How to Bypass Rate Limiting for Admin in a Custom Directus Extension

Hi everyone!

I want regular users to be limited as expected, but I’d like admin users (or users with specific roles) to bypass the rate limit altogether.

I’m aware that Directus has built-in rate limiting, but I’d like to know how I can conditionally skip the limiter based on the user role — ideally from within a custom hook in a Directus extension.

Has anyone done something similar?
Is there a recommended way to check the user role and bypass the limiter inside a custom extension?

Any help or examples would be greatly appreciated!

Thanks

I found that rate limiting in Directus is handled by Express middleware, so the accountability object (with user role) isn’t available yet.

Is there a hook or way to override this middleware so I can implement a custom rate limiter that checks for a special header like X-BYPASS-RATE-LIMIT with a token to bypass the limit?

Thanks

There’s currently no way to override an existing piece of middleware to conditionally skip the rate limiter. The requests are counted and tracked as part of built-in middleware that’s called on every route for everybody.

That being said, in most modern hosting paradigms you configure the rate limiter in the networking layer rather than the application layer, so there is a world where you disable Directus’ built-in rate limiter and instead rely on nginx, AWS API Gateway, Caddy, or a PaaS to configure and handle the rate-limiting piece.
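One way to implement the networking-layer approach described in that reply, as an added example that is not part of the thread and not Directus or nginx project code: an nginx front-end that rate limits per client IP but exempts requests carrying a correct bypass token in the header the original poster proposed. The upstream address, header name, zone size, rates, certificate paths and the token value are all assumptions.

```nginx
# Added example (not from the thread): nginx does the rate limiting instead of
# Directus. Start Directus with RATE_LIMITER_ENABLED=false so requests are not
# counted twice. Assumed: Directus listens on 127.0.0.1:8055.

# Build the rate-limit key from the bypass header. nginx does not count a
# request whose limit_req_zone key is empty, so a matching token means
# "no limit" while everyone else is keyed by client IP.
# Generate the token with `openssl rand -hex 32`: hex has no case ambiguity,
# which matters because map compares plain strings case-insensitively.
map $http_x_bypass_rate_limit $directus_rl_key {
    default                            $binary_remote_addr;
    "REPLACE_WITH_OUTPUT_OF_openssl_rand_hex_32" "";
}

# 50 requests/second per key, tracked in a 10 MB shared zone.
limit_req_zone $directus_rl_key zone=directus:10m rate=50r/s;

server {
    listen 443 ssl;
    server_name directus.example.com;            # assumed hostname
    ssl_certificate     /etc/ssl/certs/directus.pem;   # assumed paths
    ssl_certificate_key /etc/ssl/private/directus.key;

    location / {
        # Allow short bursts of up to 100 requests without delay,
        # then answer 429 (the status Directus' own limiter uses) instead of 503.
        limit_req zone=directus burst=100 nodelay;
        limit_req_status 429;

        proxy_pass http://127.0.0.1:8055;
        proxy_set_header Host              $host;
        proxy_set_header X-Forwarded-For   $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;
    }
}
```

Two cautions before relying on this. The token is a static bearer secret: anyone who obtains it gets unlimited requests, so ship it only to admin tooling that runs server-side or over TLS, never to browser code, and rotate it if it leaks. If the admins come from a known network, a `geo` block that maps their address range to an empty key is a tighter exemption than a header, since it cannot be replayed from elsewhere. Also, `$binary_remote_addr` is the address nginx sees; behind another proxy or load balancer, configure `set_real_ip_from` and `real_ip_header` so the limit is applied per real client rather than per upstream hop.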