From c5602a80bd0c7f569651b7c5a8a47e41c574f6e6 Mon Sep 17 00:00:00 2001
From: Chummy <chumyin0912@gmail.com>
Date: Wed, 18 Feb 2026 09:54:27 +0800
Subject: [PATCH] fix(gateway): honor configured max key bounds

---
 src/gateway/mod.rs | 38 ++++++++++++++++++++++++++++++--------
 1 file changed, 30 insertions(+), 8 deletions(-)

diff --git a/src/gateway/mod.rs b/src/gateway/mod.rs
index 0db6447..a1ac097 100644
--- a/src/gateway/mod.rs
+++ b/src/gateway/mod.rs
@@ -248,6 +248,14 @@ fn client_key_from_request(
         .unwrap_or_else(|| "unknown".to_string())
 }
 
+fn normalize_max_keys(configured: usize, fallback: usize) -> usize {
+    if configured == 0 {
+        fallback.max(1)
+    } else {
+        configured
+    }
+}
+
 /// Shared state for all axum handlers
 #[derive(Clone)]
 pub struct AppState {
@@ -378,20 +386,22 @@ pub async fn run_gateway(host: &str, port: u16, config: Config) -> Result<()> {
         config.gateway.require_pairing,
         &config.gateway.paired_tokens,
     ));
+    let rate_limit_max_keys = normalize_max_keys(
+        config.gateway.rate_limit_max_keys,
+        RATE_LIMIT_MAX_KEYS_DEFAULT,
+    );
     let rate_limiter = Arc::new(GatewayRateLimiter::new(
         config.gateway.pair_rate_limit_per_minute,
         config.gateway.webhook_rate_limit_per_minute,
-        config
-            .gateway
-            .rate_limit_max_keys
-            .max(RATE_LIMIT_MAX_KEYS_DEFAULT),
+        rate_limit_max_keys,
     ));
+    let idempotency_max_keys = normalize_max_keys(
+        config.gateway.idempotency_max_keys,
+        IDEMPOTENCY_MAX_KEYS_DEFAULT,
+    );
     let idempotency_store = Arc::new(IdempotencyStore::new(
         Duration::from_secs(config.gateway.idempotency_ttl_secs.max(1)),
-        config
-            .gateway
-            .idempotency_max_keys
-            .max(IDEMPOTENCY_MAX_KEYS_DEFAULT),
+        idempotency_max_keys,
     ));
 
     // ── Tunnel ────────────────────────────────────────────────
@@ -1020,6 +1030,18 @@ mod tests {
         assert_eq!(key, "10.0.0.5");
     }
 
+    #[test]
+    fn normalize_max_keys_uses_fallback_for_zero() {
+        assert_eq!(normalize_max_keys(0, 10_000), 10_000);
+        assert_eq!(normalize_max_keys(0, 0), 1);
+    }
+
+    #[test]
+    fn normalize_max_keys_preserves_nonzero_values() {
+        assert_eq!(normalize_max_keys(2_048, 10_000), 2_048);
+        assert_eq!(normalize_max_keys(1, 10_000), 1);
+    }
+
     #[test]
     fn persist_pairing_tokens_writes_config_tokens() {
         let temp = tempfile::tempdir().unwrap();