Add configurable API rate limits with subtabs in settings (v0.10.0)

- Make rate limiting configurable via WordPress options
- Add subtabs to API settings: General, Rate Limits, Endpoints
- Add HTTP method badges for endpoint documentation
- Update CHANGELOG with rate limiting configuration details

Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
2026-02-03 21:50:12 +01:00
parent 481495805b
commit b701d127f8
5 changed files with 420 additions and 140 deletions

@@ -46,21 +46,25 @@ and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0
- Pricing API:
- `POST /wp-bnb/v1/pricing/calculate` - Full price calculation with services
- `GET /wp-bnb/v1/pricing/seasons` - Get configured seasons and pricing modifiers
- API Settings tab in plugin settings:
- Enable/disable REST API toggle
- Enable/disable rate limiting toggle
- Endpoint documentation table
- Authentication instructions
- API Settings tab in plugin settings with three subtabs:
- General subtab: Enable/disable REST API, rate limiting toggle, API information
- Rate Limits subtab: Configurable time window and endpoint-specific limits
- Endpoints subtab: Full endpoint documentation with HTTP method badges
- Configurable rate limiting:
- Time window setting (10-300 seconds, default 60)
- Per-endpoint-type limits (public, availability, booking, admin)
- Settings stored in WordPress options, defaults maintained in code
### Changed
- Plugin.php updated to initialize REST API on `rest_api_init` hook
- Settings page now has seven tabs: General, Pricing, License, Updates, Metrics, API
- README.md updated with comprehensive REST API documentation
- RateLimiter class now loads limits from WordPress options with fallback defaults
### Security
- Rate limiting: public (60/min), availability (30/min), booking (10/min), admin (120/min)
- Rate limiting: configurable per endpoint type (defaults: public 60/min, availability 30/min, booking 10/min, admin 120/min)
- Admin endpoints require `edit_posts` capability
- Supports WordPress Application Passwords for external API access
- Client identification by user ID (authenticated) or IP address (anonymous)
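
Review bot: The Security entry still states the defaults as per-minute rates ("public 60/min, availability 30/min, booking 10/min, admin 120/min"), but the Added section makes the time window configurable from 10 to 300 seconds, so those figures are only accurate at the default 60-second window. Suggest wording them as requests per window, for example "defaults: public 60, availability 30, booking 10, admin 120 per 60-second window". The window has documented bounds while the per-endpoint-type limits have none; since the Changed entry says RateLimiter loads limits from WordPress options with fallback defaults, the changelog should state the allowed range for each limit and whether a missing, non-numeric or out-of-range stored value falls back to the default, so that a bad option value cannot silently change what the limiter enforces on the booking and admin endpoints. Separately, the context line "Settings page now has seven tabs" lists only six names.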