Summary
Toggling sources a couple of times is enough to trigger HTTP 429 responses from the MeshMonitor API, rendering the application unusable until the 15-minute rate limit window expires. A page refresh does not help — the block persists until the window resets.
Steps to reproduce
- Open MeshMonitor with multiple sources configured (e.g., MQTT + LoRa)
- Toggle a source on/off a few times in quick succession
- Observe HTTP 429 responses — the UI becomes unresponsive/broken
Root cause analysis
Each source toggle causes the UI to fire a large burst of simultaneous API requests (nodes, messages, channels, map data, route segments, etc. all refetch at once). The general API rate limiter is set to 1000 requests per 15-minute window (rateLimiters.ts). With ~50+ requests per toggle, hitting the limit in just a handful of toggles is easily reproducible.
This is compounded if running behind a reverse proxy without TRUST_PROXY=1 set — in that case all requests share a single bucket keyed to the proxy IP regardless of the number of users (though in this case the reporter is a single user).
Expected behavior
UI-driven navigation actions like source toggling should not be capable of exhausting the rate limit under normal use.
Suggested fix
- Debounce/batch API refetches triggered by source toggling — coalesce the burst into a single invalidation cycle rather than firing all queries simultaneously
- Consider exempting or raising limits for internal UI navigation endpoints, or introducing a separate higher limit for bulk-read operations vs. write/send operations
- Document TRUST_PROXY=1 more prominently for reverse proxy deployments
Environment
- MeshMonitor version: v4.11.6
- Deployment: behind a reverse proxy
- TRUST_PROXY not set
Authored by NodeZero 0️⃣
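The shared-bucket effect described in the root cause analysis, as an added example that is not part of the original issue or MeshMonitor's code: a minimal fixed-window limiter using the issue's limit of 1000 requests per 15 minutes, with a simplified hop-count model of proxy trust. The addresses, the figure of 50 requests per toggle, and all function names are assumptions made for illustration.

```typescript
// Added illustration, not MeshMonitor's rateLimiters.ts. Limits come from the issue;
// addresses and the 50-requests-per-toggle figure are constructed sample values.
const WINDOW_MS = 15 * 60 * 1000;
const MAX_REQUESTS = 1000;
const REQUESTS_PER_TOGGLE = 50;
const PROXY_ADDR = "10.0.0.2"; // constructed reverse-proxy address

interface Req { socketAddr: string; forwardedFor?: string }
interface Bucket { start: number; count: number }

// Simplified model of hop-count proxy trust: with N trusted hops the client is
// the Nth entry from the right of X-Forwarded-For; with 0 it is the socket peer.
function clientKey(req: Req, trustedHops: number): string {
  if (trustedHops < 1 || !req.forwardedFor) return req.socketAddr;
  const chain = req.forwardedFor.split(",").map((s) => s.trim()).filter((s) => s.length > 0);
  if (chain.length === 0) return req.socketAddr;
  return chain[Math.max(0, chain.length - trustedHops)];
}

class FixedWindowLimiter {
  private buckets: { [key: string]: Bucket } = {};

  // Returns the status the request would receive: 200 or 429.
  hit(key: string, nowMs: number): number {
    const b = this.buckets[key];
    if (!b || nowMs - b.start >= WINDOW_MS) {
      this.buckets[key] = { start: nowMs, count: 1 };
      return 200;
    }
    b.count += 1;
    return b.count > MAX_REQUESTS ? 429 : 200;
  }
}

// Every user toggles `togglesEach` times through the same proxy; returns 429s per user.
function simulate(users: string[], togglesEach: number, trustedHops: number): { [user: string]: number } {
  const limiter = new FixedWindowLimiter();
  const rejected: { [user: string]: number } = {};
  let now = 0;
  for (const user of users) rejected[user] = 0;
  for (let t = 0; t < togglesEach; t++) {
    for (const user of users) {
      for (let r = 0; r < REQUESTS_PER_TOGGLE; r++, now += 10) {
        const req: Req = { socketAddr: PROXY_ADDR, forwardedFor: user };
        if (limiter.hit(clientKey(req, trustedHops), now) === 429) rejected[user] += 1;
      }
    }
  }
  return rejected;
}
```

With no trusted hop, `simulate` with three users at ten toggles each puts all 1500 requests in the proxy's bucket and every user starts receiving 429s; with one trusted hop each user has a separate bucket and none are rejected. Forwarded headers should only be trusted when the service is actually reachable solely through the proxy, since a directly connected client can set `X-Forwarded-For` itself.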