Rate Limiting in GoBetterAuth

Rate limiting protects your application from abuse such as password brute-forcing, credential stuffing, account enumeration and plain excessive API traffic. GoBetterAuth ships a built-in rate limiter so you can cap the flow of requests to your authentication endpoints without writing middleware yourself.

How Rate Limiting Works

Rate limiting caps the number of requests a client can make to an authentication endpoint within a time window; once the cap is reached, further requests in that window are rejected. On authentication endpoints this is the first line of defence against password guessing, credential stuffing and enumeration, and it stops one noisy client from starving the others.

GoBetterAuth's limiter is driven entirely by configuration: a global window and maximum, a choice of counting algorithm, a key prefix for the store, per-endpoint overrides, and the rules for how the client IP is determined.

Configuration

You configure rate limiting with the RateLimitConfig struct, passed to your main config via WithRateLimit:

type RateLimitConfig struct {
  Enabled       bool
  Window        time.Duration
  Max           int
  Algorithm     string
  Prefix        string
  CustomRules   map[string]RateLimitCustomRuleFunc
  IP            IPConfig
}
  • Enabled: Turns rate limiting on or off.
  • Window: The length of the window (e.g. 1 minute) within which at most Max requests are counted.
  • Max: The maximum number of requests a client may make in one window.
  • Algorithm: The counting algorithm. Currently "fixed-window"; others may be added. A fixed window counts against window boundaries, so a client that uses its Max just before a boundary and again just after can make up to 2×Max requests in a span much shorter than Window; size Max with that burst in mind.
  • Prefix: Prefix for the keys the limiter writes to its store, so counters do not collide with other data kept in the same store.
  • CustomRules: Per-endpoint overrides, keyed by path. Each entry is a function that receives the request and returns the rule (Window, Max, or Disabled) to apply to it.
  • IP: Which headers are consulted to determine the client IP. Only trust forwarding headers such as X-Forwarded-For when requests reach the server through a proxy you control; a client that connects directly can set those headers to any value and thereby escape its own counter or pollute another client's.

Basic Example

Here is a minimal example that enables rate limiting for all authentication endpoints. Window and Max are not set, so the library's defaults apply; in production set them explicitly so the effective limit is visible in your config:

import (
  gobetterauthconfig "github.com/GoBetterAuth/go-better-auth/config"
  gobetterauthmodels "github.com/GoBetterAuth/go-better-auth/models"
)

config := gobetterauthconfig.NewConfig(
  // Other config options...
  gobetterauthconfig.WithRateLimit(
    gobetterauthmodels.RateLimitConfig{
      Enabled:    true,
    },
  ),
)

Custom Rules Example

You can set custom rate limits for specific endpoints using CustomRules. Each rule is a function that receives the request and returns the rule to apply, so a limit can also depend on the request itself. The example below caps sign-ups at 5 per hour, independently of the global Window and Max:

import (
  "net/http"
  "time"

  gobetterauthconfig "github.com/GoBetterAuth/go-better-auth/config"
  gobetterauthmodels "github.com/GoBetterAuth/go-better-auth/models"
)

config := gobetterauthconfig.NewConfig(
  // Other config options...
  gobetterauthconfig.WithRateLimit(
    gobetterauthmodels.RateLimitConfig{
      Enabled: true,
      CustomRules: map[string]gobetterauthmodels.RateLimitCustomRuleFunc{
        // Sign-up is an email-sending, account-creating endpoint: keep it tight.
        "/auth/sign-up/email": func(req *http.Request) gobetterauthmodels.RateLimitCustomRule {
          return gobetterauthmodels.RateLimitCustomRule{
            Window: 1 * time.Hour,
            Max:    5,
          }
        },
      },
    },
  ),
)

Disabling Rate Limiting for Specific Endpoints

You can disable rate limiting for certain endpoints by returning a rule with Disabled set. Reserve this for cheap, read-only endpoints such as /auth/me; never disable it on an endpoint that accepts credentials, creates accounts or sends email:

import (
  "net/http"
  
  gobetterauthconfig "github.com/GoBetterAuth/go-better-auth/config"
  gobetterauthmodels "github.com/GoBetterAuth/go-better-auth/models"
)

config := gobetterauthconfig.NewConfig(
  // Other config options...
  gobetterauthconfig.WithRateLimit(
    gobetterauthmodels.RateLimitConfig{
      Enabled: true,
      CustomRules: map[string]gobetterauthmodels.RateLimitCustomRuleFunc{
        // Session lookups are read-only; exempt them from the limiter.
        "/auth/me": func(req *http.Request) gobetterauthmodels.RateLimitCustomRule {
          return gobetterauthmodels.RateLimitCustomRule{
            Disabled: true,
          }
        },
      },
    },
  ),
)
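To make the Algorithm, Prefix and CustomRules settings above concrete, here is a small in-memory fixed-window limiter written as an added example for this page. It is not GoBetterAuth's implementation and does not use its types: Rule, RuleFunc and Limiter are hypothetical names chosen to mirror RateLimitCustomRule, RateLimitCustomRuleFunc and RateLimitConfig. It shows how a per-path override (including Disabled) is resolved for a request, how the storage key is built from prefix, path and client IP, and the fixed-window reset at a wall-clock boundary, including the 2×Max burst that the boundary allows.

```go
package main

import (
	"fmt"
	"net/http"
	"sync"
	"time"
)

// Rule is the limit in force for one endpoint. The field names mirror the
// page's RateLimitCustomRule, but this type and everything below are an
// added illustration, not GoBetterAuth's own code.
type Rule struct {
	Window   time.Duration
	Max      int
	Disabled bool // true switches the limiter off for that endpoint
}

// RuleFunc decides the rule for a specific request (hypothetical counterpart
// of RateLimitCustomRuleFunc).
type RuleFunc func(*http.Request) Rule

type window struct {
	start time.Time // wall-clock boundary this counter belongs to
	count int
}

// Limiter is a hypothetical in-memory fixed-window limiter keyed on
// prefix + path + client IP.
type Limiter struct {
	mu       sync.Mutex
	prefix   string
	defaults Rule
	rules    map[string]RuleFunc // per-path overrides, like CustomRules
	now      func() time.Time    // injectable clock so tests can move time
	counters map[string]*window
}

func NewLimiter(prefix string, defaults Rule, rules map[string]RuleFunc, now func() time.Time) *Limiter {
	return &Limiter{prefix: prefix, defaults: defaults, rules: rules, now: now, counters: map[string]*window{}}
}

// RuleFor returns the override registered for the request path, else the defaults.
func (l *Limiter) RuleFor(r *http.Request) Rule {
	if f, ok := l.rules[r.URL.Path]; ok {
		return f(r)
	}
	return l.defaults
}

// Key is the storage key the counter lives under; the prefix keeps these
// entries apart from anything else in a shared store.
func (l *Limiter) Key(r *http.Request, clientIP string) string {
	return l.prefix + ":" + r.URL.Path + ":" + clientIP
}

// Allow reports whether the request fits in the current window. Deciding
// clientIP safely is a separate concern, so the caller passes it in.
func (l *Limiter) Allow(r *http.Request, clientIP string) bool {
	rule := l.RuleFor(r)
	if rule.Disabled {
		return true
	}
	// Fixed window: windows are aligned to multiples of rule.Window on the
	// wall clock, and a counter is reset the first time it is touched in a
	// new window. Consequence: Max requests just before a boundary plus Max
	// just after are all accepted, so up to 2*Max can land within seconds.
	start := l.now().Truncate(rule.Window)
	key := l.Key(r, clientIP)

	l.mu.Lock()
	defer l.mu.Unlock()
	w, ok := l.counters[key]
	if !ok || !w.start.Equal(start) {
		w = &window{start: start}
		l.counters[key] = w
	}
	if w.count >= rule.Max {
		return false
	}
	w.count++
	return true
}

// newRequest builds a constructed request for the given path.
func newRequest(path string) *http.Request {
	r, _ := http.NewRequest(http.MethodPost, path, nil)
	return r
}

func main() {
	l := NewLimiter("gba", Rule{Window: time.Minute, Max: 3}, map[string]RuleFunc{
		"/auth/sign-in/email": func(*http.Request) Rule { return Rule{Window: time.Minute, Max: 2} },
		"/auth/me":            func(*http.Request) Rule { return Rule{Disabled: true} },
	}, time.Now)
	req := newRequest("/auth/sign-in/email")
	for i := 1; i <= 3; i++ { // third attempt is rejected under the Max 2 override
		fmt.Printf("sign-in attempt %d from 10.0.0.1 allowed: %v\n", i, l.Allow(req, "10.0.0.1"))
	}
}
```

The boundary burst is the practical difference between "fixed-window" and a sliding-window or token-bucket algorithm: with Max 2 per minute, this limiter still accepts four sign-in attempts inside a single second if they straddle a minute boundary, which is why the Max on credential endpoints should be set lower than the rate you are actually willing to tolerate.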

Best Practices

  • Set stricter limits for sensitive endpoints like sign-in and sign-up, and likewise for password reset, email verification and anything else that accepts credentials or sends email or SMS; these are the targets of brute-force, enumeration and notification-bombing abuse.
  • Keep Window and Max explicit in your config rather than relying on defaults, so the effective limit can be reviewed.
  • Only trust client-IP headers that were set by a proxy you control. A limit keyed on a header the client can write is bypassed by changing the header per request.
  • Remember the fixed-window burst: up to 2×Max requests can arrive in well under one Window across a boundary, so choose Max below the rate you are actually prepared to tolerate.
  • Log or count rejected requests per endpoint; a spike is often the first visible sign of a credential-stuffing run.
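The client-IP point deserves a worked check. The function below is an added example, not GoBetterAuth's IPConfig handling and not its code: ClientIP, isTrusted and constructedRequest are hypothetical names, and the addresses are constructed sample data. It honours X-Forwarded-For only when the TCP peer is one of your own reverse proxies, and then reads the entry that the trusted hop appended rather than whatever the client put in the header itself.

```go
package main

import (
	"fmt"
	"net"
	"net/http"
	"strings"
)

// ClientIP returns the address a rate-limit counter should be keyed on.
// Added illustration (not GoBetterAuth's IPConfig): the X-Forwarded-For
// header is honoured only when the TCP peer is one of our own reverse
// proxies; from anyone else the header is attacker-controlled and ignored.
func ClientIP(r *http.Request, trustedProxies []string) string {
	peer, _, err := net.SplitHostPort(r.RemoteAddr)
	if err != nil { // RemoteAddr without a port, e.g. in some test setups
		peer = r.RemoteAddr
	}
	if !isTrusted(peer, trustedProxies) {
		return peer
	}
	// Each proxy appends the address it received the connection from, so the
	// header reads "client, proxy1, proxy2". Walk from the right, skipping our
	// own proxies; the first untrusted entry was appended by a trusted hop and
	// is therefore the real client, whatever the client itself put earlier.
	hops := strings.Split(r.Header.Get("X-Forwarded-For"), ",")
	for i := len(hops) - 1; i >= 0; i-- {
		h := strings.TrimSpace(hops[i])
		if h == "" || isTrusted(h, trustedProxies) {
			continue
		}
		if net.ParseIP(h) == nil { // malformed entry: never key on it
			return peer
		}
		return h
	}
	return peer // header absent, or it contained only our own proxies
}

func isTrusted(ip string, trusted []string) bool {
	for _, t := range trusted {
		if t == ip {
			return true
		}
	}
	return false
}

// constructedRequest builds a sample request with the given peer address and
// X-Forwarded-For value (constructed data for this example).
func constructedRequest(remoteAddr, xff string) *http.Request {
	r, _ := http.NewRequest(http.MethodPost, "/auth/sign-in/email", nil)
	r.RemoteAddr = remoteAddr
	if xff != "" {
		r.Header.Set("X-Forwarded-For", xff)
	}
	return r
}

func main() {
	proxies := []string{"10.0.0.5"} // our reverse proxy, assumed for the example
	direct := constructedRequest("198.51.100.7:51000", "203.0.113.9")
	viaProxy := constructedRequest("10.0.0.5:40000", "1.2.3.4, 203.0.113.9")
	fmt.Println("direct client spoofing XFF ->", ClientIP(direct, proxies))   // 198.51.100.7
	fmt.Println("client behind our proxy    ->", ClientIP(viaProxy, proxies)) // 203.0.113.9
}
```

Note the two failure modes it closes: a direct client that sends X-Forwarded-For is keyed on its real peer address, so it cannot rotate through fake IPs to reset its counter, and a client behind the proxy cannot prepend a victim's address to get that victim's counter charged.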
