Jennie Robinson Faber
4d44e7045c
Main's middleware-level auth limiter (5 req / 5 min, IP-only) duplicated
the handler-level limiter introduced earlier on this branch (5/hr IP +
3/hr per-email, blocks email enumeration across IPs). Drop the
middleware version and let the handlers own it.
Added ALLOW_DEV_TEST_ENDPOINTS bypass to the rateLimit utility so
parallel E2E runs from 127.0.0.1 don't exhaust per-IP/email budgets,
mirroring the existing middleware bypass.
Trimmed the obsolete middleware auth test; handler-level coverage lives
in tests/server/api/auth-{login,verify}.test.js. Switched IP-isolation
test to the payment path so it still exercises the limiter.
36 lines
1.2 KiB
JavaScript
36 lines
1.2 KiB
JavaScript
// Tiny in-memory sliding-window rate limiter.
|
|
// Acceptable for single-instance Nitro on Netlify; swap to Mongo/Upstash if
|
|
// we move to multi-instance.
|
|
const buckets = new Map()
|
|
|
|
export function rateLimit(key, { max, windowMs }) {
|
|
// Bypass in test/dev opt-in mode so parallel E2E runs from a single IP
|
|
// (127.0.0.1) don't exhaust per-IP/email budgets. Mirrors the gate used by
|
|
// /api/dev/* endpoints and server/middleware/03.rate-limit.js.
|
|
if (process.env.ALLOW_DEV_TEST_ENDPOINTS === 'true') return true
|
|
|
|
const now = Date.now()
|
|
|
|
// Probabilistic sweep: ~1% of calls evict keys whose newest entry has fully
|
|
// aged out, so the Map doesn't grow unbounded under random-key spraying.
|
|
if (Math.random() < 0.01) {
|
|
for (const [k, arr] of buckets) {
|
|
const last = arr[arr.length - 1]
|
|
if (last === undefined || now - last >= windowMs) buckets.delete(k)
|
|
}
|
|
}
|
|
|
|
const arr = (buckets.get(key) || []).filter((t) => now - t < windowMs)
|
|
if (arr.length >= max) {
|
|
buckets.set(key, arr)
|
|
return false
|
|
}
|
|
arr.push(now)
|
|
buckets.set(key, arr)
|
|
return true
|
|
}
|
|
|
|
// Test helper — clears all buckets so each test starts clean.
|
|
export function resetRateLimit() {
|
|
buckets.clear()
|
|
}
|