feat(utils): add session-based rate limiting overload (#878)

kcenon · web-flow · commit 088fde2838ce · 2026-03-20T16:56:52.000+09:00
* Add session-based rate limiting overload Add allow(client_id, session_id) overload that creates a composite key "client_id:session_id" for per-session rate limiting. Falls back to IP-only behavior when session_id is empty. * docs: add Phase 2 changelog entries for #871 and #872 Add security entry for no_tls deprecation warning and added entry for rate_limiter session-based keys.
diff --git a/CHANGELOG.md b/CHANGELOG.md
@@ -11,7 +11,13 @@ and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0
 
 - Parallelize connection pool initialization with `std::async` ([#870](https://github.com/kcenon/network_system/issues/870))
 
+### Security
+
+- Mark `no_tls` policy as deprecated with warning to use TLS-enabled policies in production ([#871](https://github.com/kcenon/network_system/issues/871))
+
 ### Added
+
+- Extend `rate_limiter` to support composite session-based identification keys ([#872](https://github.com/kcenon/network_system/issues/872))
 - Migration guide for transitioning from adapters to NetworkSystemBridge pattern
   - Comprehensive step-by-step migration instructions
   - API comparison tables for old vs new patterns
diff --git a/src/internal/utils/rate_limiter.h b/src/internal/utils/rate_limiter.h
@@ -160,6 +160,29 @@ class rate_limiter {
         return false;
     }
 
+    /**
+     * @brief Check if request should be allowed (session-aware)
+     *
+     * @param client_id Client identifier (e.g., IP address)
+     * @param session_id Session identifier for per-session rate limiting
+     * @return true if request is allowed, false if rate limited
+     *
+     * When session_id is non-empty, a composite key "client_id:session_id"
+     * is used, enabling per-session rate limiting. When session_id is empty,
+     * falls back to client_id-only behavior.
+     */
+    [[nodiscard]] bool allow(std::string_view client_id, std::string_view session_id) {
+        if (session_id.empty()) {
+            return allow(client_id);
+        }
+        std::string composite_key;
+        composite_key.reserve(client_id.size() + 1 + session_id.size());
+        composite_key.append(client_id);
+        composite_key.push_back(':');
+        composite_key.append(session_id);
+        return allow(std::string_view(composite_key));
+    }
+
     /**
      * @brief Check if request would be allowed (without consuming token)
      *
