feat: add slowapi rate limiting

backend/app/main.py

@@ -9,11 +9,15 @@ from contextlib import asynccontextmanager
 from fastapi import FastAPI
 from fastapi.middleware.cors import CORSMiddleware
 from fastapi.staticfiles import StaticFiles
-from fastapi.responses import FileResponse
+from fastapi.responses import FileResponse, JSONResponse
 from sqlalchemy import select
 from sqlalchemy.exc import SQLAlchemyError
 
+from slowapi.errors import RateLimitExceeded
+from slowapi.middleware import SlowAPIMiddleware
+
 from app.config import get_settings
+from app.rate_limit import limiter
 from app.database import init_db, get_db
 from app.rag.vectorstore import get_chroma_client
 
@@ -63,6 +67,16 @@ app = FastAPI(
     lifespan=lifespan,
 )
 
+app.state.limiter = limiter
+app.add_exception_handler(
+    RateLimitExceeded,
+    lambda request, exc: JSONResponse(
+        status_code=429,
+        content={"detail": "Rate limit exceeded. Please try again later."},
+    ),
+)
+app.add_middleware(SlowAPIMiddleware)
+
 # ── CORS (allow frontend dev server) ─────────────────
 app.add_middleware(
     CORSMiddleware,

backend/app/rate_limit.py

@@ -0,0 +1,24 @@
+"""
+SlowAPI rate limiting configuration.
+"""
+from fastapi import Request
+from slowapi import Limiter
+from slowapi.util import get_remote_address
+
+
+def rate_limit_key_func(request: Request) -> str:
+    """Use authenticated user id when available, otherwise fall back to client IP."""
+    authorization = request.headers.get("authorization", "")
+    if authorization.lower().startswith("bearer "):
+        try:
+            from app.auth import decode_token
+
+            user_id = decode_token(authorization.split(" ", 1)[1])
+            if user_id:
+                return f"user:{user_id}"
+        except Exception:
+            pass
+    return f"ip:{get_remote_address(request)}"
+
+
+limiter = Limiter(key_func=rate_limit_key_func)

backend/app/routes/chat.py

@@ -5,7 +5,7 @@ import json
 import logging
 from typing import Optional
 
-from fastapi import APIRouter, Depends, HTTPException
+from fastapi import APIRouter, Depends, HTTPException, Request
 from fastapi.responses import StreamingResponse
 from sqlalchemy.orm import Session
 
@@ -14,6 +14,7 @@ from app.models import User, ChatMessage, Document
 from app.schemas import ChatRequest, ChatResponse, ChatMessageResponse, ChatHistoryResponse, SourceChunk
 from app.auth import get_current_user
 from app.rag.agent import generate_answer, generate_answer_stream
+from app.rate_limit import limiter
 
 logger = logging.getLogger(__name__)
 
@@ -21,7 +22,9 @@ router = APIRouter(prefix="/chat", tags=["Chat"])
 
 
 @router.post("/ask", response_model=ChatResponse)
+@limiter.limit("10/minute")
 def ask_question(
+    request: Request,
     payload: ChatRequest,
     user: User = Depends(get_current_user),
     db: Session = Depends(get_db),
@@ -88,7 +91,9 @@ def ask_question(
 
 
 @router.post("/ask/stream")
+@limiter.limit("10/minute")
 def ask_question_stream(
+    request: Request,
     payload: ChatRequest,
     user: User = Depends(get_current_user),
     db: Session = Depends(get_db),

backend/requirements.txt

@@ -40,6 +40,7 @@ huggingface-hub
 
 # Production
 gunicorn
+slowapi
 
 # File Validation
 #sudo apt-get install libmagic1 // for Debian/Ubuntu