refactor: extract shared rate limiter, standardize error codes, name constants#4
Merged
refactor: extract shared rate limiter, standardize error codes, name constants#4
Conversation
…magic numbers - Extract SlidingWindowRateLimiter utility from 3 duplicate implementations (ChallengeKeyRateLimiter, DeviceRegistrationRateLimiter, WebSocketConnectionRateLimiter) - Standardize ApiException to use integer status codes (10 instances of HttpStatusCode.*.value replaced with literal ints for consistency with 98 existing) - Extract magic numbers in Application.kt to named constants: CLEANUP_INTERVAL_MS, MAX_REQUEST_BODY_BYTES, HSTS_MAX_AGE_SECONDS - Remove unused io.ktor.http.* import from BucketService.kt
8 tests covering boundary conditions, key independence, reset behavior, instance isolation, cleanup safety, and concurrent access under contention.
…ter refactor - Update server test count from 456 to 464 in AGENTS.md, CONTRIBUTING.md, and server/AGENTS.md (3 files, 5 occurrences) - Add SlidingWindowRateLimiter to server/AGENTS.md util listing and test table - Update stale ChallengeKeyRateLimiter reference in RateLimiterTest.kt comments - Remove unused assertEquals import and lambda parameter in test file
- Root: thin with Commands, File Map, Golden Samples, Heuristics, Terminology, and working scope index links - Server: add managed header, Setup, Code Style, Security, Checklist, Examples, and When Stuck sections - Android: add managed header, Setup, Code Style, Security, Checklist, Examples, and When Stuck sections - All 3 files pass validate-structure.sh (0 errors, 0 warnings)
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
1 participant
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Summary
Code quality cleanup addressing issues found by comprehensive codebase audit:
SlidingWindowRateLimiterutility — consolidates 3 near-identical rate limiter implementations (ChallengeKeyRateLimiter,DeviceRegistrationRateLimiter,WebSocketConnectionRateLimiter) into a single reusable class with configurablemaxRequestsandwindowMs. Reduces ~90 lines of duplicated synchronized sliding-window logic to a single 66-line utility.SlidingWindowRateLimiter— boundary conditions, key independence, reset, instance isolation, cleanup safety, concurrent access.ApiExceptionerror codes — replaces 10 instances ofApiException(HttpStatusCode.BadRequest.value, ...)with integer literals (400,403,404,429) for consistency with 98 existing instances.CLEANUP_INTERVAL_MS(5 min),MAX_REQUEST_BODY_BYTES(10 MB), andHSTS_MAX_AGE_SECONDS(2 years) from inline expressions inApplication.kt.io.ktor.http.*fromBucketService.kt.Test plan