chore(guard): add metadata to rate limit error (#3292)

NathanFlurry · web-flow · commit 820b3805da71 · 2025-10-30T18:17:26.000-07:00
diff --git a/engine/packages/guard-core/src/errors.rs b/engine/packages/guard-core/src/errors.rs
@@ -1,9 +1,20 @@
 use rivet_error::*;
+use rivet_util::Id;
 use serde::{Deserialize, Serialize};
 
-#[derive(RivetError)]
-#[error("guard", "rate_limit", "Too many requests. Try again later.")]
-pub struct RateLimit;
+#[derive(RivetError, Serialize, Deserialize)]
+#[error(
+	"guard",
+	"rate_limit",
+	"Too many requests. Try again later.",
+	"Too many requests to '{method} {path}' (actor_id: {actor_id:?}) from IP {ip}."
+)]
+pub struct RateLimit {
+	pub actor_id: Option<Id>,
+	pub method: String,
+	pub path: String,
+	pub ip: String,
+}
 
 #[derive(RivetError, Serialize, Deserialize)]
 #[error(
diff --git a/engine/packages/guard-core/src/proxy_service.rs b/engine/packages/guard-core/src/proxy_service.rs
@@ -722,16 +722,31 @@ impl ProxyService {
 			None
 		};
 
-		// Extract IP address from remote_addr
-		let client_ip = self.remote_addr.ip();
+		// Extract IP address from X-Forwarded-For header or fall back to remote_addr
+		let client_ip = req
+			.headers()
+			.get(X_FORWARDED_FOR)
+			.and_then(|h| h.to_str().ok())
+			.and_then(|forwarded| {
+				// X-Forwarded-For can be a comma-separated list, take the first IP
+				forwarded.split(',').next().map(|s| s.trim())
+			})
+			.and_then(|ip_str| ip_str.parse::<std::net::IpAddr>().ok())
+			.unwrap_or_else(|| self.remote_addr.ip());
 
 		// Apply rate limiting
 		if !self
 			.state
 			.check_rate_limit(client_ip, &actor_id, req.headers())
 			.await?
 		{
-			return Err(errors::RateLimit.build());
+			return Err(errors::RateLimit {
+				actor_id,
+				method: req.method().to_string(),
+				path: path.clone(),
+				ip: client_ip.to_string(),
+			}
+			.build());
 		}
 
 		// Check in-flight limit
@@ -740,7 +755,13 @@ impl ProxyService {
 			.acquire_in_flight(client_ip, &actor_id, req.headers())
 			.await?
 		{
-			return Err(errors::RateLimit.build());
+			return Err(errors::RateLimit {
+				actor_id,
+				method: req.method().to_string(),
+				path: path.clone(),
+				ip: client_ip.to_string(),
+			}
+			.build());
 		}
 
 		// Increment metrics
