Add configurable rate limiting for dev/stage environments

- Add ORCHARD_LOGIN_RATE_LIMIT env var to Helm deployment template
- Set relaxed rate limit (1000/minute) for dev/stage deployments
- Production keeps strict default (5/minute) for security
- Re-enable auth tests in CI (no longer excluded by marker)
- Update test docstrings to reflect rate limit configuration
Mondo Diaz
2026-01-16 21:13:18 +00:00
parent dcd043e9ba
commit 29e8638d7b
6 changed files with 21 additions and 7 deletions


@@ -52,13 +52,13 @@ kics:
- pip install --index-url "$PIP_INDEX_URL" pytest pytest-asyncio httpx
script:
- cd backend
# Run full integration test suite, excluding large/slow tests and auth-intensive tests
# Auth-intensive tests make many login requests which trigger rate limiting on deployed environments
# Run full integration test suite, excluding large/slow tests
# ORCHARD_TEST_URL tells the tests which server to connect to
# Note: Auth tests work because dev/stage deployments have relaxed rate limits
- |
python -m pytest tests/integration/ -v \
--junitxml=integration-report.xml \
-m "not large and not slow and not auth_intensive" \
-m "not large and not slow" \
--tb=short
artifacts:
when: always
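
Review bot: With the marker expression reduced to `-m "not large and not slow"`, the auth tests run against whatever server ORCHARD_TEST_URL names, and the only safeguard is the comment saying dev/stage have relaxed limits. If this job is ever pointed at a deployment that still has the strict default, the suite will start failing on rate-limit responses partway through with no obvious cause. Consider a preflight step that fails fast with a clear message when the target is not a dev/stage deployment, or keep `not auth_intensive` in the expression for any job whose target is not known to be relaxed.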


@@ -81,7 +81,7 @@ and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0
- Improved pod naming: Orchard pods now named `orchard-{env}-server-*` for clarity (#51)
### Fixed
- Fixed CI integration test rate limiting: added `auth_intensive` marker and excluded auth-heavy tests from deployed environments
- Fixed CI integration test rate limiting: added configurable `ORCHARD_LOGIN_RATE_LIMIT` env var, relaxed to 1000/minute for dev/stage
- Fixed duplicate `TestSecurityEdgeCases` class definition in test_auth_api.py
- Fixed integration tests auth: session-scoped client, configurable credentials via env vars, fail-fast on auth errors
- Fixed Content-Disposition header encoding for non-ASCII filenames using RFC 5987 (#38)
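
Review bot: The rewritten Fixed entry names only the dev/stage value of 1000/minute; add that production keeps the 5/minute default, since someone reading the changelog alone could take the relaxed value as the new limit everywhere. The entry also drops the mention of the `auth_intensive` marker even though the test module still applies it, so it is worth saying the marker is kept but no longer used to exclude tests.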


@@ -1,15 +1,15 @@
"""Integration tests for authentication API endpoints.
Note: These tests are marked as auth_intensive because they make many login
requests which can trigger rate limiting on deployed environments. They are
excluded from CI integration tests but run in local and unit test suites.
requests. Dev/stage deployments have relaxed rate limits (1000/minute) to
allow these tests to run. Production uses strict rate limits (5/minute).
"""
import pytest
from uuid import uuid4
# Mark all tests in this module as auth_intensive
# Mark all tests in this module as auth_intensive (informational, not excluded from CI)
pytestmark = pytest.mark.auth_intensive
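
Review bot: The module docstring hard-codes "1000/minute" and "5/minute", which duplicates values that live in the Helm values files and in the backend default, so it will go stale the first time either changes. Refer to ORCHARD_LOGIN_RATE_LIMIT by name instead of quoting numbers. Since the marker is now described as informational, also say in the comment above `pytestmark` what it is still for, for example deselecting these tests with `-m "not auth_intensive"` when running against a server with the strict limit.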


@@ -110,6 +110,12 @@ spec:
value: {{ .Values.orchard.download.mode | quote }}
- name: ORCHARD_PRESIGNED_URL_EXPIRY
value: {{ .Values.orchard.download.presignedUrlExpiry | quote }}
{{- if .Values.orchard.rateLimit }}
{{- if .Values.orchard.rateLimit.login }}
- name: ORCHARD_LOGIN_RATE_LIMIT
value: {{ .Values.orchard.rateLimit.login | quote }}
{{- end }}
{{- end }}
livenessProbe:
{{- toYaml .Values.livenessProbe | nindent 12 }}
readinessProbe:
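
Review bot: The `{{- if .Values.orchard.rateLimit.login }}` block passes any string straight into ORCHARD_LOGIN_RATE_LIMIT, and none of the six files in this commit is backend code, so please confirm the backend already reads this variable and state what it does with a malformed value (falling back to the strict default is the safe behaviour; disabling the limit is not). Omitting the variable when the key is unset is the right default. None of the visible hunks adds a `rateLimit` entry to the chart's default values, so consider adding a commented-out `rateLimit.login` there with a note that it weakens login brute-force protection and should not be set for production.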


@@ -113,6 +113,10 @@ orchard:
mode: "presigned"
presignedUrlExpiry: 3600
# Relaxed rate limits for dev/feature environments (allows integration tests to run)
rateLimit:
login: "1000/minute" # Default is 5/minute, relaxed for CI integration tests
# PostgreSQL - ephemeral, no persistence
postgresql:
enabled: true
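
Review bot: `login: "1000/minute"` is 200 times the stated default and in practice removes login throttling on every dev/feature environment. The PostgreSQL comment below says these environments are ephemeral, which limits the exposure, but it would still be better to size the limit to what the auth test suite actually needs rather than a round number, and to note in the comment that these environments must not be reachable with credentials that are valid anywhere else.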


@@ -120,6 +120,10 @@ orchard:
mode: "presigned" # presigned, redirect, or proxy
presignedUrlExpiry: 3600 # Presigned URL expiry in seconds
# Relaxed rate limits for stage (allows CI integration tests to run)
rateLimit:
login: "1000/minute" # Default is 5/minute, relaxed for CI integration tests
# PostgreSQL subchart configuration
postgresql:
enabled: true
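
Review bot: The stage values get the same `login: "1000/minute"` as dev, but nothing in this hunk says stage data is ephemeral, so if stage holds long-lived accounts this removes brute-force throttling for them. Consider a lower value sized to the CI suite for stage, and since the same literal and comment now appear in two values files, say in one place why that number was chosen so the two do not drift apart.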