle.AspNetCore" Version="6.6.2" />
+    <PackageReference Include="Swashbuckle.AspNetCore" Version="8.1.3" />
 	<PackageReference Include="Dapper" Version="2.1.66" />
   </ItemGroup>
 

OpenCand.API/Program.cs

@@ -10,13 +10,14 @@ namespace OpenCand.API
     {
         public static void Main(string[] args)
         {
-            var builder = WebApplication.CreateBuilder(args);
+            var builder = WebApplication.CreateBuilder(args);            // Add services to the container.
-
-            // Add services to the container.
             builder.Services.AddControllers();
 
             SetupServices(builder);
 
+            // Configure rate limiting
+            builder.Services.ConfigureRateLimiting();
+
             builder.Services.AddEndpointsApiExplorer();
             builder.Services.AddSwaggerGen();
 
@@ -34,9 +35,10 @@ namespace OpenCand.API
             {
                 FileProvider = new PhysicalFileProvider(Path.Combine(workingDir, "fotos_cand")),
                 RequestPath = "/assets/fotos"
-            });
+            });            app.UseHttpsRedirection();
 
-            app.UseHttpsRedirection();
+            // Use rate limiting middleware
+            app.UseRateLimiter();
 
             app.UseAuthorization();
 

OpenCand.ETL/OpenCand.ETL.csproj

@@ -7,11 +7,11 @@
     <Nullable>enable</Nullable>
   </PropertyGroup>
   <ItemGroup>
-    <PackageReference Include="CsvHelper" Version="33.0.1" />
+    <PackageReference Include="CsvHelper" Version="33.1.0" />
     <PackageReference Include="Dapper" Version="2.1.66" />
     <PackageReference Include="Microsoft.Extensions.Caching.Memory" Version="9.0.5" />
     <PackageReference Include="Microsoft.Extensions.Hosting" Version="9.0.5" />
-    <PackageReference Include="Npgsql" Version="8.0.2" />
+    <PackageReference Include="Npgsql" Version="9.0.3" />
     <PackageReference Include="System.Text.Encoding.CodePages" Version="9.0.5" />
   </ItemGroup>
   <ItemGroup>