ghostguild-org/server/middleware/03.rate-limit.js

import { RateLimiterMemory } from 'rate-limiter-flexible'

// Moderate rate limit for payment endpoints
const paymentLimiter = new RateLimiterMemory({
  points: 10,
  duration: 60,
  keyPrefix: 'rl_payment'
})

// Light rate limit for upload endpoints
const uploadLimiter = new RateLimiterMemory({
  points: 10,
  duration: 60,
  keyPrefix: 'rl_upload'
})

// General API rate limit
const generalLimiter = new RateLimiterMemory({
  points: 100,
  duration: 60,
  keyPrefix: 'rl_general'
})

function getClientIp(event) {
  return getHeader(event, 'x-forwarded-for')?.split(',')[0]?.trim()
    || getHeader(event, 'x-real-ip')
    || event.node.req.socket.remoteAddress
    || 'unknown'
}

const PAYMENT_PREFIXES = ['/api/helcim/']
const UPLOAD_PATHS = new Set(['/api/upload/image'])

export default defineEventHandler(async (event) => {
  const path = getRequestURL(event).pathname
  if (!path.startsWith('/api/')) return

  // Bypass rate limiting in test/dev opt-in mode so parallel E2E runs from a
  // single IP (127.0.0.1) do not exhaust the per-IP budget. Mirrors the gate
  // used by /api/dev/* endpoints — only set in development and by Playwright.
  if (process.env.ALLOW_DEV_TEST_ENDPOINTS === 'true') return

  const ip = getClientIp(event)

  try {
    if (PAYMENT_PREFIXES.some(p => path.startsWith(p))) {
      await paymentLimiter.consume(ip)
    } else if (UPLOAD_PATHS.has(path)) {
      await uploadLimiter.consume(ip)
    } else {
      await generalLimiter.consume(ip)
    }
  } catch (rateLimiterRes) {
    setHeader(event, 'Retry-After', Math.ceil(rateLimiterRes.msBeforeNext / 1000))
    throw createError({
      statusCode: 429,
      statusMessage: 'Too many requests. Please try again later.'
    })
  }
})