TZUTC: -0800   
   MSGID: 54372.syncprog@1:103/705 2deb7f16   
   PID: Synchronet 3.21b-Linux master/5c73d262c Jan 21 2026 GCC 12.2.0   
   TID: SBBSecho 3.36-Linux master/cad77a5d2 Feb 05 2026 GCC 12.2.0   
   BBSID: VERT   
   CHRS: ASCII 1   
   FORMAT: flowed   
   https://gitlab.synchro.net/main/sbbs/-/commit/bd375c1e4077420ff7f9148e   
   Added Files:   
   	src/sbbs3/ratelimit.hpp   
   Modified Files:   
   	src/sbbs3/sbbs_ini.c websrvr.cpp websrvr.h   
   Log Message:   
   Add a basic and optional rate limiter, initially just for HTTP[S] requests   
      
   This is experimental - I'm a little uneasy about the threadsafety and may need   
   to add some mutex protection, but testing will help to know.   
      
   I'm also a little uneasy about the memory usage. My original idea was to use   
   an array or vector with a element for every second in the rate limit period,   
   each element would be an unordered_map with the IP address as the key and the   
   count (of requests) in that second as the value. This would limit the memory   
   usage to period * IPs. The process of trimming or wrapping array to   
   automatically "throw out" seconds beyond the rate limit period wasn't clear   
   to me yet.   
      
   However, as I started to type the implementation, Co-pilot recommended this   
   approach which simplier: it uses an unordered_map with the IP for the key, but   
   the value is an array of times of each request from each client. So the   
   memory requirements are IPs * max_requests_per_period * period. It's still   
   bounded, but a larger possible total amount of memory required. The cleanup   
   operation is now clear though and Co-pilot implemented that for me as well.   
      
   Enable this feature by setting in the following keys in the [Web] section of   
   ctrl/sbbs.ini:   
    - MaxRequestPerPeriod   
    - RequestRateLimitPeriod   
      
   e.g. setting MaxRequestPerPeriod to 1000 and RequestRateLimitPeriod to 600   
   would set the maximum request rate to 1000 requests per 10 minutes.   
      
   If this works well, we can use this same rate limiter for other actions   
   (e.g. connections) and servers and could have separate rate limits for   
   authenticated versus unauthenticated users, apply whitelists, etc.   
   --- SBBSecho 3.36-Linux   
    * Origin: Vertrauen - [vert/cvs/bbs].synchro.net (1:103/705)   
   SEEN-BY: 103/705 105/81 106/201 124/5016 128/187 129/14 153/757 7715   
   SEEN-BY: 154/10 30 110 203/0 218/700 221/0 226/30 227/114 229/110   
   SEEN-BY: 229/134 206 317 400 426 428 470 700 705 240/1120 5832 263/1   
   SEEN-BY: 266/512 280/464 5003 5006 291/111 292/8125 301/1 320/219   
   SEEN-BY: 322/757 341/66 234 342/200 396/45 423/120 460/58 256 1124   
   SEEN-BY: 633/280 712/848 770/1 902/26 5020/400 8912 5054/30 5075/35   
   PATH: 103/705 280/464 460/58 229/426