fix: Retry-After header now uses actual limiter window

Previously the Retry-After header was hardcoded to "60" seconds
regardless of the rate limiter's actual window duration. Now uses
the limiter's configured window (e.g., 600 seconds for recovery
endpoints, 300 for exports).

Related to #579
This commit is contained in:
rcourtman 2025-12-16 10:07:03 +00:00
parent a028f312de
commit e41b805de2

View file

@ -158,8 +158,8 @@ func UniversalRateLimitMiddleware(next http.Handler) http.Handler {
// Check rate limit
if !limiter.Allow(ip) {
// Add retry-after header
w.Header().Set("Retry-After", "60")
// Add retry-after header matching the limiter's actual window
w.Header().Set("Retry-After", strconv.Itoa(int(limiter.window.Seconds())))
w.Header().Set("X-RateLimit-Limit", strconv.Itoa(limiter.limit))
w.Header().Set("X-RateLimit-Remaining", "0")
w.Header().Set("X-RateLimit-Reset", time.Now().Add(limiter.window).Format(time.RFC3339))