Class: Otto::MCP::RateLimiter

Inherits:
Security::RateLimiting show all
Defined in:
lib/otto/mcp/rate_limiting.rb

Overview

Rate limiter for MCP protocol endpoints

Class Method Summary collapse

Class Method Details

.configure_mcp_loggingObject 



113
114
115
116
117
118
119
120
121
122
123
124
125
126
 
# File 'lib/otto/mcp/rate_limiting.rb', line 113

def self.configure_mcp_logging
  return unless defined?(ActiveSupport::Notifications)

  ActiveSupport::Notifications.subscribe('rack.attack') do |_name, _start, _finish, _request_id, payload|
    req      = payload[:request]
    endpoint = req.env['otto.mcp_http_endpoint'] || '/_mcp'

    if req.path.start_with?(endpoint)
      Otto.logger.warn "[MCP] Rate limit #{payload[:match_type]} for #{req.ip}: #{payload[:matched]}"
    else
      Otto.logger.warn "[Otto] Rate limit #{payload[:match_type]} for #{req.ip}: #{payload[:matched]}"
    end
  end
end

.configure_mcp_responsesObject 



59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
 
# File 'lib/otto/mcp/rate_limiting.rb', line 59

def self.configure_mcp_responses
  # Override throttled responder to provide JSON-RPC formatted responses for MCP requests
  Rack::Attack.throttled_responder = lambda do |request|
    match_data = request.env['rack.attack.match_data']
    now        = match_data[:epoch_time]

    headers = {
      'content-type' => 'application/json',
      'retry-after' => (match_data[:period] - (now % match_data[:period])).to_s,
    }

    # Check if this is an MCP request
    endpoint = request.env['otto.mcp_http_endpoint'] || '/_mcp'
    if request.path.start_with?(endpoint)
      # JSON-RPC error response for MCP
      error_response = {
        jsonrpc: '2.0',
        id: nil,
        error: {
          code: -32_000,
          message: 'Rate limit exceeded',
          data: {
            retry_after: headers['retry-after'].to_i,
            limit: match_data[:limit],
            period: match_data[:period],
          },
        },
      }
      [429, headers, [JSON.generate(error_response)]]
    else
      # Use the general rate limiting response for non-MCP requests
      # Route's response_type takes precedence over Accept header
      route_def = request.env['otto.route_definition']
      wants_json = (route_def&.response_type == 'json') ||
                   request.env['HTTP_ACCEPT'].to_s.include?('application/json')

      if wants_json
        error_response = {
          error: 'Rate limit exceeded',
          message: 'Too many requests',
          retry_after: headers['retry-after'].to_i,
          limit: match_data[:limit],
          period: match_data[:period],
        }
        [429, headers, [JSON.generate(error_response)]]
      else
        body                    = "Rate limit exceeded. Retry after #{headers['retry-after']} seconds."
        headers['content-type'] = 'text/plain'
        [429, headers, [body]]
      end
    end
  end
end

.configure_mcp_rules(config) ⇒ Object 



31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
 
# File 'lib/otto/mcp/rate_limiting.rb', line 31

def self.configure_mcp_rules(config)
  # MCP endpoint requests - 60 per minute by default
  mcp_requests_limit = config[:mcp_requests_per_minute] || 60

  Rack::Attack.throttle('mcp_requests', limit: mcp_requests_limit, period: 60) do |request|
    endpoint = request.env['otto.mcp_http_endpoint'] || '/_mcp'
    request.ip if request.path.start_with?(endpoint)
  end

  # Tool calls are more expensive - 20 per minute by default
  tool_calls_limit = config[:tool_calls_per_minute] || 20

  Rack::Attack.throttle('mcp_tool_calls', limit: tool_calls_limit, period: 60) do |request|
    endpoint = request.env['otto.mcp_http_endpoint'] || '/_mcp'
    if request.path.start_with?(endpoint) && request.post?
      begin
        body = request.body.read
        data = JSON.parse(body)
        request.ip if data['method'] == 'tools/call'
      rescue JSON::ParserError
        nil
      ensure
        request.body.rewind if request.body.respond_to?(:rewind)
      end
    end
  end
end

.configure_rack_attack!(config = {}) ⇒ Object 



19
20
21
22
23
24
25
26
27
28
29
 
# File 'lib/otto/mcp/rate_limiting.rb', line 19

def self.configure_rack_attack!(config = {})
  return unless defined?(Rack::Attack)

  # Start with base configuration from general rate limiting
  super

  # Add MCP-specific rules
  configure_mcp_rules(config)
  configure_mcp_responses
  configure_mcp_logging
end