Changes

api/Program.cs

@@ -53,7 +53,7 @@ try
     builder.Services.AddSwaggerWithXmlComments(Assembly.GetExecutingAssembly(), "API");
     builder.Services.ConfigureCaddyForwardedHeaders();
     builder.Services.AddFrontendCorsFromConfiguration(builder.Configuration);
-    builder.Services.AddPublicApiRateLimiting();
+    builder.Services.AddPublicApiRateLimiting(builder.Configuration);
 
     var app = builder.Build();
 

api/appsettings.json

@@ -109,5 +109,27 @@
   "CvMatcherApi": {
     "BaseUrl": "",
     "InternalApiKey": ""
+  },
+  "RateLimiting": {
+    "Global": {
+      "PermitLimit": 120,
+      "Window": "00:01:00",
+      "QueueLimit": 0,
+      "AutoReplenishment": true
+    },
+    "Policies": {
+      "contact": {
+        "PermitLimit": 5,
+        "Window": "00:01:00",
+        "QueueLimit": 0,
+        "AutoReplenishment": true
+      },
+      "cv-matcher": {
+        "PermitLimit": 10,
+        "Window": "00:10:00",
+        "QueueLimit": 0,
+        "AutoReplenishment": true
+      }
+    }
   }
 }

shared-models/Settings/RateLimitingSettings.cs

@@ -0,0 +1,20 @@
+namespace Shared.Models.Settings
+{
+    public class RateLimitingSettings
+    {
+        public RateLimitPolicySettings Global { get; set; } = new();
+        public Dictionary<string, RateLimitPolicySettings> Policies { get; set; } = new();
+    }
+
+    public class RateLimitPolicySettings
+    {
+        public int PermitLimit { get; set; } = 100;
+
+        // Bound from configuration strings like "00:01:00" (1 minute) or "00:10:00" (10 minutes).
+        public TimeSpan Window { get; set; } = TimeSpan.FromMinutes(1);
+
+        public int QueueLimit { get; set; } = 0;
+
+        public bool AutoReplenishment { get; set; } = true;
+    }
+}

startup-helpers/RateLimitingExtensions.cs

@@ -1,17 +1,26 @@
 using System.Threading.RateLimiting;
 using Microsoft.AspNetCore.Builder;
 using Microsoft.AspNetCore.Http;
+using Microsoft.Extensions.Configuration;
 using Microsoft.Extensions.DependencyInjection;
 using Microsoft.Extensions.Logging;
+using Shared.Models.Settings;
 
 namespace StartupHelpers;
 
 public static class RateLimitingExtensions
 {
-    public static void AddPublicApiRateLimiting(this IServiceCollection services)
+    public static void AddPublicApiRateLimiting(
+        this IServiceCollection services,
+        IConfiguration configuration,
+        string sectionName = "RateLimiting")
     {
+        var settings = configuration.GetSection(sectionName).Get<RateLimitingSettings>()
+                       ?? new RateLimitingSettings();
+
         services.AddRateLimiter(options =>
         {
+            var global = settings.Global ?? new RateLimitPolicySettings();
             options.GlobalLimiter = PartitionedRateLimiter.Create<HttpContext, string>(httpContext =>
             {
                 var ip = httpContext.Connection.RemoteIpAddress?.ToString() ?? "unknown";
@@ -19,40 +28,32 @@ public static class RateLimitingExtensions
                     partitionKey: ip,
                     factory: _ => new FixedWindowRateLimiterOptions
                     {
-                        PermitLimit = 120,
-                        Window = TimeSpan.FromMinutes(1),
-                        QueueLimit = 0,
-                        AutoReplenishment = true
+                        PermitLimit = global.PermitLimit,
+                        Window = global.Window,
+                        QueueLimit = global.QueueLimit,
+                        AutoReplenishment = global.AutoReplenishment
                     });
             });
 
-            options.AddPolicy("contact", httpContext =>
+            foreach (var entry in settings.Policies)
             {
-                var ip = httpContext.Connection.RemoteIpAddress?.ToString() ?? "unknown";
-                return RateLimitPartition.GetFixedWindowLimiter(
-                    partitionKey: ip,
-                    factory: _ => new FixedWindowRateLimiterOptions
-                    {
-                        PermitLimit = 5,
-                        Window = TimeSpan.FromMinutes(1),
-                        QueueLimit = 0,
-                        AutoReplenishment = true
-                    });
-            });
+                var policyName = entry.Key;
+                var policy = entry.Value ?? new RateLimitPolicySettings();
 
-            options.AddPolicy("cv-matcher", httpContext =>
-            {
-                var ip = httpContext.Connection.RemoteIpAddress?.ToString() ?? "unknown";
-                return RateLimitPartition.GetFixedWindowLimiter(
-                    partitionKey: ip,
-                    factory: _ => new FixedWindowRateLimiterOptions
-                    {
-                        PermitLimit = 10,
-                        Window = TimeSpan.FromMinutes(10),
-                        QueueLimit = 0,
-                        AutoReplenishment = true
-                    });
-            });
+                options.AddPolicy(policyName, httpContext =>
+                {
+                    var ip = httpContext.Connection.RemoteIpAddress?.ToString() ?? "unknown";
+                    return RateLimitPartition.GetFixedWindowLimiter(
+                        partitionKey: ip,
+                        factory: _ => new FixedWindowRateLimiterOptions
+                        {
+                            PermitLimit = policy.PermitLimit,
+                            Window = policy.Window,
+                            QueueLimit = policy.QueueLimit,
+                            AutoReplenishment = policy.AutoReplenishment
+                        });
+                });
+            }
 
             options.RejectionStatusCode = StatusCodes.Status429TooManyRequests;
             options.OnRejected = async (context, ct) =>