routes: skip rate limiting for trusted certificate holders

2026-02-18 08:42:25 +01:00
parent 283f87b9c4
commit c69290af2d
3 changed files with 102 additions and 87 deletions
--- a/app/init.py
+++ b/app/init.py
@@ -226,12 +226,23 @@ def setup_rate_limiting(app: Flask) -> None:
    from flask_limiter import Limiter
    from flask_limiter.util import get_remote_address

-    def is_health_endpoint() -> bool:
-        """Check if request is to health endpoint (exempt from rate limiting)."""
-        # Get configured URL prefix (e.g., "/paste")
+    def is_rate_limit_exempt() -> bool:
+        """Check if request is exempt from global rate limiting.
+
+        Exempt: health endpoint, trusted certificate holders.
+        """
        prefix = app.config.get("URL_PREFIX", "")
        health_path = f"{prefix}/health" if prefix else "/health"
-        return request.path == health_path
+        if request.path == health_path:
+            return True
+
+        # Trusted certificate holders bypass rate limiting
+        try:
+            from app.api.routes import get_client_id
+
+            return get_client_id() is not None
+        except Exception:
+            return False

    limiter = Limiter(
        key_func=get_remote_address,
@@ -239,7 +250,7 @@ def setup_rate_limiting(app: Flask) -> None:
        default_limits=["200 per day", "60 per hour"],
        storage_uri="memory://",
        strategy="fixed-window",
-        default_limits_exempt_when=is_health_endpoint,
+        default_limits_exempt_when=is_rate_limit_exempt,
    )

    # Store limiter on app for use in routes