Derive Retry-After header from configured RPS #252

@adnaan

Context

This follow-up task was identified during the review of PR #248.

Source PR: #248
PR Title: feat: add per-IP rate limiting for global and auth endpoints
Suggested by: @claude[bot]

Task Description

The auth deny handler hardcodes Retry-After: 60 but the auth RPS is configurable via RATE_LIMIT_AUTH_RPS (default 0.1). If someone sets RATE_LIMIT_AUTH_RPS=1, the header still says 60 seconds.

Compute Retry-After from the configured rate: ceil(1/rps) seconds. For the default 0.1 rps this gives 10s — the current 60s is intentionally conservative to discourage rapid retry, so document this choice if keeping it, or switch to the computed value.

The global deny handler uses Retry-After: 1 which is correct for 100 rps.
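An added example (not code from the repository behind PR #248) of deriving the auth handler's Retry-After from the configured rate instead of hardcoding 60: ceil(1/rps) seconds, so RATE_LIMIT_AUTH_RPS=0.1 yields 10 and the global 100 rps still yields 1. The function names, the 60 s fallback for an unusable rate, and the 24 h upper clamp are assumptions.

```go
package main

import (
	"math"
	"net/http"
	"os"
	"strconv"
)

// Assumption: 60 s mirrors the value hardcoded today and is used only when the
// configured rate is unusable; 24 h caps the header for absurdly small rates.
const (
	fallbackRetryAfter = 60
	maxRetryAfter      = 86400
)

// retryAfterSeconds derives Retry-After as ceil(1/rps), clamped to [1, maxRetryAfter].
func retryAfterSeconds(rps float64) int {
	if math.IsNaN(rps) || rps <= 0 {
		return fallbackRetryAfter
	}
	// The epsilon keeps representation error (e.g. 1/0.1) from rounding up a whole second.
	secs := math.Ceil(1/rps - 1e-9)
	if secs < 1 {
		return 1
	}
	if secs > maxRetryAfter {
		return maxRetryAfter
	}
	return int(secs)
}

// authRPSFromEnv reads RATE_LIMIT_AUTH_RPS, defaulting to 0.1 when unset or invalid.
func authRPSFromEnv() float64 {
	if v, err := strconv.ParseFloat(os.Getenv("RATE_LIMIT_AUTH_RPS"), 64); err == nil {
		return v
	}
	return 0.1
}

// denyHandler (hypothetical) answers 429 with Retry-After derived from the configured rate.
func denyHandler(rps float64) http.Handler {
	retryAfter := strconv.Itoa(retryAfterSeconds(rps))
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		w.Header().Set("Retry-After", retryAfter)
		http.Error(w, "rate limit exceeded", http.StatusTooManyRequests)
	})
}
```

Computing the header once at construction time keeps the hot deny path allocation-free; if the rate can be changed at runtime, recompute it when the limiter is reconfigured.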

Original Comment

The value 60 is hardcoded in the injected auth deny handler but the auth RPS is configurable. If someone sets RATE_LIMIT_AUTH_RPS=1, the Retry-After header will still say 60. Consider computing this from the configured rate. — @claude[bot]

Labels: follow-up (Follow-up task from PR review)
