Maybe/app/services/api_rate_limiter.rb

class ApiRateLimiter
  # Rate limit tiers (requests per hour)
  RATE_LIMITS = {
    standard: 100,
    premium: 1000,
    enterprise: 10000
  }.freeze

  DEFAULT_TIER = :standard

  def initialize(api_key)
    @api_key = api_key
    @redis = Redis.new
  end

  # Check if the API key has exceeded its rate limit
  def rate_limit_exceeded?
    current_count >= rate_limit
  end

  # Increment the request count for this API key
  def increment_request_count!
    key = redis_key
    current_time = Time.current.to_i
    window_start = (current_time / 3600) * 3600 # Hourly window

    @redis.multi do |transaction|
      # Use a sliding window with hourly buckets
      transaction.hincrby(key, window_start.to_s, 1)
      transaction.expire(key, 7200) # Keep data for 2 hours to handle sliding window
    end
  end

  # Get current request count within the current hour
  def current_count
    key = redis_key
    current_time = Time.current.to_i
    window_start = (current_time / 3600) * 3600

    count = @redis.hget(key, window_start.to_s)
    count.to_i
  end

  # Get the rate limit for this API key's tier
  def rate_limit
    tier = determine_tier
    RATE_LIMITS[tier]
  end

  # Calculate seconds until the rate limit resets
  def reset_time
    current_time = Time.current.to_i
    next_window = ((current_time / 3600) + 1) * 3600
    next_window - current_time
  end

  # Get detailed usage information
  def usage_info
    {
      current_count: current_count,
      rate_limit: rate_limit,
      remaining: [ rate_limit - current_count, 0 ].max,
      reset_time: reset_time,
      tier: determine_tier
    }
  end

  # Class method to get usage for an API key without incrementing
  def self.usage_for(api_key)
    new(api_key).usage_info
  end

  private

    def redis_key
      "api_rate_limit:#{@api_key.id}"
    end

    def determine_tier
      # For now, all API keys are standard tier
      # This can be extended later to support different tiers based on user subscription
      # or API key configuration
      DEFAULT_TIER
    end
end
Add comprehensive API v1 with OAuth and API key authentication (#2389) * OAuth * Add API test routes and update Doorkeeper token handling for test environment - Introduced API namespace with test routes for controller testing in the test environment. - Updated Doorkeeper configuration to allow fallback to plain tokens in the test environment for easier testing. - Modified schema to change resource_owner_id type from bigint to string. * Implement API key authentication and enhance access control - Replaced Doorkeeper OAuth authentication with a custom method supporting both OAuth and API keys in the BaseController. - Added methods for API key authentication, including validation and logging. - Introduced scope-based authorization for API keys in the TestController. - Updated routes to include API key management endpoints. - Enhanced logging for API access to include authentication method details. - Added tests for API key functionality, including validation, scope checks, and access control enforcement. * Add API key rate limiting and usage tracking - Implemented rate limiting for API key authentication in BaseController. - Added methods to check rate limits, render appropriate responses, and include rate limit headers in responses. - Updated routes to include a new usage resource for tracking API usage. - Enhanced tests to verify rate limit functionality, including exceeding limits and per-key tracking. - Cleaned up Redis data in tests to ensure isolation between test cases. * Add Jbuilder for JSON rendering and refactor AccountsController - Added Jbuilder gem for improved JSON response handling. - Refactored index action in AccountsController to utilize Jbuilder for rendering JSON. - Removed manual serialization of accounts and streamlined response structure. - Implemented a before_action in BaseController to enforce JSON format for all API requests. * Add transactions resource to API routes - Added routes for transactions, allowing index, show, create, update, and destroy actions. - This enhancement supports comprehensive transaction management within the API. * Enhance API authentication and onboarding handling - Updated BaseController to skip onboarding requirements for API endpoints and added manual token verification for OAuth authentication. - Improved error handling and logging for invalid access tokens. - Introduced a method to set up the current context for API requests, ensuring compatibility with session-like behavior. - Excluded API paths from onboarding redirects in the Onboardable concern. - Updated database schema to change resource_owner_id type from bigint to string for OAuth access grants. * Fix rubocop offenses - Fix indentation and spacing issues - Convert single quotes to double quotes - Add spaces inside array brackets - Fix comment alignment - Add missing trailing newlines - Correct else/end alignment 🤖 Generated with [Claude Code](https://claude.ai/code) Co-Authored-By: Claude <noreply@anthropic.com> * Fix API test failures and improve test reliability - Fix ApiRateLimiterTest by removing mock users method and using fixtures - Fix UsageControllerTest by removing mock users method and using fixtures - Fix BaseControllerTest by using different users for multiple API keys - Use unique display_key values with SecureRandom to avoid conflicts - Fix double render issue in UsageController by returning after authorize_scope\! - Specify controller name in routes for usage resource - Remove trailing whitespace and empty lines per Rubocop All tests now pass and linting is clean. 🤖 Generated with [Claude Code](https://claude.ai/code) Co-Authored-By: Claude <noreply@anthropic.com> * Add API transactions controller warning to brakeman ignore The account_id parameter in the API transactions controller is properly validated on line 79: family.accounts.find(transaction_params[:account_id]) This ensures users can only create transactions in accounts belonging to their family, making this a false positive. 🤖 Generated with [Claude Code](https://claude.ai/code) Co-Authored-By: Claude <noreply@anthropic.com> --------- Signed-off-by: Josh Pigford <josh@joshpigford.com> Co-authored-by: Claude <noreply@anthropic.com> 2025-06-17 15:57:05 -05:00			`class ApiRateLimiter`
			`# Rate limit tiers (requests per hour)`
			`RATE_LIMITS = {`
			`standard: 100,`
			`premium: 1000,`
			`enterprise: 10000`
			`}.freeze`

			`DEFAULT_TIER = :standard`

			`def initialize(api_key)`
			`@api_key = api_key`
			`@redis = Redis.new`
			`end`

			`# Check if the API key has exceeded its rate limit`
			`def rate_limit_exceeded?`
			`current_count >= rate_limit`
			`end`

			`# Increment the request count for this API key`
			`def increment_request_count!`
			`key = redis_key`
			`current_time = Time.current.to_i`
			`window_start = (current_time / 3600) * 3600 # Hourly window`

			`@redis.multi do \|transaction\|`
			`# Use a sliding window with hourly buckets`
			`transaction.hincrby(key, window_start.to_s, 1)`
			`transaction.expire(key, 7200) # Keep data for 2 hours to handle sliding window`
			`end`
			`end`

			`# Get current request count within the current hour`
			`def current_count`
			`key = redis_key`
			`current_time = Time.current.to_i`
			`window_start = (current_time / 3600) * 3600`

			`count = @redis.hget(key, window_start.to_s)`
			`count.to_i`
			`end`

			`# Get the rate limit for this API key's tier`
			`def rate_limit`
			`tier = determine_tier`
			`RATE_LIMITS[tier]`
			`end`

			`# Calculate seconds until the rate limit resets`
			`def reset_time`
			`current_time = Time.current.to_i`
			`next_window = ((current_time / 3600) + 1) * 3600`
			`next_window - current_time`
			`end`

			`# Get detailed usage information`
			`def usage_info`
			`{`
			`current_count: current_count,`
			`rate_limit: rate_limit,`
			`remaining: [ rate_limit - current_count, 0 ].max,`
			`reset_time: reset_time,`
			`tier: determine_tier`
			`}`
			`end`

			`# Class method to get usage for an API key without incrementing`
			`def self.usage_for(api_key)`
			`new(api_key).usage_info`
			`end`

			`private`

			`def redis_key`
			`"api_rate_limit:#{@api_key.id}"`
			`end`

			`def determine_tier`
			`# For now, all API keys are standard tier`
			`# This can be extended later to support different tiers based on user subscription`
			`# or API key configuration`
			`DEFAULT_TIER`
			`end`
			`end`