Fix custom rate limiters ignored due to mountPath mismatch

[Copilot]

Custom rate limiters are registered with fullPath (mountPath + path) but looked up with only ctx.path, causing 43+ routes across /api, /oauth, and plugins to fall back to default limits instead of their stricter custom limits.

Changes

• defaultRateLimiter(): Construct fullPath identically to rateLimiter() before lookups
• Updated 3 references from ctx.path to fullPath:
  • RateLimiter.hasRateLimiter()
  • RateLimiter.getRateLimiter()
  • Consume key construction
• Updated metrics path tracking to use fullPath

Example

// Before: paths didn't match
rateLimiter() registers: "/api/documents.export" (mountPath + path)
defaultRateLimiter() lookups: "/documents.export" (path only)
→ Custom limiter never found, falls back to default

// After: paths match
const fullPath = `${ctx.mountPath ?? ""}${ctx.path}`;
rateLimiter() registers: "/api/documents.export"
defaultRateLimiter() lookups: "/api/documents.export"
→ Custom limiter correctly enforced

Impact

Routes like /api/documents.export (25 req/min), /api/teams.create (10 req/min), and other sensitive endpoints now enforce their intended strict limits instead of the permissive default.

Original prompt

---

This section details on the original issue you should resolve

<issue_title>[Detail Bug] Custom rate limiters ignored due to mountPath vs. path mismatch</issue_title>
<issue_description># Summary

• Context: The rate limiter middleware system has two components: rateLimiter() which registers custom rate limits for specific routes, and defaultRateLimiter() which enforces those limits globally.
• Bug: Custom rate limiters are registered using the full path (including mount path) but are looked up using only the context path, causing a path mismatch.
• Actual vs. expected: Custom rate limiters are never enforced; instead, the default rate limiter is always used even when custom limits are defined.
• Impact: All routes with custom rate limits (43+ routes across /api, /oauth, and plugin routes) are using incorrect rate limits, potentially allowing abuse on endpoints that should be more strictly limited.

Code with bug

// In defaultRateLimiter() - uses only ctx.path for lookup
export function defaultRateLimiter() {
  return async function rateLimiterMiddleware(ctx: Context, next: Next) {
    if (!env.RATE_LIMITER_ENABLED) {
      return next();
    }

    const key = RateLimiter.hasRateLimiter(ctx.path)  // <-- BUG 🔴 Uses only ctx.path
      ? `${ctx.path}:${ctx.ip}`
      : `${ctx.ip}`;
    const limiter = RateLimiter.getRateLimiter(ctx.path);  // <-- BUG 🔴 Uses only ctx.path

    try {
      await limiter.consume(key);
    } catch (rateLimiterRes) {
      // ... error handling
    }

    return next();
  };
}

// In rateLimiter() - registers using fullPath (mountPath + path)
export function rateLimiter(config: RateLimiterConfig) {
  return async function registerRateLimiterMiddleware(
    ctx: Context,
    next: Next
  ) {
    if (!env.RATE_LIMITER_ENABLED) {
      return next();
    }

    const fullPath = `${ctx.mountPath ?? ""}${ctx.path}`;  // <-- Constructs full path

    if (!RateLimiter.hasRateLimiter(fullPath)) {
      RateLimiter.setRateLimiter(
        fullPath,  // <-- Registers with full path including mount
        defaults(
          {
            ...config,
            points: config.requests,
          },
          {
            duration: 60,
            points: env.RATE_LIMITER_REQUESTS,
            keyPrefix: RateLimiter.RATE_LIMITER_REDIS_KEY_PREFIX,
            storeClient: Redis.defaultClient,
          }
        )
      );
    }

    return next();
  };
}

Evidence

Example

Consider a request to the /api/documents.export endpoint which has a custom rate limit of 25 requests per minute:

1. The API router is mounted at /api in server/services/web.ts:

   app.use(mount("/api", api));

2. When rateLimiter() middleware runs for the route:

   • ctx.mountPath = "/api"
   • ctx.path = "/documents.export"
   • fullPath = "/api/documents.export"
   • Registers rate limiter with key: "/api/documents.export"

3. When defaultRateLimiter() middleware runs to enforce the limit:

   • Uses ctx.path = "/documents.export" for lookup
   • RateLimiter.hasRateLimiter("/documents.export") returns false
   • Falls back to RateLimiter.defaultRateLimiter instead of the custom limiter
   • Uses consume key: "127.0.0.1" (IP only, not path-specific)

4. Result:

   • Expected: 25 requests per minute per IP per path
   • Actual: Default rate limit (typically much higher) per IP across all paths

Failing test

Test script

import { Context } from "koa";
import env from "@server/env";
import RateLimiter from "@server/utils/RateLimiter";
import { rateLimiter, defaultRateLimiter } from "./rateLimiter";

describe("rateLimiter middleware", () => {
  const originalRateLimiterEnabled = env.RATE_LIMITER_ENABLED;

  beforeEach(() => {
    // Enable rate limiter for tests
    env.RATE_LIMITER_ENABLED = true;
    // Clear the rate limiter map before each test
    RateLimiter.rateLimiterMap.clear();
  });

  afterEach(() => {
    // Restore original value
    env.RATE_LIMITER_ENABLED = originalRateLimiterEnabled;
  });

  it("should register and enforce custom rate limiter with matching paths", async () => {
    const customConfig = { duration: 60, requests: 5 };

    // Simulate the rateLimiter middleware registration
    const registerMiddleware = rateLimiter(customConfig);
    const mockCtx = {
      path: "/documents.export",
      mountPath: undefined, // No mount path
      ip: "127.0.0.1",
      set: jest.fn(),
      request: {},
    } as unknown as Context;

    await registerMiddleware(mockCtx, jest.fn());

    // Check if the rate limiter was registered
    const registeredPath = "/documents.export";
    expect(RateLimiter.hasRateLimiter(registeredPath)).toBe(true);

    // Simulate the defaultRateLimiter middleware lookup
    const limiter = RateLimiter.getRateLimiter(mockCtx.path);

    // Verify that the custom rate limiter is found
    expect(limiter).not.toBe(RateLimiter.default...

</details>



<!-- START COPILOT CODING AGENT SUFFIX -->

- Fixes outline/outline#10891

<!-- START COPILOT CODING AGENT TIPS -->
---

✨ Let Copilot coding agent [set things up for you](https://github.com/outline/outline/issues/new?title=✨+Set+up+Copilot+instructions&body=Configure%20instructions%20for%20this%20repository%20as%20documented%20in%20%5BBest%20practices%20for%20Copilot%20coding%20agent%20in%20your%20repository%5D%28https://gh.io/copilot-coding-agent-tips%29%2E%0A%0A%3COnboard%20this%20repo%3E&assignees=copilot) — coding agent works faster and does higher quality work when set up for your repo.

[CLAassistant]

Thank you for your submission! We really appreciate it. Like many open source projects, we ask that you sign our Contributor License Agreement before we can accept your contribution.
_{You have signed the CLA already but the status is still pending? Let us recheck it.}