From e41b805de2294e729d32a4cf3a26adb142df5aaa Mon Sep 17 00:00:00 2001 From: rcourtman Date: Tue, 16 Dec 2025 10:07:03 +0000 Subject: [PATCH] fix: Retry-After header now uses actual limiter window Previously the Retry-After header was hardcoded to "60" seconds regardless of the rate limiter's actual window duration. Now uses the limiter's configured window (e.g., 600 seconds for recovery endpoints, 300 for exports). Related to #579 --- internal/api/rate_limit_config.go | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/internal/api/rate_limit_config.go b/internal/api/rate_limit_config.go index 21cabb5..3aad91e 100644 --- a/internal/api/rate_limit_config.go +++ b/internal/api/rate_limit_config.go @@ -158,8 +158,8 @@ func UniversalRateLimitMiddleware(next http.Handler) http.Handler { // Check rate limit if !limiter.Allow(ip) { - // Add retry-after header - w.Header().Set("Retry-After", "60") + // Add retry-after header matching the limiter's actual window + w.Header().Set("Retry-After", strconv.Itoa(int(limiter.window.Seconds()))) w.Header().Set("X-RateLimit-Limit", strconv.Itoa(limiter.limit)) w.Header().Set("X-RateLimit-Remaining", "0") w.Header().Set("X-RateLimit-Reset", time.Now().Add(limiter.window).Format(time.RFC3339))