Skip to content

feat(backend): Add tiered rate limiting to auth and escrow creation endpoints#460

Open
jerrymusaga wants to merge 1 commit into
StayLitCodes:mainfrom
jerrymusaga:feat/400-rate-limiting-auth-escrow
Open

feat(backend): Add tiered rate limiting to auth and escrow creation endpoints#460
jerrymusaga wants to merge 1 commit into
StayLitCodes:mainfrom
jerrymusaga:feat/400-rate-limiting-auth-escrow

Conversation

@jerrymusaga

Copy link
Copy Markdown
Contributor

Summary

Closes #400

  • Global ThrottlerModule registered in AppModule with two named tiers: default (IP-based, 100 req/min) and user (user-ID-based, activated per endpoint via @Throttle)
  • VaultixThrottlerGuard (APP_GUARD): single smart guard that selects IP or user-ID as the bucket key based on the throttler name, writes standard Retry-After on 429, and logs violations at warn level
  • Auth endpoints (POST /auth/challenge, POST /auth/verify): 5 req/min per IP; refresh 20, logout 10 — all IP-only via @SkipThrottle({ user: true })
  • POST /escrows: 20 req/min per authenticated user
  • POST /webhooks: 10 req/min per authenticated user; fixes incorrect @UseInterceptors(ThrottlerGuard) usage
  • Response headers on every request: X-RateLimit-Limit, X-RateLimit-Remaining, X-RateLimit-Reset (with -user suffix for user throttler)
  • Removed duplicate ThrottlerModule.forRoot() from AuthModule

Rate-limit policy

Endpoint Method Limit Tracking
GET /* (global) GET 100/min IP
POST /auth/challenge POST 5/min IP
POST /auth/verify POST 5/min IP
POST /auth/refresh POST 20/min IP
POST /auth/logout POST 10/min IP
POST /escrows POST 20/min User ID
POST /webhooks POST 10/min User ID

Test plan

  • TypeScript: tsc --noEmit → 0 errors
  • Unit tests: pnpm test → 128/128 pass, 0 regressions
  • E2E tests: test/e2e/rate-limit.e2e-spec.ts covers 429 + Retry-After for auth, POST /escrows, POST /webhooks, GET /escrows
  • Docs: docs/RATE_LIMITING.md added with full policy, headers, logging info
  • NODE_ENV=test raises all limits to 10 000 so normal test flows are unaffected

…ndpoints

- Register ThrottlerModule globally in AppModule with two named tiers:
    default (IP-based, 100 req/min) and user (user ID-based, disabled globally,
    activated per endpoint)
- Add VaultixThrottlerGuard (APP_GUARD): IP tracker by default; generateKey
  switches to authenticated user ID for the 'user' throttler; always writes
  plain Retry-After header on 429; logs violations at warn level
- Auth endpoints: IP-based 5 req/min on challenge + verify (down from 10),
  20 req/min on refresh, 10 req/min on logout; skip user throttler via
  @SkipThrottle({ user: true }) on AuthController
- POST /escrows: 20 req/min per authenticated user via @Throttle({ user: ... })
- POST /webhooks: 10 req/min per authenticated user; fix misuse of
  @UseInterceptors(ThrottlerGuard) → @SkipThrottle/@Throttle pattern
- Remove duplicate ThrottlerModule.forRoot() from AuthModule (now global)
- Rewrite AuthThrottlerGuard to extend VaultixThrottlerGuard
- X-RateLimit-Limit / Remaining / Reset headers set on every response by the
  base ThrottlerGuard (no-suffix for 'default'; -user suffix for 'user' tier)
- E2E tests: rate-limit.e2e-spec.ts covers auth, POST /escrows, POST /webhooks,
  and GET /escrows with override guards at low limits
- Add docs/RATE_LIMITING.md documenting the policy, headers, and logging

Closes StayLitCodes#400
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

feat(backend): Add rate limiting to auth and escrow creation endpoints

1 participant