Allow Configurable Rate-Limit Key Derivation in RateLimiter Middleware

[thzgajendra]

Problem Statement

The current RateLimiter middleware in gofr supports request limiting primarily based on IP address (PerIP flag).
While this works well for generic APIs, it is not sufficient for authentication and identity-based use cases such as:

• Login attempts per email
• OTP validation per user ID
• Password reset attempts per account
• API throttling per API key / tenant / user

At the moment, developers cannot easily apply rate limiting on identifiers other than IP without writing custom middleware or duplicating logic.

---

Current Limitation

RateLimiterConfig{
    RequestsPerSecond: 5,
    Burst:             10,
    PerIP:             true,
}

[sreenivasivbieb]

@coolwednesday @thzgajendra Hey Hi , I am working on this enhancement, I am also writing tests on the new enhancement any other changes that i also need to be consider pls feel free to share.

[sreenivasivbieb]

@coolwednesday can you assign this issue to me, I would like to work on it

[sreenivasivbieb]

Rate Limiter Enhancement Proposal

Problem

Current GoFr RateLimiter only supports IP-based limiting. Need support for email, user ID, API key, tenant, etc.

Solution

1. Updated Configuration

type RateLimiterConfig struct {
    RequestsPerSecond float64
    Burst             int
    PerIP             bool              // Keep for backward compatibility
    KeyExtractor      func(*gofr.Context) (string, error)  // NEW
}

2. Built-in Key Extractors

// Extract from header
func ExtractHeader(name string) KeyExtractor

// Extract from request body
func ExtractBody(field string) KeyExtractor

// Extract from URL params
func ExtractParam(name string) KeyExtractor

// Extract IP (default)
func ExtractIP(c *gofr.Context) (string, error)

3. Usage Examples

Login by Email:

app.POST("/login", RateLimiter(RateLimiterConfig{
    RequestsPerSecond: 5,
    Burst:             10,
    KeyExtractor:      ExtractBody("email"),
}), loginHandler)

OTP by User ID:

app.POST("/verify-otp", RateLimiter(RateLimiterConfig{
    RequestsPerSecond: 3,
    Burst:             5,
    KeyExtractor:      ExtractParam("user_id"),
}), otpHandler)

API Key Throttling:

app.Use(RateLimiter(RateLimiterConfig{
    RequestsPerSecond: 100,
    Burst:             200,
    KeyExtractor:      ExtractHeader("X-API-Key"),
}))

Backward Compatible (IP-based):

app.Use(RateLimiter(RateLimiterConfig{
    RequestsPerSecond: 10,
    Burst:             20,
    PerIP:             true,  // Works as before
}))

Benefits

• ✅ Solves all use cases (login, OTP, API keys, tenants)
• ✅ Backward compatible
• ✅ Simple to use
• ✅ Flexible for custom logic

[sreenivasivbieb]

@coolwednesday if you like the proposed sol can you assign the task to me