hiero-ledger
diff --git a/‎README.md‎
Lines changed: 6 additions & 4 deletions b/‎README.md‎
Lines changed: 6 additions & 4 deletions
diff --git a/‎docs/configuration.md‎
Lines changed: 1 addition & 0 deletions b/‎docs/configuration.md‎
Lines changed: 1 addition & 0 deletions
diff --git a/‎docs/rate-limiting.md‎
Lines changed: 41 additions & 0 deletions b/‎docs/rate-limiting.md‎
Lines changed: 41 additions & 0 deletions
diff --git a/‎packages/config-service/src/services/globalConfig.ts‎
Lines changed: 6 additions & 0 deletions b/‎packages/config-service/src/services/globalConfig.ts‎
Lines changed: 6 additions & 0 deletions
diff --git a/‎packages/server/src/koaJsonRpc/lib/methodConfiguration.ts‎ renamed to ‎packages/relay/src/lib/config/methodConfiguration.ts‎
Lines changed: 3 additions & 9 deletions b/‎packages/server/src/koaJsonRpc/lib/methodConfiguration.ts‎ renamed to ‎packages/relay/src/lib/config/methodConfiguration.ts‎
Lines changed: 3 additions & 9 deletions
diff --git a/‎packages/relay/src/lib/constants.ts‎
Lines changed: 0 additions & 1 deletion b/‎packages/relay/src/lib/constants.ts‎
Lines changed: 0 additions & 1 deletion
diff --git a/‎packages/relay/src/lib/hbarlimiter/index.ts‎ b/‎packages/relay/src/lib/hbarlimiter/index.ts‎
diff --git a/‎packages/relay/src/lib/services/index.ts‎
Lines changed: 4 additions & 0 deletions b/‎packages/relay/src/lib/services/index.ts‎
Lines changed: 4 additions & 0 deletions
diff --git a/‎packages/relay/src/lib/services/rateLimiterService/LruRateLimitStore.ts‎
Lines changed: 162 additions & 0 deletions b/‎packages/relay/src/lib/services/rateLimiterService/LruRateLimitStore.ts‎
Lines changed: 162 additions & 0 deletions
@@ -80,10 +80,10 @@ Note: Read more about `DEV_MODE` which provides optimal local and developer test
 
 The following table highlights some initial configuration values to consider
 
-| Config            | Default | Description                                                                                                                                                                                                                                                                                                                 |
-| ----------------- | ------- | --------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- |
-| `CHAIN_ID`        | `0x12a` | The network chain id. Local and previewnet envs should use `0x12a` (298). Previewnet, Testnet and Mainnet should use `0x129` (297), `0x128` (296) and `0x127` (295) respectively                                                                                                                                            |
-| `HEDERA_NETWORK`  | ``      | Which network to connect to. Automatically populates the main node & mirror node endpoints. Can be `MAINNET`, `PREVIEWNET`, `TESTNET` or `OTHER`                                                                                                                                                                            |
+| Config            | Default | Description                                                                                                                                                                                                                                                                                            |
+| ----------------- | ------- | ------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------ |
+| `CHAIN_ID`        | `0x12a` | The network chain id. Local and previewnet envs should use `0x12a` (298). Previewnet, Testnet and Mainnet should use `0x129` (297), `0x128` (296) and `0x127` (295) respectively                                                                                                                       |
+| `HEDERA_NETWORK`  | ``      | Which network to connect to. Automatically populates the main node & mirror node endpoints. Can be `MAINNET`, `PREVIEWNET`, `TESTNET` or `OTHER`                                                                                                                                                       |
 | `MIRROR_NODE_URL` | ``      | The Mirror Node API endpoint. Official endpoints are Previewnet (https://previewnet.mirrornode.hedera.com), Testnet (https://testnet.mirrornode.hedera.com), Mainnet (https://mainnet-public.mirrornode.hedera.com). See [Mirror Node REST API](https://docs.hedera.com/hedera/sdks-and-apis/rest-api) |
 
 #### Run
@@ -258,13 +258,15 @@ The hedera-json-rpc-relay ships with a metrics endpoint at `/metrics`. Here is a
 Please note that the `/metrics` endpoint is also a default scrape configurations for prometheus. The `job_name` of `kubernetes-pods` is generally deployed as a default with prometheus; in the case where this scrape_config is present metrics will start getting populated by that scrape_config and no other configurations are necessary.
 
 ##### Dashboard
+
 [Grafana JSON Dashboards](https://github.com/hiero-ledger/hiero-json-rpc-relay/tree/main/charts/hedera-json-rpc-relay/dashboards) can be used as the dashboard for hedera-json-rpc-relay.
 
 ##### Admin-specific RPC methods
 
 - GET `/config` - To provide more transparency and operational insight to the developers, the hiero-json-rpc-relay exposes all environment variables. Such information could aid in troubleshooting and understanding the context in which the relay is running.
 
 Expected response:
+
 ```
 {
     "relay": {
 
@@ -88,6 +88,7 @@ Unless you need to set a non-default value, it is recommended to only populate o
 | `MIRROR_NODE_URL_HEADER_X_API_KEY`          | ""                                    | Authentication for a `MIRROR_NODE_URL` that requires authentication via the `x-api-key` header.                                                                                                                                                                                                                                                                                                                                                                                            |
 | `MULTI_SET`                                 | "false"                               | Switch between different implementation of setting multiple K/V pairs in the shared cache. True is mSet, false is pipeline                                                                                                                                                                                                                                                                                                                                                                 |
 | `JUMBO_TX_ENABLED`                          | "true"                                | Controls how large transactions are handled during `eth_sendRawTransaction`. When set to `true`, transactions up to 128KB can be sent directly to consensus nodes without using Hedera File Service (HFS), as long as contract bytecode doesn't exceed 24KB. When set to `false`, all transactions containing contract deployments use the traditional HFS approach. This feature leverages the increased transaction size limit to simplify processing of standard Ethereum transactions. |
+| `IP_RATE_LIMIT_STORE`                       | null                                  | Specifies the rate limit store to use for IP-based rate limiting: valid values are "LRU", "REDIS", with the possibility to be extended with a custom implementation (see [Store Selection](rate-limiting.md#store-selection)). If unset, falls back to Redis when `REDIS_ENABLED=true`, otherwise uses in-memory LRU.                                                                                                                                                                      |
 | `REDIS_ENABLED`                             | "true"                                | Enable usage of Redis as shared cache                                                                                                                                                                                                                                                                                                                                                                                                                                                      |
 | `REDIS_RECONNECT_DELAY_MS`                  | "1000"                                | Sets the delay between reconnect retries from the Redis client in ms                                                                                                                                                                                                                                                                                                                                                                                                                       |
 | `REDIS_URL`                                 | "redis://127.0.0.1:6379"              | Sets the url for the Redis shared cache                                                                                                                                                                                                                                                                                                                                                                                                                                                    |
 
@@ -2,6 +2,16 @@
 
 Rate-limiting middleware for Koa Json Rpc. Use to limit repeated requests to APIs and/or endpoints by IP.
 
+## How It Works
+
+1. On each incoming request, the `IPRateLimiterService` constructs a key combining the client IP and method name (e.g., `ratelimit:{ip}:{method}`).
+2. It selects a rate limit store backend (LRU or Redis) based on the `IP_RATE_LIMIT_STORE` and `REDIS_ENABLED` environment variables with the possibility to be extended and use a custom store (more info below).
+3. The store's `incrementAndCheck(key, limit, duration)` method is invoked:
+   - **LRU**: maintains counts in an in-memory map and resets them after the configured duration.
+   - **Redis**: uses an atomic Lua script to `INCR` and set `EXPIRE`, ensuring cross-pod consistency.
+4. If the request count exceeds the limit, the service logs a warning, increments the Prometheus counter `rpc_relay_ip_rate_limit`, and `shouldRateLimit` returns `true` (blocking the request).
+5. Setting `RATE_LIMIT_DISABLED=true` bypasses all rate limiting checks globally.
+
 ## Configuration
 
 All rate-limiting options are exposed and can be configured from `.env` .
@@ -23,6 +33,37 @@ RATE_LIMIT_DISABLED = false;
 - **LIMIT_DURATION**: - reset limit duration. This creates a timestamp, which resets all limits, when it's reached. Default is to `60000` (1 minute).
 - **RATE_LIMIT_DISABLED**: - if set to `true` no rate limiting will be performed.
 
+### Store Selection
+
+You can configure which backend store to use for rate limiting via environment variables:
+
+- **IP_RATE_LIMIT_STORE**: Specifies the rate limit store to use. Valid values:
+  - "LRU": In-memory store.
+  - "REDIS": Redis-based store.
+  - Any other custom type if you have implemented a custom store and added it to the `RateLimitStoreType` enum.
+    If not set, the relay will fall back to using Redis when `REDIS_ENABLED=true`, otherwise it uses LRU.
+- **REDIS_ENABLED**: If `true`, enables Redis-based rate limiting when `IP_RATE_LIMIT_STORE` is not explicitly set. Default: `false`.
+- **REDIS_URL**: The Redis connection URL (e.g. `redis://localhost:6379`). Required when using Redis store.
+
+To extend with a custom store:
+
+1. Implement a class that implements `RateLimitStore`.
+2. Add your custom store type string to the `RateLimitStoreType` array in `packages/relay/src/lib/types/rateLimiter.ts`.
+3. Start the relay with `IP_RATE_LIMIT_STORE=MyCustomStore`
+
+   ```ts
+   import { RateLimitStore } from '@hashgraph/json-rpc-relay/dist/lib/types';
+
+   class MyCustomStore implements RateLimitStore {
+     constructor(options: MyOptions) {
+       /* ... */
+     }
+     async incrementAndCheck(key: string, limit: number, durationMs: number): Promise<boolean> {
+       // custom logic
+     }
+   }
+   ```
+
 The following table highlights each relay endpoint and the TIER associated with it as dictated by [methodConfiguration.ts](/packages/server/src/koaJsonRpc/lib/methodConfiguration.ts)
 
 | Method endpoint                           | Tier              |
 
@@ -635,6 +635,12 @@ const _CONFIG = {
     required: false,
     defaultValue: true,
   },
+  IP_RATE_LIMIT_STORE: {
+    envName: 'IP_RATE_LIMIT_STORE',
+    type: 'string',
+    required: false,
+    defaultValue: null,
+  },
   REDIS_RECONNECT_DELAY_MS: {
     envName: 'REDIS_RECONNECT_DELAY_MS',
     type: 'number',
 
@@ -2,20 +2,14 @@
 
 import { ConfigService } from '@hashgraph/json-rpc-config-service/dist/services';
 
+import { MethodRateLimitConfiguration } from '../types';
+
 const tier1rateLimit = ConfigService.get('TIER_1_RATE_LIMIT');
 const tier2rateLimit = ConfigService.get('TIER_2_RATE_LIMIT');
 const tier3rateLimit = ConfigService.get('TIER_3_RATE_LIMIT');
 
-export interface IMethodRateLimit {
-  total: number;
-}
-
-export interface IMethodRateLimitConfiguration {
-  [method: string]: IMethodRateLimit;
-}
-
 // total requests per rate limit duration (default ex. 200 request per 60000ms)
-export const methodConfiguration: IMethodRateLimitConfiguration = {
+export const methodConfiguration: MethodRateLimitConfiguration = {
   web3_clientVersion: {
     total: tier3rateLimit,
   },
 
@@ -273,6 +273,5 @@ export default {
   ETH_GET_TRANSACTION_COUNT: 'eth_getTransactionCount',
   ETH_GET_TRANSACTION_RECEIPT: 'eth_GetTransactionReceipt',
   ETH_SEND_RAW_TRANSACTION: 'eth_sendRawTransaction',
-
   NON_CACHABLE_BLOCK_PARAMS: 'latest|pending|finalized|safe',
 };
@@ -11,3 +11,7 @@ export * from './ethService/blockService/IBlockService';
 export * from './ethService/contractService/ContractService';
 export * from './ethService/contractService/IContractService';
 export * from './ethService/transactionService/TransactionService';
+export * from '../types/rateLimiter';
+export * from './rateLimiterService/LruRateLimitStore';
+export * from './rateLimiterService/RedisRateLimitStore';
+export * from './rateLimiterService/rateLimiterService';
@@ -0,0 +1,162 @@
+// SPDX-License-Identifier: Apache-2.0
+
+import { RateLimitKey, RateLimitStore } from '../../types';
+
+interface DatabaseEntry {
+  reset: number;
+  methodInfo: any;
+}
+
+interface MethodDatabase {
+  methodName: string;
+  remaining: number;
+  total: number;
+}
+
+/**
+ * LRU-based in-memory rate limit store.
+ * Tracks request counts per IP and method within a time window.
+ */
+export class LruRateLimitStore implements RateLimitStore {
+  private database: any;
+  private duration: number;
+
+  /**
+   * Initializes the store with the specified duration window.
+   * @param duration - Time window in milliseconds for rate limiting.
+   */
+  constructor(duration: number) {
+    this.database = Object.create(null);
+    this.duration = duration;
+  }
+
+  /**
+   * Increments the request count for a given IP and method, checking if the limit is exceeded.
+   * @param key - The rate limit key containing IP and method information.
+   * @param limit - Maximum allowed requests in the current window.
+   * @returns True if rate limit exceeded, false otherwise.
+   */
+  async incrementAndCheck(key: RateLimitKey, limit: number): Promise<boolean> {
+    const { ip, method } = key;
+
+    this.precheck(ip, method, limit);
+    if (!this.shouldReset(ip)) {
+      if (this.checkRemaining(ip, method)) {
+        this.decreaseRemaining(ip, method);
+        return false;
+      }
+      return true;
+    } else {
+      this.reset(ip, method, limit);
+      this.decreaseRemaining(ip, method);
+      return false;
+    }
+  }
+
+  /**
+   * Ensures the IP and method are initialized in the database.
+   * @param ip - The IP address to check.
+   * @param methodName - The method name to check.
+   * @param total - The total number of allowed requests.
+   */
+  private precheck(ip: string, methodName: string, total: number): void {
+    if (!this.checkIpExist(ip)) {
+      this.setNewIp(ip);
+    }
+
+    if (!this.checkMethodExist(ip, methodName)) {
+      this.setNewMethod(ip, methodName, total);
+    }
+  }
+
+  /**
+   * Initializes a new IP entry in the database.
+   * @param ip - The IP address to initialize.
+   */
+  private setNewIp(ip: string): void {
+    const entry: DatabaseEntry = {
+      reset: Date.now() + this.duration,
+      methodInfo: {},
+    };
+    this.database[ip] = entry;
+  }
+
+  /**
+   * Initializes a new method entry for a given IP in the database.
+   * @param ip - The IP address associated with the method.
+   * @param methodName - The method name to initialize.
+   * @param total - The total number of allowed requests.
+   */
+  private setNewMethod(ip: string, methodName: string, total: number): void {
+    const entry: MethodDatabase = {
+      methodName: methodName,
+      remaining: total,
+      total: total,
+    };
+    this.database[ip].methodInfo[methodName] = entry;
+  }
+
+  /**
+   * Checks if an IP exists in the database.
+   * @param ip - The IP address to check.
+   * @returns True if the IP exists, false otherwise.
+   */
+  private checkIpExist(ip: string): boolean {
+    return this.database[ip] !== undefined;
+  }
+
+  /**
+   * Checks if a method exists for a given IP in the database.
+   * @param ip - The IP address associated with the method.
+   * @param method - The method name to check.
+   * @returns True if the method exists, false otherwise.
+   */
+  private checkMethodExist(ip: string, method: string): boolean {
+    return this.database[ip].methodInfo[method] !== undefined;
+  }
+
+  /**
+   * Checks if there are remaining requests for a given IP and method.
+   * @param ip - The IP address associated with the method.
+   * @param methodName - The method name to check.
+   * @returns True if there are remaining requests, false otherwise.
+   */
+  private checkRemaining(ip: string, methodName: string): boolean {
+    return this.database[ip].methodInfo[methodName].remaining > 0;
+  }
+
+  /**
+   * Determines if the rate limit should be reset for a given IP.
+   * @param ip - The IP address to check.
+   * @returns True if the rate limit should be reset, false otherwise.
+   */
+  private shouldReset(ip: string): boolean {
+    return this.database[ip].reset < Date.now();
+  }
+
+  /**
+   * Resets the rate limit for a given IP and method.
+   * @param ip - The IP address associated with the method.
+   * @param methodName - The method name to reset.
+   * @param total - The total number of allowed requests.
+   */
+  private reset(ip: string, methodName: string, total: number): void {
+    this.database[ip].reset = Date.now() + this.duration;
+    for (const [keyMethod] of Object.entries(this.database[ip].methodInfo)) {
+      this.database[ip].methodInfo[keyMethod].remaining = this.database[ip].methodInfo[keyMethod].total;
+    }
+    // Ensure the current method being checked is reset with the potentially new total (limit)
+    this.database[ip].methodInfo[methodName].remaining = total;
+    this.database[ip].methodInfo[methodName].total = total; // also update total if it changed
+  }
+
+  /**
+   * Decreases the remaining request count for a given IP and method.
+   * @param ip - The IP address associated with the method.
+   * @param methodName - The method name to decrease the count for.
+   */
+  private decreaseRemaining(ip: string, methodName: string): void {
+    const currentRemaining = this.database[ip].methodInfo[methodName].remaining;
+    this.database[ip].methodInfo[methodName].remaining = currentRemaining > 0 ? currentRemaining - 1 : 0;
+  }
+}