fix: add principal api rate limits

Author: ramtamilselvan

backend/src/index.ts

@@ -15,7 +15,7 @@ import { auditRoutes } from './routes/audit';
 import enterpriseIntegrationRoutes, { oidcPublicRouter } from './routes/enterprise/integration';
 import enterpriseComplianceRoutes from './routes/enterprise/compliance';
 import { authMiddleware } from './middleware/auth';
-import { createRateLimiter } from './middleware/rateLimit';
+import { createRateLimiter, extractPrincipalRateLimitIdentifier } from './middleware/rateLimit';
 import {
   checkedProductionSafetyControls,
   collectProductionSafetyViolations,
@@ -175,6 +175,18 @@ const apiRouteLimiter = createRateLimiter({
   keyPrefix: 'rl:api-route',
 });
 
+function createAuthenticatedPrincipalLimiter(
+  keyPrefix: string,
+  maxRequests: number,
+) {
+  return createRateLimiter({
+    windowMs: 60_000,
+    maxRequests,
+    keyPrefix,
+    keyExtractor: extractPrincipalRateLimitIdentifier,
+  });
+}
+
 const REQUEST_ID_PATTERN = /^[A-Za-z0-9._:-]{1,128}$/;
 
 function resolveRequestId(value: unknown): string {
@@ -339,18 +351,24 @@ app.use('/api', globalLimiter);
 // ---------------------------------------------------------------------------
 // API routes
 // ---------------------------------------------------------------------------
+const credentialPrincipalLimiter = createAuthenticatedPrincipalLimiter('rl:principal:credentials', 30);
+const verificationPrincipalLimiter = createAuthenticatedPrincipalLimiter('rl:principal:verification', 60);
+const governancePrincipalLimiter = createAuthenticatedPrincipalLimiter('rl:principal:governance', 30);
+const auditPrincipalLimiter = createAuthenticatedPrincipalLimiter('rl:principal:audit', 30);
+
 app.use('/api/v1/identity', apiRouteLimiter, identityRoutes);
-app.use('/api/v1/credentials', apiRouteLimiter, authMiddleware, credentialRoutes);
-app.use('/api/v1/verification', apiRouteLimiter, authMiddleware, verificationRoutes);
-app.use('/api/v1/governance', apiRouteLimiter, authMiddleware, governanceRoutes);
-app.use('/api/v1/audit', apiRouteLimiter, authMiddleware, auditRoutes);
+app.use('/api/v1/credentials', apiRouteLimiter, authMiddleware, credentialPrincipalLimiter, credentialRoutes);
+app.use('/api/v1/verification', apiRouteLimiter, authMiddleware, verificationPrincipalLimiter, verificationRoutes);
+app.use('/api/v1/governance', apiRouteLimiter, authMiddleware, governancePrincipalLimiter, governanceRoutes);
+app.use('/api/v1/audit', apiRouteLimiter, authMiddleware, auditPrincipalLimiter, auditRoutes);
 
 // Enterprise routes — mounted behind auth + stricter rate limit
 const enterpriseLimiter = createRateLimiter({
   windowMs: 60_000,
   maxRequests: 30,
   keyPrefix: 'rl:enterprise',
 });
+const enterprisePrincipalLimiter = createAuthenticatedPrincipalLimiter('rl:principal:enterprise', 30);
 
 // OIDC public routes — discovery, JWKS, and token endpoints MUST be accessible
 // without a bearer token per OpenID Connect Discovery §4 and OAuth 2.0 §3.2.
@@ -363,8 +381,8 @@ const oidcPublicLimiter = createRateLimiter({
 app.use('/api/v1/enterprise', oidcPublicLimiter, oidcPublicRouter);
 
 // Auth-gated enterprise routes (registration, authorize, userinfo, webhooks, etc.)
-app.use('/api/v1/enterprise', enterpriseLimiter, authMiddleware, enterpriseIntegrationRoutes);
-app.use('/api/v1/enterprise/compliance', enterpriseLimiter, authMiddleware, enterpriseComplianceRoutes);
+app.use('/api/v1/enterprise', enterpriseLimiter, authMiddleware, enterprisePrincipalLimiter, enterpriseIntegrationRoutes);
+app.use('/api/v1/enterprise/compliance', enterpriseLimiter, authMiddleware, enterprisePrincipalLimiter, enterpriseComplianceRoutes);
 
 const { aiComplianceRoutes } = require('./routes/ai/compliance') as typeof import('./routes/ai/compliance');
 const { aiAgentIdentityRoutes } = require('./routes/ai/agent-identity') as typeof import('./routes/ai/agent-identity');

backend/src/middleware/rateLimit.ts

@@ -284,9 +284,13 @@ function handleRateLimitStoreFailure(
 export function createDIDRateLimiter(config: Omit<RateLimitConfig, 'keyExtractor'>) {
   return createRateLimiter({
     ...config,
-    keyExtractor: (req: Request) => {
-      const authReq = req as Request & { identity?: { did: string } };
-      return authReq.identity?.did ?? extractClientIP(req);
-    },
+    keyExtractor: extractPrincipalRateLimitIdentifier,
   });
 }
+
+export function extractPrincipalRateLimitIdentifier(req: Request): string {
+  const authReq = req as Request & { identity?: { id?: string; did?: string } };
+  if (authReq.identity?.did) return authReq.identity.did;
+  if (authReq.identity?.id) return `identity:${authReq.identity.id}`;
+  return extractClientIP(req);
+}

backend/test/rate-limit.test.ts

@@ -14,7 +14,10 @@ jest.mock('../src/index', () => ({
   },
 }));
 
-import { createRateLimiter } from '../src/middleware/rateLimit';
+import {
+  createRateLimiter,
+  extractPrincipalRateLimitIdentifier,
+} from '../src/middleware/rateLimit';
 
 const ORIGINAL_ENV = { ...process.env };
 
@@ -176,6 +179,58 @@ describe('createRateLimiter', () => {
     );
   });
 
+  it('keys authenticated principal limits by DID instead of source IP', async () => {
+    mockEval.mockResolvedValue(1);
+    const limiter = createRateLimiter({
+      windowMs: 60_000,
+      maxRequests: 2,
+      keyPrefix: 'rl:test',
+      keyExtractor: extractPrincipalRateLimitIdentifier,
+    });
+    const { req, next } = createMockHttp();
+    req.ip = '198.51.100.23';
+    req.identity = { id: 'identity-1', did: 'did:aethelred:alice' };
+
+    await limiter(req, createMockHttp().res, next);
+
+    expect(mockEval).toHaveBeenCalledWith(
+      expect.stringContaining('ZREMRANGEBYSCORE'),
+      1,
+      'rl:test:did:aethelred:alice',
+      expect.any(String),
+      expect.any(String),
+      expect.any(String),
+      expect.any(String),
+      expect.any(String),
+    );
+  });
+
+  it('falls back to IP for principal limits before authentication', async () => {
+    mockEval.mockResolvedValue(1);
+    const limiter = createRateLimiter({
+      windowMs: 60_000,
+      maxRequests: 2,
+      keyPrefix: 'rl:test',
+      keyExtractor: extractPrincipalRateLimitIdentifier,
+    });
+    const { req, next } = createMockHttp();
+    req.ip = '198.51.100.23';
+    req.socket.remoteAddress = '198.51.100.23';
+
+    await limiter(req, createMockHttp().res, next);
+
+    expect(mockEval).toHaveBeenCalledWith(
+      expect.stringContaining('ZREMRANGEBYSCORE'),
+      1,
+      'rl:test:198.51.100.23',
+      expect.any(String),
+      expect.any(String),
+      expect.any(String),
+      expect.any(String),
+      expect.any(String),
+    );
+  });
+
   it('fails open outside production when Redis returns an invalid count', async () => {
     mockEval.mockResolvedValue(null);
     const limiter = createRateLimiter({ windowMs: 60_000, maxRequests: 2, keyPrefix: 'rl:test' });