Description
Is there an existing issue for this?
- I have searched the existing issues
Current Behavior
c.f. https://github.com/coder/dogfood/issues/216
I'm marking this s1 (@Kira-Pilot downgraded to S2) on the grounds that customers could be hitting the same issue as we are in dogfood ^^.
I modified some CI tests to set a rate limit, then put a break point in this code in ratelimit.go

```go
// Prioritize by user, but fallback to IP.
apiKey, ok := r.Context().Value(apiKeyContextKey{}).(database.APIKey)
if !ok {
	return httprate.KeyByIP(r)
}
```

`ok` never ends up true.
The problem is that the rate limit middleware is set before the middleware that extracts the API key, so the key is never available in the request context the rate limiter uses.
This has knock-on consequences that our X-Coder-Bypass-Ratelimit header for scale testing is always ignored.
Relevant Log Output
Expected Behavior
Rate limits are enforced per user, even if requests come from different IP addresses.
Steps to Reproduce
Login, send requests.
Environment
Additional Context
No response
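The ordering problem described in this issue, reproduced with the standard library only, as an added example that is not Coder's code. `extractAPIKey`, `limiter`, `bucketKeys`, the `X-Demo-Token` header and the token table are hypothetical stand-ins, and the limiter only records the bucket key it would use instead of enforcing a limit.

```go
package main

import (
	"context"
	"fmt"
	"net/http"
	"net/http/httptest"
)

type apiKeyContextKey struct{}

// extractAPIKey stands in for the auth middleware: it puts the user in the context.
func extractAPIKey(next http.Handler) http.Handler {
	users := map[string]string{"token-alice": "alice"} // constructed sample data
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		if u, ok := users[r.Header.Get("X-Demo-Token")]; ok {
			r = r.WithContext(context.WithValue(r.Context(), apiKeyContextKey{}, u))
		}
		next.ServeHTTP(w, r)
	})
}

// limiter stands in for the rate limiter: prioritize by user, fall back to IP.
func limiter(keys *[]string, next http.Handler) http.Handler {
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		key := "ip:" + r.RemoteAddr
		if u, ok := r.Context().Value(apiKeyContextKey{}).(string); ok {
			key = "user:" + u
		}
		*keys = append(*keys, key)
		next.ServeHTTP(w, r)
	})
}

// bucketKeys sends one user's requests from two addresses and returns the keys used.
func bucketKeys(limiterFirst bool) []string {
	var keys []string
	h := extractAPIKey(limiter(&keys, http.NotFoundHandler())) // auth runs first
	if limiterFirst {
		h = limiter(&keys, extractAPIKey(http.NotFoundHandler())) // order in this issue
	}
	for _, addr := range []string{"192.0.2.1:4000", "198.51.100.7:4000"} {
		req := httptest.NewRequest(http.MethodGet, "/api", nil)
		req.RemoteAddr = addr
		req.Header.Set("X-Demo-Token", "token-alice")
		h.ServeHTTP(httptest.NewRecorder(), req)
	}
	return keys
}
func main() { fmt.Println(bucketKeys(true), bucketKeys(false)) }
```

With the limiter outermost, the same user lands in a separate per-IP bucket for each address; with the auth middleware outermost, both requests share one per-user bucket.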