fc-server: implent proper rate limiting with token bucket algorithm; fix rate_limit_rps

Signed-off-by: NotAShelf <raf@notashelf.dev> Change-Id: I68237ff6216337eba1afa8e8606d545b6a6a6964
2026-02-27 20:50:43 +03:00 · 2026-02-27 20:50:43 +03:00 · d0ffa5d9e5
commit d0ffa5d9e5
parent 754f5afb6d
4 changed files with 110 additions and 60 deletions
--- a/crates/common/src/config.rs
+++ b/crates/common/src/config.rs
@ -38,18 +38,21 @@ pub struct DatabaseConfig {
 #[derive(Debug, Clone, Serialize, Deserialize)]
 #[serde(default)]
 pub struct ServerConfig {
-  pub host:                String,
-  pub port:                u16,
-  pub request_timeout:     u64,
-  pub max_body_size:       usize,
-  pub api_key:             Option<String>,
-  pub allowed_origins:     Vec<String>,
-  pub cors_permissive:     bool,
-  pub rate_limit_rps:      Option<u64>,
-  pub rate_limit_burst:    Option<u32>,
+  pub host:                 String,
+  pub port:                 u16,
+  pub request_timeout:      u64,
+  pub max_body_size:        usize,
+  pub api_key:              Option<String>,
+  pub allowed_origins:      Vec<String>,
+  pub cors_permissive:      bool,
+  pub rate_limit_rps:       Option<u64>,
+  pub rate_limit_burst:     Option<u32>,
  /// Allowed URL schemes for repository URLs. Insecure schemes emit a warning
  /// on startup
-  pub allowed_url_schemes: Vec<String>,
+  pub allowed_url_schemes:  Vec<String>,
+  /// Force Secure flag on session cookies (enable when behind HTTPS reverse
+  /// proxy)
+  pub force_secure_cookies: bool,
 }

 #[derive(Debug, Clone, Serialize, Deserialize)]
@ -498,21 +501,22 @@ impl DatabaseConfig {
 impl Default for ServerConfig {
  fn default() -> Self {
    Self {
-      host:                "127.0.0.1".to_string(),
-      port:                3000,
-      request_timeout:     30,
-      max_body_size:       10 * 1024 * 1024, // 10MB
-      api_key:             None,
-      allowed_origins:     Vec::new(),
-      cors_permissive:     false,
-      rate_limit_rps:      None,
-      rate_limit_burst:    None,
-      allowed_url_schemes: vec![
+      host:                 "127.0.0.1".to_string(),
+      port:                 3000,
+      request_timeout:      30,
+      max_body_size:        10 * 1024 * 1024, // 10MB
+      api_key:              None,
+      allowed_origins:      Vec::new(),
+      cors_permissive:      false,
+      rate_limit_rps:       None,
+      rate_limit_burst:     None,
+      allowed_url_schemes:  vec![
        "https".into(),
        "http".into(),
        "git".into(),
        "ssh".into(),
      ],
+      force_secure_cookies: false,
    }
  }
 }