Rate Limiting

MealPal uses Valkey (Redis-compatible) for per-user rate limiting via fastapi-limiter.

Rate Limit Tiers

Tier	Per Minute	Per Day	Use Case
Unauthenticated	5	50	Prevent anonymous abuse
Free	10	100	Normal users
Premium	60	10,000	Power users

How It Works

1. Request comes in → extract user ID (or IP if anonymous)
2. Redis increments counter: INCR user:123:minute
3. Redis sets expiry: EXPIRE user:123:minute 60
4. If count > limit → 429 Too Many Requests
5. If count ≤ limit → request proceeds

Key Files

File	Purpose
backend/app/middleware/rate_limit.py	Core rate limiting logic
backend/app/config.py	Rate limit settings
backend/app/main.py	Init/shutdown rate limiter

Usage in Endpoints

from ...middleware.rate_limit import rate_limit, daily_limit

@router.post(
    "/analyze",
    dependencies=[Depends(rate_limit), Depends(daily_limit)]
)
async def analyze_meal(...):
    # Protected by both per-minute and daily limits
    ...

Error Response

{
  "detail": "Too Many Requests"
}

Headers include X-RateLimit-Limit, X-RateLimit-Remaining, X-RateLimit-Reset, and Retry-After.

Why Valkey?

Redis changed its license in 2024 (SSPL). Valkey is the Linux Foundation community fork — 100% Redis compatible, truly open source (BSD).