Summary
The /api/search endpoint has no authentication or rate limiting. Any client can call it unlimited times, abusing the backend's UK Gov Fuel Finder API quota (which is rate-limited and OAuth-credentialled).
What to add
Option A — API key (simplest):
- Generate a static API key and store it in the `API_KEY` environment variable
- Validate the `Authorization: Bearer <key>` header in a Ktor plugin or route-level check
- Return `401 Unauthorized` if the key is missing or invalid
Option B — Per-client rate limiting:
- Add `ktor-server-rate-limit` or a custom in-memory token bucket per IP
- Limit to e.g. 60 requests/minute per IP
- Return `429 Too Many Requests` with a `Retry-After` header
Recommended: Implement Option A now (simple, immediate), add Option B before public launch.
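As an added illustration (not code from this repository), here is how both options could look in a Ktor 2.x application: a route-scoped plugin for the bearer-key check (Option A) wrapped by the bundled `RateLimit` plugin (Option B). It assumes the key is supplied via the `API_KEY` environment variable and uses a placeholder body in place of the real `/api/search` handler from `Routes.kt`.

```kotlin
import io.ktor.http.*
import io.ktor.server.application.*
import io.ktor.server.plugins.*
import io.ktor.server.plugins.ratelimit.*
import io.ktor.server.response.*
import io.ktor.server.routing.*
import java.security.MessageDigest
import kotlin.time.Duration.Companion.seconds

// Option A: route-scoped plugin that rejects any request whose
// Authorization header is not exactly "Bearer <API_KEY>".
val ApiKeyAuth = createRouteScopedPlugin(name = "ApiKeyAuth") {
    // Read once at install time; fail fast if the deployment forgot the key.
    val expected = (System.getenv("API_KEY") ?: error("API_KEY is not set")).toByteArray()
    onCall { call ->
        val presented = call.request.headers[HttpHeaders.Authorization]
            ?.takeIf { it.startsWith("Bearer ") }
            ?.removePrefix("Bearer ")
            ?.toByteArray()
        // Constant-time comparison: a plain == would leak, via timing,
        // how many leading bytes of a guessed key were correct.
        if (presented == null || !MessageDigest.isEqual(presented, expected)) {
            call.respond(HttpStatusCode.Unauthorized)
        }
    }
}

fun Application.configureSearchProtection() {
    // Option B: 60 requests per minute per client IP. When the bucket is
    // empty the plugin answers 429 Too Many Requests with a Retry-After header.
    install(RateLimit) {
        register(RateLimitName("search")) {
            rateLimiter(limit = 60, refillPeriod = 60.seconds)
            // remoteHost is the TCP peer; behind a reverse proxy install
            // XForwardedHeaders as well, or every client shares one bucket.
            requestKey { call -> call.request.origin.remoteHost }
        }
    }
    routing {
        rateLimit(RateLimitName("search")) {
            route("/api/search") {
                install(ApiKeyAuth)
                get {
                    // Placeholder for the existing search handler in Routes.kt.
                    call.respondText("search result placeholder")
                }
            }
        }
    }
}
```

The rate limiter is applied before the key check, so unauthenticated floods are throttled as well as rejected.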
Also consider
- Add request logging middleware to track usage patterns
- Set a maximum `radius` cap server-side (already validated to 0–50 in `Routes.kt` — good)
Workstream: WS1 Phase 1A / WS3