jennie/ghostguild-org
1
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions

refactor(rate-limit): delegate auth limiting to handlers, add dev bypass
Some checks failed
Test / playwright (push) Blocked by required conditions
Details
Test / Notify on failure (push) Blocked by required conditions
Details
Test / visual (push) Blocked by required conditions
Details
Test / vitest (push) Has been cancelled
Details

Browse source 
Main's middleware-level auth limiter (5 req / 5 min, IP-only) duplicated
the handler-level limiter introduced earlier on this branch (5/hr IP +
3/hr per-email, blocks email enumeration across IPs). Drop the
middleware version and let the handlers own it.

Added ALLOW_DEV_TEST_ENDPOINTS bypass to the rateLimit utility so
parallel E2E runs from 127.0.0.1 don't exhaust per-IP/email budgets,
mirroring the existing middleware bypass.

Trimmed the obsolete middleware auth test; handler-level coverage lives
in tests/server/api/auth-{login,verify}.test.js. Switched IP-isolation
test to the payment path so it still exercises the limiter.
This commit is contained in:
Jennie Robinson Faber 2026-04-27 19:18:34 +01:00
parent c1367ebd29
commit 4d44e7045c
3 changed files with 13 additions and 44 deletions
Download patch file Download diff file Expand all files Collapse all files

12
server/middleware/03.rate-limit.js
View file

@ -1,12 +1,5 @@
import { RateLimiterMemory } from 'rate-limiter-flexible'
// Strict rate limit for auth endpoints
const authLimiter = new RateLimiterMemory({
points: 5, // 5 requests
duration: 300, // per 5 minutes
keyPrefix: 'rl_auth'
})
// Moderate rate limit for payment endpoints
const paymentLimiter = new RateLimiterMemory({
points: 10,
@ -35,7 +28,6 @@ function getClientIp(event) {
|| 'unknown'
}
const AUTH_PATHS = new Set(['/api/auth/login', '/api/auth/verify'])
const PAYMENT_PREFIXES = ['/api/helcim/']
const UPLOAD_PATHS = new Set(['/api/upload/image'])
@ -51,9 +43,7 @@ export default defineEventHandler(async (event) => {
const ip = getClientIp(event)
try {
if (AUTH_PATHS.has(path)) {
await authLimiter.consume(ip)
} else if (PAYMENT_PREFIXES.some(p => path.startsWith(p))) {
if (PAYMENT_PREFIXES.some(p => path.startsWith(p))) {
await paymentLimiter.consume(ip)
} else if (UPLOAD_PATHS.has(path)) {
await uploadLimiter.consume(ip)

5
server/utils/rateLimit.js
View file

@ -4,6 +4,11 @@
const buckets = new Map()
export function rateLimit(key, { max, windowMs }) {
// Bypass in test/dev opt-in mode so parallel E2E runs from a single IP
// (127.0.0.1) don't exhaust per-IP/email budgets. Mirrors the gate used by
// /api/dev/* endpoints and server/middleware/03.rate-limit.js.
if (process.env.ALLOW_DEV_TEST_ENDPOINTS === 'true') return true
const now = Date.now()
// Probabilistic sweep: ~1% of calls evict keys whose newest entry has fully