mocode-software/meldestelle
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
834c92dcb2
meldestelle/docs/API_GATEWAY_ENHANCEMENTS.md
stefan f8eade8091 (fix) Umbau zu SCS 
### API-Gateway erweitern
- Bestehenden API-Gateway-Service mit zusätzlichen Funktionen ausstatten:
    - Rate Limiting implementieren
    - Request/Response Logging verbessern
    - Cross-Service Tracing mit eindeutigen Request-IDs einführen
2025-07-21 17:17:40 +02:00

6.4 KiB
Raw Blame History

API Gateway Enhancements

This document describes the enhancements made to the API Gateway service, including rate limiting, improved request/response logging, and cross-service tracing with unique request IDs.

Table of Contents

  1. Rate Limiting
  2. Request/Response Logging
  3. Cross-Service Tracing
  4. Testing and Verification

Rate Limiting

The API Gateway now includes enhanced rate limiting capabilities to protect the API from abuse and ensure fair usage.

Features

  • Global Rate Limiting: Limits the total number of requests across all endpoints
  • Endpoint-Specific Rate Limiting: Different limits for different API endpoints
  • User-Type-Specific Rate Limiting: Different limits based on user type (anonymous, authenticated, admin)
  • Sophisticated Request Key Generation: Uses IP address, user agent, and user ID for more precise rate limiting
  • Rate Limit Headers: Informs clients about rate limits and remaining requests

Configuration

Rate limiting can be configured in the application properties:

# Enable/disable rate limiting
ratelimit.enabled=true

# Global rate limit settings
ratelimit.global.limit=100
ratelimit.global.periodMinutes=1

# Include rate limit headers in responses
ratelimit.includeHeaders=true

# Endpoint-specific rate limits can be configured in AppConfig.kt

Response Headers

When rate limiting is enabled, the following headers are included in responses:

  • X-RateLimit-Enabled: Indicates if rate limiting is enabled
  • X-RateLimit-Limit: The global rate limit
  • X-RateLimit-Policy: Description of the rate limit policy
  • X-RateLimit-Endpoint: The endpoint being rate limited (if applicable)
  • X-RateLimit-Endpoint-Limit: The limit for the specific endpoint (if applicable)
  • X-RateLimit-Endpoint-Period: The period for the specific endpoint (if applicable)
  • X-RateLimit-UserType: The user type (if authenticated)
  • X-RateLimit-UserType-Limit: The limit for the user type (if authenticated)
  • X-RateLimit-UserType-Period: The period for the user type (if authenticated)
  • Retry-After: Seconds to wait before retrying (if rate limited)

Request/Response Logging

The API Gateway now includes enhanced request and response logging to provide better visibility into API usage and performance.

Features

  • Structured Logging: JSON-like structured logging format for easier parsing
  • Sensitive Data Filtering: Masks sensitive information in logs (passwords, tokens, etc.)
  • Performance Metrics: Includes memory usage and other performance metrics
  • Configurable Logging Levels: Different logging levels for different environments
  • Request/Response Correlation: Links requests and responses with unique request IDs

Configuration

Logging can be configured in the application properties:

# Logging level
logging.level=INFO

# Request/response logging
logging.requests=true
logging.responses=true

# Request header/parameter logging
logging.request.headers=true
logging.request.parameters=true

# Response header logging
logging.response.headers=true
logging.response.time=true

# Structured logging
logging.structured=true

# Exclude paths from logging
logging.exclude.paths=/health,/metrics,/favicon.ico

Sensitive Data Filtering

The following types of data are automatically masked in logs:

  • Authorization headers
  • Cookies
  • API keys
  • Passwords
  • Tokens
  • Other sensitive parameters (configurable)

Cross-Service Tracing

The API Gateway now includes enhanced cross-service tracing capabilities to track requests across multiple services.

Features

  • Unique Request IDs: Generates unique request IDs with context information
  • Request ID Propagation: Propagates request IDs to downstream services
  • Additional Tracing Headers: Includes additional headers for better correlation
  • W3C Trace Context Compatibility: Compatible with the W3C Trace Context standard
  • Enhanced Logging: Includes tracing information in logs

Request ID Format

Request IDs now include more context information:

req-{environment}-{service}-{timestamp}-{uuid}

Example:

req-prod-gateway-1627384950123-550e8400-e29b-41d4-a716-446655440000

Tracing Headers

The following headers are included in responses:

  • X-Request-ID: The unique request ID
  • X-Correlation-ID: Same as the request ID, for compatibility
  • X-Request-Start-Time: When the request started
  • X-Service-Name: The name of the service
  • X-Service-Version: The version of the service
  • X-Response-Time: How long the request took to process
  • traceparent: W3C Trace Context compatible trace parent header

Testing and Verification

Rate Limiting

To test rate limiting:

  1. Send multiple requests to the same endpoint in quick succession
  2. Observe the rate limit headers in the responses
  3. After exceeding the rate limit, you should receive a 429 Too Many Requests response
  4. Check the logs for rate limit exceeded messages

Example using curl:

# Send multiple requests
for i in {1..150}; do
  curl -i -X GET http://localhost:8080/api/v1/events
done

Request/Response Logging

To verify enhanced logging:

  1. Send requests to various endpoints
  2. Check the logs for structured log entries
  3. Verify that sensitive data is properly masked
  4. Check for performance metrics in the logs

Example log entry:

timestamp=2025-07-21T16:45:23.456 method=GET path=/api/v1/events status=200 client=127.0.0.1 requestId=req-prod-gateway-1627384950123-550e8400-e29b-41d4-a716-446655440000 duration=42ms memoryUsage=1234567b

Cross-Service Tracing

To verify cross-service tracing:

  1. Send a request to an endpoint that calls other services
  2. Check the response headers for tracing headers
  3. Verify that the request ID is propagated to downstream services
  4. Check the logs for correlated request and response entries

Example using curl:

# Send a request and check headers
curl -i -X GET http://localhost:8080/api/v1/events

Look for headers like:

X-Request-ID: req-prod-gateway-1627384950123-550e8400-e29b-41d4-a716-446655440000
X-Correlation-ID: req-prod-gateway-1627384950123-550e8400-e29b-41d4-a716-446655440000
X-Request-Start-Time: 1627384950123
X-Service-Name: API Gateway
X-Service-Version: 1.0.0
X-Response-Time: 42
traceparent: 00-550e8400e29b41d4a716446655440000-abcdef0123456789-01