From 0f7166c1a368da07fea919dc0d28efa2d792bae8 Mon Sep 17 00:00:00 2001
From: Gelu Mihes <gelu@mihes.ro>
Date: Tue, 12 May 2026 10:16:17 +0300
Subject: [PATCH] Changes

---
 api/Controllers/CvMatcherController.cs       |  2 +-
 api/appsettings.json                         |  2 +-
 docker-compose/.env.template                 | 12 ++++++++++++
 docker-compose/docker-compose.production.yml | 11 +++++++++++
 docker-compose/docker-compose.staging.yml    | 11 +++++++++++
 docker-compose/docker-compose.yml            | 11 +++++++++++
 6 files changed, 47 insertions(+), 2 deletions(-)

diff --git a/api/Controllers/CvMatcherController.cs b/api/Controllers/CvMatcherController.cs
index 0e18c48..d3550ef 100644
--- a/api/Controllers/CvMatcherController.cs
+++ b/api/Controllers/CvMatcherController.cs
@@ -16,7 +16,7 @@ namespace Api.Controllers;
 /// </summary>
 [ApiController]
 [Route("api/cv-matcher")]
-[EnableRateLimiting("cv-matcher")]
+[EnableRateLimiting("CvMatcher")]
 public sealed class CvMatcherController : ControllerBase
 {
     private readonly ICvMatcherApi _cvApi;
diff --git a/api/appsettings.json b/api/appsettings.json
index 43c8c48..5d00ad8 100644
--- a/api/appsettings.json
+++ b/api/appsettings.json
@@ -124,7 +124,7 @@
         "QueueLimit": 0,
         "AutoReplenishment": true
       },
-      "cv-matcher": {
+      "CvMatcher": {
         "PermitLimit": 10,
         "Window": "00:10:00",
         "QueueLimit": 0,
diff --git a/docker-compose/.env.template b/docker-compose/.env.template
index cd58b87..dd7fcd6 100644
--- a/docker-compose/.env.template
+++ b/docker-compose/.env.template
@@ -101,3 +101,15 @@ Serilog__WriteTo__2__Args__enableSsl=true
 # CvMatcher API internal
 CvMatcherApi__BaseUrl=http://cv-matcher-api:8081
 CvMatcherApi__InternalApiKey=
+
+# Rate Limiting (api - public rate limits)
+# Window uses TimeSpan strings: "hh:mm:ss" (e.g. "00:01:00" = 1 minute, "00:10:00" = 10 minutes).
+RateLimiting__Global__PermitLimit=120
+RateLimiting__Global__Window=00:01:00
+RateLimiting__Global__QueueLimit=0
+RateLimiting__Policies__contact__PermitLimit=5
+RateLimiting__Policies__contact__Window=00:01:00
+RateLimiting__Policies__contact__QueueLimit=0
+RateLimiting__Policies__CvMatcher__PermitLimit=10
+RateLimiting__Policies__CvMatcher__Window=00:10:00
+RateLimiting__Policies__CvMatcher__QueueLimit=0
diff --git a/docker-compose/docker-compose.production.yml b/docker-compose/docker-compose.production.yml
index 2f913fe..a10b7a7 100644
--- a/docker-compose/docker-compose.production.yml
+++ b/docker-compose/docker-compose.production.yml
@@ -170,6 +170,17 @@ services:
       - CvMatcherApi__BaseUrl=${CvMatcherApi__BaseUrl:-http://cv-matcher-api:8080}
       - CvMatcherApi__InternalApiKey=${CvMatcherApi__InternalApiKey:-change-this-internal-key}
 
+      # Rate Limiting: matches api appsettings RateLimiting section
+      - RateLimiting__Global__PermitLimit=${RateLimiting__Global__PermitLimit:-120}
+      - RateLimiting__Global__Window=${RateLimiting__Global__Window:-00:01:00}
+      - RateLimiting__Global__QueueLimit=${RateLimiting__Global__QueueLimit:-0}
+      - RateLimiting__Policies__contact__PermitLimit=${RateLimiting__Policies__contact__PermitLimit:-5}
+      - RateLimiting__Policies__contact__Window=${RateLimiting__Policies__contact__Window:-00:01:00}
+      - RateLimiting__Policies__contact__QueueLimit=${RateLimiting__Policies__contact__QueueLimit:-0}
+      - RateLimiting__Policies__CvMatcher__PermitLimit=${RateLimiting__Policies__CvMatcher__PermitLimit:-10}
+      - RateLimiting__Policies__CvMatcher__Window=${RateLimiting__Policies__CvMatcher__Window:-00:10:00}
+      - RateLimiting__Policies__CvMatcher__QueueLimit=${RateLimiting__Policies__CvMatcher__QueueLimit:-0}
+
       # CORS: not in the uploaded api appsettings, but used by your API startup config.
       - Cors__AllowedOrigins__0=${Cors__AllowedOrigins__0:-http://localhost:5000}
       - Cors__AllowedOrigins__1=${Cors__AllowedOrigins__1:-http://web:8080}
diff --git a/docker-compose/docker-compose.staging.yml b/docker-compose/docker-compose.staging.yml
index 174ed84..c68ec3f 100644
--- a/docker-compose/docker-compose.staging.yml
+++ b/docker-compose/docker-compose.staging.yml
@@ -170,6 +170,17 @@ services:
       - CvMatcherApi__BaseUrl=${CvMatcherApi__BaseUrl:-http://cv-matcher-api:8080}
       - CvMatcherApi__InternalApiKey=${CvMatcherApi__InternalApiKey:-change-this-internal-key}
 
+      # Rate Limiting: matches api appsettings RateLimiting section
+      - RateLimiting__Global__PermitLimit=${RateLimiting__Global__PermitLimit:-120}
+      - RateLimiting__Global__Window=${RateLimiting__Global__Window:-00:01:00}
+      - RateLimiting__Global__QueueLimit=${RateLimiting__Global__QueueLimit:-0}
+      - RateLimiting__Policies__contact__PermitLimit=${RateLimiting__Policies__contact__PermitLimit:-5}
+      - RateLimiting__Policies__contact__Window=${RateLimiting__Policies__contact__Window:-00:01:00}
+      - RateLimiting__Policies__contact__QueueLimit=${RateLimiting__Policies__contact__QueueLimit:-0}
+      - RateLimiting__Policies__CvMatcher__PermitLimit=${RateLimiting__Policies__CvMatcher__PermitLimit:-10}
+      - RateLimiting__Policies__CvMatcher__Window=${RateLimiting__Policies__CvMatcher__Window:-00:10:00}
+      - RateLimiting__Policies__CvMatcher__QueueLimit=${RateLimiting__Policies__CvMatcher__QueueLimit:-0}
+
       # CORS: not in the uploaded api appsettings, but used by your API startup config.
       - Cors__AllowedOrigins__0=${Cors__AllowedOrigins__0:-http://localhost:5000}
       - Cors__AllowedOrigins__1=${Cors__AllowedOrigins__1:-http://web:8080}
diff --git a/docker-compose/docker-compose.yml b/docker-compose/docker-compose.yml
index ca9775c..5916e3e 100644
--- a/docker-compose/docker-compose.yml
+++ b/docker-compose/docker-compose.yml
@@ -190,6 +190,17 @@ services:
       - CvMatcherApi__BaseUrl=${CvMatcherApi__BaseUrl:-http://cv-matcher-api:8080}
       - CvMatcherApi__InternalApiKey=${CvMatcherApi__InternalApiKey:-change-this-internal-key}
 
+      # Rate Limiting: matches api appsettings RateLimiting section
+      - RateLimiting__Global__PermitLimit=${RateLimiting__Global__PermitLimit:-120}
+      - RateLimiting__Global__Window=${RateLimiting__Global__Window:-00:01:00}
+      - RateLimiting__Global__QueueLimit=${RateLimiting__Global__QueueLimit:-0}
+      - RateLimiting__Policies__contact__PermitLimit=${RateLimiting__Policies__contact__PermitLimit:-5}
+      - RateLimiting__Policies__contact__Window=${RateLimiting__Policies__contact__Window:-00:01:00}
+      - RateLimiting__Policies__contact__QueueLimit=${RateLimiting__Policies__contact__QueueLimit:-0}
+      - RateLimiting__Policies__CvMatcher__PermitLimit=${RateLimiting__Policies__CvMatcher__PermitLimit:-10}
+      - RateLimiting__Policies__CvMatcher__Window=${RateLimiting__Policies__CvMatcher__Window:-00:10:00}
+      - RateLimiting__Policies__CvMatcher__QueueLimit=${RateLimiting__Policies__CvMatcher__QueueLimit:-0}
+
       # CORS: not in the uploaded api appsettings, but used by your API startup config.
       - Cors__AllowedOrigins__0=${Cors__AllowedOrigins__0:-http://localhost:5000}
       - Cors__AllowedOrigins__1=${Cors__AllowedOrigins__1:-http://web:8080}