feat(backend): Add tiered rate limiting to auth and escrow creation endpoints#460
Open
jerrymusaga wants to merge 1 commit into
Open
feat(backend): Add tiered rate limiting to auth and escrow creation endpoints#460jerrymusaga wants to merge 1 commit into
jerrymusaga wants to merge 1 commit into
Conversation
…ndpoints
- Register ThrottlerModule globally in AppModule with two named tiers:
default (IP-based, 100 req/min) and user (user ID-based, disabled globally,
activated per endpoint)
- Add VaultixThrottlerGuard (APP_GUARD): IP tracker by default; generateKey
switches to authenticated user ID for the 'user' throttler; always writes
plain Retry-After header on 429; logs violations at warn level
- Auth endpoints: IP-based 5 req/min on challenge + verify (down from 10),
20 req/min on refresh, 10 req/min on logout; skip user throttler via
@SkipThrottle({ user: true }) on AuthController
- POST /escrows: 20 req/min per authenticated user via @Throttle({ user: ... })
- POST /webhooks: 10 req/min per authenticated user; fix misuse of
@UseInterceptors(ThrottlerGuard) → @SkipThrottle/@Throttle pattern
- Remove duplicate ThrottlerModule.forRoot() from AuthModule (now global)
- Rewrite AuthThrottlerGuard to extend VaultixThrottlerGuard
- X-RateLimit-Limit / Remaining / Reset headers set on every response by the
base ThrottlerGuard (no-suffix for 'default'; -user suffix for 'user' tier)
- E2E tests: rate-limit.e2e-spec.ts covers auth, POST /escrows, POST /webhooks,
and GET /escrows with override guards at low limits
- Add docs/RATE_LIMITING.md documenting the policy, headers, and logging
Closes StayLitCodes#400
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Summary
Closes #400
AppModulewith two named tiers:default(IP-based, 100 req/min) anduser(user-ID-based, activated per endpoint via@Throttle)VaultixThrottlerGuard(APP_GUARD): single smart guard that selects IP or user-ID as the bucket key based on the throttler name, writes standardRetry-Afteron 429, and logs violations atwarnlevelPOST /auth/challenge,POST /auth/verify): 5 req/min per IP; refresh 20, logout 10 — all IP-only via@SkipThrottle({ user: true })POST /escrows: 20 req/min per authenticated userPOST /webhooks: 10 req/min per authenticated user; fixes incorrect@UseInterceptors(ThrottlerGuard)usageX-RateLimit-Limit,X-RateLimit-Remaining,X-RateLimit-Reset(with-usersuffix for user throttler)ThrottlerModule.forRoot()fromAuthModuleRate-limit policy
Test plan
tsc --noEmit→ 0 errorspnpm test→ 128/128 pass, 0 regressionstest/e2e/rate-limit.e2e-spec.tscovers 429 + Retry-After for auth, POST /escrows, POST /webhooks, GET /escrowsdocs/RATE_LIMITING.mdadded with full policy, headers, logging infoNODE_ENV=testraises all limits to 10 000 so normal test flows are unaffected