Skip to main content
QMSQMS
QMS
  • Welcome to your QMS
  • Quality Manual
  • Procedures
  • Records
  • Legit.Health Plus Version 1.1.0.0
    • Index
    • Overview and Device Description
    • Information provided by the Manufacturer
    • Design and Manufacturing Information
    • GSPR
    • Benefit-Risk Analysis and Risk Management
    • Product Verification and Validation
    • Design History File
      • Requirements
      • Test plans
        • PLAN-001 Users submit their credentials to receive an access token
        • PLAN_002 Token expiration in user authentication process
        • PLAN_003 Account lockout for user authentication
        • PLAN_004 Enforcing HTTPS protocol for API communications
        • PLAN_005 Valid SSL/TLS certificates
        • PLAN_006 Rate limiting for anonymous users
        • PLAN_007 Rate limiting for authenticated users
        • PLAN_008 Logging and monitoring of rate limit violations
        • PLAN_009 Validation of request and response data against FHIR schemas
        • PLAN_010 Base64 encoded images are accepted
        • PLAN_011 Non-Base64 encoded images are rejected
        • PLAN_012 Diagnosis support endpoint accepts multiple images
        • PLAN_013 Improved accuracy with multiple images
        • PLAN_014: Password hashing during user registration
        • PLAN_015: Password hash comparison during login
        • PLAN_016: Registration of a new user by authorized individuals
        • PLAN_017 Specification of body zone for scoring systems requiring zone factor
        • PLAN_018 The device's API maintains an uptime of at least 99% over a one-month period
        • PLAN_019 API penetration testing with Intruder.io
      • Test runs
      • Review meetings
      • REL-001 Version 1.1.0.0
    • Post-Market Surveillance
  • Legit.Health Plus Version 1.1.0.1
  • Licenses and accreditations
  • Applicable Standards and Regulations
  • Grants
  • Public tenders
  • Legit.Health Plus Version 1.1.0.0
  • Design History File
  • Test plans
  • PLAN_007 Rate limiting for authenticated users

PLAN_007 Rate limiting for authenticated users

Description​

This test verifies the rate limiting functionality for authenticated users accessing the REST API.

System requirements​

There are no minimum software and hardware requirements to run this test.

Preconditions​

  • The entire system (including the reverse proxy, REST API, and all upstream services) is deployed, operational, and accessible online.
  • All communications with the REST API are conducted over HTTPS, either through a reverse proxy server or directly with the hosting server.
  • Rate limit configured to 1000 requests per minute for authenticated users.

Input data​

No specific data is needed to perform this test.

Steps​

  1. Log in with valid credentials to obtain an access token.
  2. Send 1000 requests to the API within one minute using the access token.
  3. Send an additional request within the same minute using the same access token.
  4. Observe the response for the additional request.
  5. Wait for one minute to pass.
  6. Send a request after the rate limit window has reset using the same access token.

Expected outcome​

  • The first 1000 requests should succeed with a 200 OK status code.
  • The additional request should receive an HTTP 429 Too Many Requests status code with an appropriate error message.
  • The request sent after the rate limit window resets should succeed with a 200 OK status code.

Verifies software requirements​

  • SWR-003

Risk control for​

  • Preventing denial of service (DoS) attacks.
  • Ensuring equitable resource distribution.

Signature meaning

The signatures for the approval process of this document can be found in the verified commits at the repository for the QMS. As a reference, the team members who are expected to participate in this document and their roles in the approval process, as defined in Annex I Responsibility Matrix of the GP-001, are:

  • Tester: JD-017, JD-009, JD-004
  • Approver: JD-005
Previous
PLAN_006 Rate limiting for anonymous users
Next
PLAN_008 Logging and monitoring of rate limit violations
  • Description
  • System requirements
  • Preconditions
  • Input data
  • Steps
  • Expected outcome
  • Verifies software requirements
  • Risk control for
All the information contained in this QMS is confidential. The recipient agrees not to transmit or reproduce the information, neither by himself nor by third parties, through whichever means, without obtaining the prior written permission of Legit.Health (AI LABS GROUP S.L.)