Rate-limiting middleware requires AddRateLimiter

Article
08/31/2024

ASP.NET Core rate-limiting middleware has been updated with extra functionality. The middleware now requires services registered with AddRateLimiter.

Version introduced

ASP.NET Core 8.0 Preview 5

Previous behavior

Previously, rate limiting could be used without AddRateLimiter. For example, the middleware could be configured by calling Configure<RateLimiterOptions>(o => { }):

var builder = WebApplication.CreateBuilder(args);
builder.Services.Configure<RateLimiterOptions>(o => o
    .AddFixedWindowLimiter(policyName: "fixed", options =>
    {
        // configuration
    }));

var app = builder.Build();
app.UseRateLimiter();
app.MapGet("/", () => Results.Ok($"Hello world")).RequireRateLimiting("fixed");
app.Run();

New behavior

If AddRateLimiter is not called on app startup, ASP.NET Core throws an informative error:

Unable to find the required services. Please add all the required services by calling 'IServiceCollection.AddRateLimiter' in the application startup code.

Type of breaking change

This change is a behavioral change.

Reason for change

Rate-limiting middleware requires services that are only registered by calling AddRateLimiter.

Recommended action

Ensure that AddRateLimiter is called at application startup.

For example, update Configure<RateLimiterOptions>(o => { }) to use AddRateLimiter:

var builder = WebApplication.CreateBuilder(args);
builder.Services.AddRateLimiter(o => o
    .AddFixedWindowLimiter(policyName: "fixed", options =>
    {
        // configuration
    }));

var app = builder.Build();
app.UseRateLimiter();
app.MapGet("/", () => Results.Ok($"Hello world")).RequireRateLimiting("fixed");
app.Run();

Affected APIs

Microsoft.AspNetCore.Builder.RateLimiterApplicationBuilderExtensions.UseRateLimiter

Share via