draft of new api settings ui stuff

[O2theC]

i recently moved some ratelimits to env vars to allow better configurability. i decided to try my hand at adding an ui area to configure them. i attached an img below showing what it looks like

the main changes are from a flat requests per minute for rate-limits to a requests in a time period, i feel this better fits with the ability to have the period being more than a minute

i added a small description text on them to give more info about them, currently just what the ratelimit is per.

once the format/design, and the names/wording is confirmed i will work on moving the names and such to the translation thing. As i don't know languages other than english, i will not be able to get translations for other languages

due to how long/tall the list of configs are, i'm wondering if we might want to make it go across the entire panel rather than only being on one half, not sure if that be proper for the design though, there is also the idea of more collapsable sections, but again, not sure if it would fit in the design and be good ux.

[coderabbitai]

📝 Walkthrough

Walkthrough

This PR separates password reset rate limiting from general authentication rate limiting by removing generic auth config keys, adding dedicated password reset config entries, routing auth.post.forgot-password requests to a dedicated limiter, and restructuring the Filament Settings admin UI to present all API rate limits in organized grouped fieldsets with plain English labels.

Changes

API Rate Limiting Refactor

Layer / File(s)	Summary
Password reset rate limit configuration config/http.php	Removes auth_period and auth config keys; establishes dedicated password_reset_period and password_reset entries for password reset–specific limiting.
Password reset routing rate limit app/Providers/RouteServiceProvider.php	The authentication rate limiter adds a dedicated per-IP branch for the auth.post.forgot-password route using the new password reset config values; other auth endpoints continue using the default limiter.
Settings UI rate limits restructure app/Filament/Admin/Pages/Settings.php	Updates Filament imports and reorganizes the "Misc → API" settings from flat TextInput fields into grouped Fieldset sections for each limiter (client, application, password reset, websocket, backup/restore, database create, subuser create, file pull, default). Each fieldset contains request count, period length, and explanatory scope text (per user, per IP, per server) using plain English instead of translation strings.

Possibly Related PRs

• pelican-dev/panel#2332: Both PRs update API rate-limiting configuration by wiring the same limiter keys (http.rate_limit.* for auth and password reset) through config and RouteServiceProvider::configureRateLimiting(), with this PR also surfacing those fields in the Filament Settings UI.

🚥 Pre-merge checks | ✅ 4 | ❌ 1

❌ Failed checks (1 inconclusive)

Check name	Status	Explanation	Resolution
Title check	❓ Inconclusive	The title 'draft of new api settings ui stuff' is vague and uses generic terms like 'stuff' that don't convey meaningful information about the specific changes.	Provide a more descriptive title that clearly indicates the main change, such as 'Add API rate limit configuration UI' or 'Restructure API settings with rate limit controls'.

✅ Passed checks (4 passed)

Check name	Status	Explanation
Description check	✅ Passed	The description clearly explains the changes: moving rate limits to environment variables, adding a new UI for configuration, changing from 'per minute' to 'per time period', adding descriptive text, and raising design/UX questions about layout.
Docstring Coverage	✅ Passed	Docstring coverage is 100.00% which is sufficient. The required threshold is 80.00%.
Linked Issues check	✅ Passed	Check skipped because no linked issues were found for this pull request.
Out of Scope Changes check	✅ Passed	Check skipped because no linked issues were found for this pull request.

_{✏️ Tip: You can configure your own custom pre-merge checks in the settings.}

---

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

• X
• Mastodon
• Reddit
• LinkedIn

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[O2theC]

for clarification, this is in the admin panel -> Settings -> Misc -> API

[O2theC]

somewhat related, i can't seem to find where the auth ratelimit is used, made a discussion for that

[O2theC]

as confirmed from #2349 (reply in thread) the auth ratelimit is left over from ptero and is no longer being used due to using filament. As approved in that same discussion, i will be removing the auth ratelimit in a future commit for this PR

[O2theC]

as i do not know php nor the ratelimit system enough, i am not sure if https://github.com/O2theC/panel/blob/new-ratelimit-configs-in-ui/app/Providers/RouteServiceProvider.php#L71:L75 is as it should be. let me know if there is a certain way it should be handled or cleaned up

[lancepioch]

Hi, please reopen this same PR when it's ready for review and then DM me on Discord or email me a link so I can review it, thanks!

[coderabbitai]

Actionable comments posted: 0

🧹 Nitpick comments (2)

app/Filament/Admin/Pages/Settings.php (2)

803-964: 💤 Low value

Consider extracting the repeated fieldset pattern into a helper method.

The nine fieldsets (client, application, password_reset, websocket, backup_restore, database_create, subuser_create, file_pull, default) follow nearly identical structures: each has a label, two TextInput components for request count and period length, and a Text component for scope description. This repetition could be reduced by extracting a helper method.

💡 Example refactoring pattern

private function makeRateLimitFieldset(
    string $label,
    string $envPrefix,
    string $configKey,
    string $scopeDescription
): Fieldset {
    return Fieldset::make()
        ->label($label)
        ->schema([
            TextInput::make("APP_API_{$envPrefix}_RATELIMIT")
                ->label('Requests Per Period')
                ->required()
                ->numeric()
                ->minValue(1)
                ->suffix('Requests')
                ->default(env("APP_API_{$envPrefix}_RATELIMIT", config("http.rate_limit.{$configKey}"))),
            TextInput::make("APP_API_{$envPrefix}_RATELIMIT_PERIOD")
                ->label('Period Length')
                ->required()
                ->numeric()
                ->minValue(1)
                ->suffix('Minutes')
                ->default(env("APP_API_{$envPrefix}_RATELIMIT_PERIOD", config("http.rate_limit.{$configKey}_period"))),
            Text::make($scopeDescription),
        ]);
}

Then call it as:

$this->makeRateLimitFieldset('Client API Ratelimit', 'CLIENT', 'client', 'Ratelimit is per user, or IP if there is no user'),
$this->makeRateLimitFieldset('Application API Ratelimit', 'APPLICATION', 'application', 'Ratelimit is per user, or IP if there is no user'),
// ... etc

This is optional since the current implementation is functional and clear, but it would improve maintainability if rate limit categories are added or modified in the future.

🤖 Prompt for AI Agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@app/Filament/Admin/Pages/Settings.php` around lines 803 - 964, The repeated
Fieldset::make() blocks in Settings.php implement the same pattern for various
rate limits; extract that pattern into a private helper (e.g.
makeRateLimitFieldset) that accepts parameters like $label, $envPrefix,
$configKey, and $scopeDescription and returns a Fieldset, then replace each
repeated block (the Client/Application/Password Reset/Websocket/Backup
Restore/Database Create/Subuser Create/File Pull/Default blocks) with calls to
this helper inside the form schema; ensure the helper constructs the two
TextInput keys APP_API_{ENV}_RATELIMIT and APP_API_{ENV}_RATELIMIT_PERIOD and
uses env(..., config(...)) for defaults and preserves the Text scope
description.

---

803-964: ⚡ Quick win

Plan to migrate hardcoded strings to translation system.

All labels, helper text, and scope descriptions throughout the API rate limit fieldsets use hardcoded English strings instead of trans() calls (e.g., 'Client API Ratelimit', 'Requests Per Period', 'Ratelimit is per user, or IP if there is no user'). This blocks internationalization.

While the PR description acknowledges this is temporary and will be addressed once the design is finalized, ensure this migration happens before the feature is considered complete to maintain consistency with the rest of the settings page (which uses trans('admin/setting...') throughout).

🤖 Prompt for AI Agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@app/Filament/Admin/Pages/Settings.php` around lines 803 - 964, The rate limit
fieldsets use hardcoded English strings; replace each literal label and helper
text with translation calls (e.g., trans(...)) so the UI is localizable: update
Fieldset::make(...) labels like 'Client API Ratelimit', TextInput::make(...)
->label('Requests Per Period'), ->suffix('Minutes'/'Requests') and
Text::make(...) helper lines inside the blocks for APP_API_CLIENT_RATELIMIT,
APP_API_CLIENT_RATELIMIT_PERIOD, APP_API_APPLICATION_RATELIMIT,
APP_API_APPLICATION_RATELIMIT_PERIOD, APP_API_PASSWORD_RESET_RATELIMIT,
APP_API_PASSWORD_RESET_RATELIMIT_PERIOD, APP_API_WEBSOCKET_RATELIMIT,
APP_API_WEBSOCKET_RATELIMIT_PERIOD, APP_API_BACKUP_RESTORE_RATELIMIT,
APP_API_BACKUP_RESTORE_RATELIMIT_PERIOD, APP_API_DATABASE_CREATE_RATELIMIT,
APP_API_DATABASE_CREATE_RATELIMIT_PERIOD, APP_API_SUBUSER_CREATE_RATELIMIT,
APP_API_SUBUSER_CREATE_RATELIMIT_PERIOD, APP_API_FILE_PULL_RATELIMIT,
APP_API_FILE_PULL_RATELIMIT_PERIOD, APP_API_DEFAULT_RATELIMIT, and
APP_API_DEFAULT_RATELIMIT_PERIOD to use trans('admin/settings.<meaningful_key>')
(create matching translation keys for section labels, field labels, suffixes and
helper descriptions).

🤖 Prompt for all review comments with AI agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Nitpick comments:
In `@app/Filament/Admin/Pages/Settings.php`:
- Around line 803-964: The repeated Fieldset::make() blocks in Settings.php
implement the same pattern for various rate limits; extract that pattern into a
private helper (e.g. makeRateLimitFieldset) that accepts parameters like $label,
$envPrefix, $configKey, and $scopeDescription and returns a Fieldset, then
replace each repeated block (the Client/Application/Password
Reset/Websocket/Backup Restore/Database Create/Subuser Create/File Pull/Default
blocks) with calls to this helper inside the form schema; ensure the helper
constructs the two TextInput keys APP_API_{ENV}_RATELIMIT and
APP_API_{ENV}_RATELIMIT_PERIOD and uses env(..., config(...)) for defaults and
preserves the Text scope description.
- Around line 803-964: The rate limit fieldsets use hardcoded English strings;
replace each literal label and helper text with translation calls (e.g.,
trans(...)) so the UI is localizable: update Fieldset::make(...) labels like
'Client API Ratelimit', TextInput::make(...) ->label('Requests Per Period'),
->suffix('Minutes'/'Requests') and Text::make(...) helper lines inside the
blocks for APP_API_CLIENT_RATELIMIT, APP_API_CLIENT_RATELIMIT_PERIOD,
APP_API_APPLICATION_RATELIMIT, APP_API_APPLICATION_RATELIMIT_PERIOD,
APP_API_PASSWORD_RESET_RATELIMIT, APP_API_PASSWORD_RESET_RATELIMIT_PERIOD,
APP_API_WEBSOCKET_RATELIMIT, APP_API_WEBSOCKET_RATELIMIT_PERIOD,
APP_API_BACKUP_RESTORE_RATELIMIT, APP_API_BACKUP_RESTORE_RATELIMIT_PERIOD,
APP_API_DATABASE_CREATE_RATELIMIT, APP_API_DATABASE_CREATE_RATELIMIT_PERIOD,
APP_API_SUBUSER_CREATE_RATELIMIT, APP_API_SUBUSER_CREATE_RATELIMIT_PERIOD,
APP_API_FILE_PULL_RATELIMIT, APP_API_FILE_PULL_RATELIMIT_PERIOD,
APP_API_DEFAULT_RATELIMIT, and APP_API_DEFAULT_RATELIMIT_PERIOD to use
trans('admin/settings.<meaningful_key>') (create matching translation keys for
section labels, field labels, suffixes and helper descriptions).

---

ℹ️ Review info

⚙️ Run configuration

Configuration used: Repository UI

Review profile: CHILL

Plan: Pro

Run ID: d23e871f-1faa-4ab8-897b-18e71337047c

📥 Commits

Reviewing files that changed from the base of the PR and between 2a328a2 and dbb349f.

📒 Files selected for processing (3)

• app/Filament/Admin/Pages/Settings.php
• app/Providers/RouteServiceProvider.php
• config/http.php

💤 Files with no reviewable changes (2)

• app/Providers/RouteServiceProvider.php
• config/http.php

[O2theC]

something important, i do believe this currently overrides the values (ie not using a translation key). i was hoping to get confirmation that the design of the ui and wording is good before changing it to use translation keys