Endpoints that do not require authentication should have a reasonable global limit (fixed/sliding window). Authenticated endpoints should rate limit on a per-user basis (possibly with an additional, much higher global rate limit). The exact rate limit will differ depending on the expected use (e.g. …client/v3/rooms/{roomId}/send/… will have a higher limit compared to …/client/v3/login).
A process-only approach is probably reasonable to start (don't need to persist users' current progress towards a limit). All rate limits should be configurable.
Initial implementation of per-endpoint rate limits.
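The scheme described above (global sliding window for unauthenticated endpoints, per-user plus a much higher global limit for authenticated ones, in-memory only, configurable per endpoint) as an added illustration; this is example code, not the project's own implementation, and the endpoint names, limit values and `clock` parameter are assumptions chosen for the demo.

```python
import time
from collections import defaultdict, deque
from dataclasses import dataclass


@dataclass(frozen=True)
class Limit:
    max_requests: int
    window_seconds: float


# Constructed per-endpoint configuration (illustrative numbers, not from any real server).
# Unauthenticated endpoints get one global bucket; authenticated endpoints get a
# per-user bucket plus a much larger global bucket that caps total load.
ENDPOINT_LIMITS = {
    "/client/v3/login": {"global": Limit(10, 60)},
    "/client/v3/rooms/{roomId}/send": {"per_user": Limit(100, 60), "global": Limit(10000, 60)},
}


class SlidingWindowLimiter:
    """Process-local sliding-window limiter: counters live in memory and are not persisted."""

    def __init__(self, limits=ENDPOINT_LIMITS, clock=time.monotonic):
        self._limits = limits
        self._clock = clock  # injectable so tests can advance time deterministically
        self._hits = defaultdict(deque)  # bucket key -> timestamps of admitted requests

    def _has_capacity(self, key, limit, now):
        q = self._hits[key]
        while q and q[0] <= now - limit.window_seconds:  # drop hits outside the window
            q.popleft()
        return len(q) < limit.max_requests

    def allow(self, endpoint, user_id=None):
        """Return True and record the hit if every applicable bucket has room; unknown endpoints pass."""
        now = self._clock()
        cfg = self._limits.get(endpoint, {})
        buckets = []
        if "per_user" in cfg and user_id is not None:
            buckets.append((("user", endpoint, user_id), cfg["per_user"]))
        if "global" in cfg:
            buckets.append((("global", endpoint), cfg["global"]))
        # Check all buckets first so a rejected request consumes no quota anywhere.
        if not all(self._has_capacity(k, lim, now) for k, lim in buckets):
            return False
        for k, _ in buckets:
            self._hits[k].append(now)
        return True
```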