Fix/wallet rate limiter unused by deltron-fr · Pull Request #288 · Suncrest-Labs/nester

deltron-fr · 2026-04-24T19:52:03Z

Closes #252

Summary

Wires the existing but unused middleware.WalletRateLimiter into the production chain in cmd/api/main.go, immediately after Authenticate so the bucket is keyed by the wallet address in the JWT claims (not the caller's IP). A single wallet can no longer bypass rate limits by rotating IPs across VPNs, proxies, or Tor.
Adds RATELIMIT_WALLET_LIMIT (default 60) and RATELIMIT_WALLET_WINDOW (default 1m) to config with the same validation as the existing global and write limits. Documented in .env.example.
Adds a walletKeyFromContext helper that pulls the wallet from the authenticated auth.User; unauthenticated requests produce an empty key and pass through the wallet limiter (public routes are still covered by the IP and write limiters that wrap the chain outside of auth).

drips-wave · 2026-04-24T19:53:19Z

@deltron-fr Great news! 🎉 Based on an automated assessment of this PR, the linked Wave issue(s) no longer count against your application limits.

You can now already apply to more issues while waiting for a review of this PR. Keep up the great work! 🚀

deltron-fr added 2 commits April 24, 2026 19:42

fix(api): replace wildcard CORS with origin allowlist

d54c393

fix(api): enforce per-wallet rate limiting on authenticated routes

6bab1bb

deltron-fr requested a review from 0xDeon as a code owner April 24, 2026 19:52