src/lib/rate-limit.ts

import { redis } from '@/lib/redis';

export interface RateLimitConfig {
  /** Duration of the sliding window in milliseconds. */
  windowMs: number;
  /** Maximum number of requests allowed per window. */
  max: number;
  /** Redis key prefix distinguishing different limit types. */
  keyPrefix: string;
}

export interface RateLimitResult {
  allowed: boolean;
  limit: number;
  remaining: number;
  /** Unix timestamp (ms) at which the oldest entry in the window expires. */
  resetAt: number;
}

/**
 * Redis sliding-window rate limiter.
 *
 * Uses a sorted set per identifier where each member is a unique request
 * timestamp. Old entries outside the window are pruned on each call.
 */
export async function checkRateLimit(
  identifier: string,
  config: RateLimitConfig,
): Promise<RateLimitResult> {
  const key = `rl:${config.keyPrefix}:${identifier}`;
  const now = Date.now();
  const windowStart = now - config.windowMs;

  const pipeline = redis.pipeline();
  // Remove entries older than the window.
  pipeline.zremrangebyscore(key, '-inf', windowStart);
  // Record this request; score = timestamp, member adds randomness for uniqueness.
  pipeline.zadd(key, now, `${now}:${Math.random().toString(36).slice(2)}`);
  // Count entries currently in the window.
  pipeline.zcard(key);
  // Expire the key after one full window so Redis doesn't accumulate stale keys.
  pipeline.pexpire(key, config.windowMs);

  const results = await pipeline.exec();

  const count = (results?.[2]?.[1] as number) ?? 0;
  const remaining = Math.max(0, config.max - count);

  return {
    allowed: count <= config.max,
    limit: config.max,
    remaining,
    resetAt: now + config.windowMs,
  };
}

/**
 * Returns standard rate-limit response headers from a RateLimitResult.
 */
export function rateLimitHeaders(result: RateLimitResult): Record<string, string> {
  return {
    'X-RateLimit-Limit': result.limit.toString(),
    'X-RateLimit-Remaining': result.remaining.toString(),
    'X-RateLimit-Reset': Math.ceil(result.resetAt / 1000).toString(),
  };
}

/**
 * Pre-configured rate limiters matching SECURITY-GUIDELINES.md §6.1.
 */
export const rateLimiters = {
  /** Auth endpoints: 5 attempts per 15 minutes per identifier. */
  auth: { windowMs: 15 * 60 * 1000, max: 5, keyPrefix: 'auth' },
  /** Authenticated API: 120 requests per minute. */
  api: { windowMs: 60 * 1000, max: 120, keyPrefix: 'api' },
  /** File uploads: 10 per minute. */
  upload: { windowMs: 60 * 1000, max: 10, keyPrefix: 'upload' },
  /** Bulk operations: 5 per minute. */
  bulk: { windowMs: 60 * 1000, max: 5, keyPrefix: 'bulk' },
  /** Hard-delete code requests: 5 per hour per user. Each request emails
   *  a fresh code; without the cap a compromised admin account could
   *  email-bomb the operator's inbox or use the endpoint as a client-id
   *  oracle. */
  hardDeleteCode: { windowMs: 60 * 60 * 1000, max: 5, keyPrefix: 'hard-delete-code' },
  /** Inbound webhook with bad secret: 10 attempts per 15 minutes per IP.
   *  Real webhooks won't fail the secret check, so any traffic here is
   *  enumeration / brute-force. Block beyond the cap with a 429. */
  webhookBadSecret: { windowMs: 15 * 60 * 1000, max: 10, keyPrefix: 'wh-bad-secret' },
  /** Receipt scanner: 10 OCR runs per minute per user. */
  ocr: { windowMs: 60 * 1000, max: 10, keyPrefix: 'ocr' },
  /** Server-side AI calls (summary, embeddings, etc): 60 per minute per user. */
  ai: { windowMs: 60 * 1000, max: 60, keyPrefix: 'ai' },
  /** Data exports (GDPR bundle, PDF, CSV): 30 per hour per user. */
  exports: { windowMs: 60 * 60 * 1000, max: 30, keyPrefix: 'export' },
  /** Public unauthenticated form posts (interest, residential inquiry): 5 per hour per IP. */
  publicForm: { windowMs: 60 * 60 * 1000, max: 5, keyPrefix: 'publicform' },
  /** Server-to-server intake from the marketing website's dual-write helper.
   *  All traffic shares the website's egress IP, so the bucket has to
   *  accommodate every legitimate inquiry the site can produce in an hour
   *  without dropping data. The shared-secret header gates abuse; this
   *  limiter is just a defensive backstop in case the secret leaks. */
  websiteIntake: { windowMs: 60 * 60 * 1000, max: 500, keyPrefix: 'websiteintake' },
  /** Portal sign-in: 5 attempts per 15min per (ip,email) bucket. Defends
   *  against credential stuffing on /api/portal/auth/sign-in. */
  portalSignIn: { windowMs: 15 * 60 * 1000, max: 5, keyPrefix: 'portal:signin' },
  /** Portal forgot-password: 3/hour/IP. Tighter than sign-in because it
   *  triggers an outbound email and is the primary email-enumeration
   *  vector (timing differences between known/unknown). */
  portalForgot: { windowMs: 60 * 60 * 1000, max: 3, keyPrefix: 'portal:forgot' },
  /** Portal activate / reset / set-password: 10/hour/IP. Bounds brute-
   *  force against the 32-byte token (random walk math is in our favour
   *  but a tight ceiling keeps the search space practically infeasible). */
  portalToken: { windowMs: 60 * 60 * 1000, max: 10, keyPrefix: 'portal:token' },
} as const satisfies Record<string, RateLimitConfig>;

export type RateLimiterName = keyof typeof rateLimiters;
Initial commit: Port Nimara CRM (Layers 0-4) Full CRM rebuild with Next.js 15, TypeScript, Tailwind, Drizzle ORM, PostgreSQL, Redis, BullMQ, MinIO, and Socket.io. Includes 461 source files covering clients, berths, interests/pipeline, documents/EOI, expenses/invoices, email, notifications, dashboard, admin, and client portal. CI/CD via Gitea Actions with Docker builds. Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com> 2026-03-26 11:52:51 +01:00			`import { redis } from '@/lib/redis';`

			`export interface RateLimitConfig {`
			`/** Duration of the sliding window in milliseconds. */`
			`windowMs: number;`
			`/** Maximum number of requests allowed per window. */`
			`max: number;`
			`/** Redis key prefix distinguishing different limit types. */`
			`keyPrefix: string;`
			`}`

			`export interface RateLimitResult {`
			`allowed: boolean;`
			`limit: number;`
			`remaining: number;`
			`/** Unix timestamp (ms) at which the oldest entry in the window expires. */`
			`resetAt: number;`
			`}`

			`/**`
			`* Redis sliding-window rate limiter.`
			`*`
			`* Uses a sorted set per identifier where each member is a unique request`
			`* timestamp. Old entries outside the window are pruned on each call.`
			`*/`
			`export async function checkRateLimit(`
			`identifier: string,`
			`config: RateLimitConfig,`
			`): Promise<RateLimitResult> {`
			const key = `rl:${config.keyPrefix}:${identifier}`;
			`const now = Date.now();`
			`const windowStart = now - config.windowMs;`

			`const pipeline = redis.pipeline();`
			`// Remove entries older than the window.`
			`pipeline.zremrangebyscore(key, '-inf', windowStart);`
			`// Record this request; score = timestamp, member adds randomness for uniqueness.`
			pipeline.zadd(key, now, `${now}:${Math.random().toString(36).slice(2)}`);
			`// Count entries currently in the window.`
			`pipeline.zcard(key);`
			`// Expire the key after one full window so Redis doesn't accumulate stale keys.`
			`pipeline.pexpire(key, config.windowMs);`

			`const results = await pipeline.exec();`

			`const count = (results?.[2]?.[1] as number) ?? 0;`
			`const remaining = Math.max(0, config.max - count);`

			`return {`
			`allowed: count <= config.max,`
			`limit: config.max,`
			`remaining,`
			`resetAt: now + config.windowMs,`
			`};`
			`}`

			`/**`
			`* Returns standard rate-limit response headers from a RateLimitResult.`
			`*/`
			`export function rateLimitHeaders(result: RateLimitResult): Record<string, string> {`
			`return {`
			`'X-RateLimit-Limit': result.limit.toString(),`
			`'X-RateLimit-Remaining': result.remaining.toString(),`
			`'X-RateLimit-Reset': Math.ceil(result.resetAt / 1000).toString(),`
			`};`
			`}`

			`/**`
			`* Pre-configured rate limiters matching SECURITY-GUIDELINES.md §6.1.`
			`*/`
			`export const rateLimiters = {`
			`/** Auth endpoints: 5 attempts per 15 minutes per identifier. */`
			`auth: { windowMs: 15 * 60 * 1000, max: 5, keyPrefix: 'auth' },`
			`/** Authenticated API: 120 requests per minute. */`
			`api: { windowMs: 60 * 1000, max: 120, keyPrefix: 'api' },`
			`/** File uploads: 10 per minute. */`
			`upload: { windowMs: 60 * 1000, max: 10, keyPrefix: 'upload' },`
			`/** Bulk operations: 5 per minute. */`
			`bulk: { windowMs: 60 * 1000, max: 5, keyPrefix: 'bulk' },`
fix(audit): security HIGHs — rate-limit hard-delete codes, collapse error msgs, doc bad-secret per-IP H1: hard-delete-request and bulk-hard-delete-request endpoints had no rate limit; an admin's compromised account could email-bomb the operator's inbox or use the endpoints as a client-id oracle. Added a new `hardDeleteCode` limiter (5 per hour per user). H3: hard-delete error messages distinguished "no code requested" from "wrong code", letting an attacker brute-force the 4-digit space with ~5k attempts (vs the full 10k). Both single + bulk paths now return the same 'Invalid or expired confirmation code' message. H5: invalid Documenso webhook secret submissions are now rate-limited per-IP (10 per 15min) and only audit-logged inside the cap, so a slow enumeration can't fill the audit log silently. Real Documenso traffic won't fail the secret check, so any traffic beyond the cap is brute-force. 1175/1175 vitest passing. Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com> 2026-05-06 22:06:40 +02:00			`/** Hard-delete code requests: 5 per hour per user. Each request emails`
			`* a fresh code; without the cap a compromised admin account could`
			`* email-bomb the operator's inbox or use the endpoint as a client-id`
			`* oracle. */`
			`hardDeleteCode: { windowMs: 60 * 60 * 1000, max: 5, keyPrefix: 'hard-delete-code' },`
			`/** Inbound webhook with bad secret: 10 attempts per 15 minutes per IP.`
			`* Real webhooks won't fail the secret check, so any traffic here is`
			`* enumeration / brute-force. Block beyond the cap with a 429. */`
			`webhookBadSecret: { windowMs: 15 * 60 * 1000, max: 10, keyPrefix: 'wh-bad-secret' },`
feat(rate-limit): per-user limiters for OCR, AI, and exports Adds three named rate limiters to the existing Redis sliding-window catalog and a withRateLimit wrapper that composes inside withAuth. Wires the OCR limiter into the receipt-scan endpoint so a runaway client can't burn through the AI budget in a tight loop. - ocr: 10/min/user - ai: 60/min/user (reserved for future server-side AI surfaces) - exports: 30/hour/user (reserved for GDPR bundle, PDF, CSV exports) 429 responses include X-RateLimit-* headers and a Retry-After hint. Tests: 771/771 vitest (was 766) — +5 rate-limit tests covering catalog shape, sliding window, cross-prefix isolation, cross-user isolation, and resetAt timestamp. Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com> 2026-04-28 19:56:01 +02:00			`/** Receipt scanner: 10 OCR runs per minute per user. */`
			`ocr: { windowMs: 60 * 1000, max: 10, keyPrefix: 'ocr' },`
			`/** Server-side AI calls (summary, embeddings, etc): 60 per minute per user. */`
			`ai: { windowMs: 60 * 1000, max: 60, keyPrefix: 'ai' },`
			`/** Data exports (GDPR bundle, PDF, CSV): 30 per hour per user. */`
			`exports: { windowMs: 60 * 60 * 1000, max: 30, keyPrefix: 'export' },`
chore(hardening): maintenance jobs, defense-in-depth, redis-backed public rate limit - maintenance worker now expires GDPR export bundles (db row + MinIO object) on the gdpr_exports.expires_at boundary, plus 90-day retention sweep on ai_usage_ledger; both jobs scheduled daily. - portId scoping added to listClientRelationships and listClientExports (defense-in-depth — parent-resource gates already prevent cross-tenant reads, but service layer should enforce on its own). - SELECT FOR UPDATE on parent client/company row inside add/update address transactions to serialize concurrent isPrimary toggles. - public /interests + /residential-inquiries endpoints swap their in-memory ipHits maps for the redis sliding-window limiter via the new rateLimiters.publicForm config (5/hr/IP), so the cap survives restarts and is shared across worker processes. Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com> 2026-04-29 01:52:41 +02:00			`/** Public unauthenticated form posts (interest, residential inquiry): 5 per hour per IP. */`
			`publicForm: { windowMs: 60 * 60 * 1000, max: 5, keyPrefix: 'publicform' },`
feat(website-intake): dual-write endpoint + migration chain repair Adds website_submissions table + shared-secret POST endpoint so the marketing site can dual-write inquiries alongside its NocoDB write. Race-safe via INSERT ... ON CONFLICT, idempotent on submission_id, refuses every request when WEBSITE_INTAKE_SECRET is unset. Also repairs pre-existing 0020/0021/0022 prevId collision (renumbered + journal re-sorted) so db:generate works again. 11 unit tests. Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com> 2026-05-04 22:52:33 +02:00			`/** Server-to-server intake from the marketing website's dual-write helper.`
			`* All traffic shares the website's egress IP, so the bucket has to`
			`* accommodate every legitimate inquiry the site can produce in an hour`
			`* without dropping data. The shared-secret header gates abuse; this`
			`* limiter is just a defensive backstop in case the secret leaks. */`
			`websiteIntake: { windowMs: 60 * 60 * 1000, max: 500, keyPrefix: 'websiteintake' },`
fix(security): tier-0 audit blockers (next CVE, role gate, perm traps, key validation, rate limits) Closes the five highest-risk findings from docs/audit-comprehensive-2026-05-05.md so the platform is not exposed while the rest of the audit backlog (1 CRIT + 18 HIGH + 32 MED + 23 LOW) is worked through: * CVE-2025-29927 — bump next 15.1.0 → 15.2.9; nginx strips X-Middleware-Subrequest at the edge as defense-in-depth. * Cross-tenant role escalation — POST/PATCH/DELETE on /admin/roles now require super-admin (was: any holder of admin.manage_users). Adds shared `requireSuperAdmin(ctx)` helper. * Silent-403 traps — `documents.edit` and `files.edit` keys added to RolePermissions; seeded role values updated; migration 0041 backfills the new keys on every existing roles+port_role_overrides JSONB. File routes remap the dead `create` action to `upload` / `manage_folders`. * Berth-PDF / brochure register endpoints — reject body.storageKey unless it matches the namespace the matching presign endpoint issued (prevents repointing a tenant's PDF at foreign-port bytes). * Portal auth rate limits — sign-in 5/15min/(ip,email), forgot-password 3/hr/IP, activate/reset/set-password 10/hr/IP. Adds `enforcePublicRateLimit()` for non-`withAuth` routes. Test status unchanged: 1168/1168 vitest, tsc clean. Refs: docs/audit-comprehensive-2026-05-05.md (CRITICAL, HIGH §§1–4) Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com> 2026-05-05 18:33:13 +02:00			`/** Portal sign-in: 5 attempts per 15min per (ip,email) bucket. Defends`
			`* against credential stuffing on /api/portal/auth/sign-in. */`
			`portalSignIn: { windowMs: 15 * 60 * 1000, max: 5, keyPrefix: 'portal:signin' },`
			`/** Portal forgot-password: 3/hour/IP. Tighter than sign-in because it`
			`* triggers an outbound email and is the primary email-enumeration`
			`* vector (timing differences between known/unknown). */`
			`portalForgot: { windowMs: 60 * 60 * 1000, max: 3, keyPrefix: 'portal:forgot' },`
			`/** Portal activate / reset / set-password: 10/hour/IP. Bounds brute-`
			`* force against the 32-byte token (random walk math is in our favour`
			`* but a tight ceiling keeps the search space practically infeasible). */`
			`portalToken: { windowMs: 60 * 60 * 1000, max: 10, keyPrefix: 'portal:token' },`
Initial commit: Port Nimara CRM (Layers 0-4) Full CRM rebuild with Next.js 15, TypeScript, Tailwind, Drizzle ORM, PostgreSQL, Redis, BullMQ, MinIO, and Socket.io. Includes 461 source files covering clients, berths, interests/pipeline, documents/EOI, expenses/invoices, email, notifications, dashboard, admin, and client portal. CI/CD via Gitea Actions with Docker builds. Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com> 2026-03-26 11:52:51 +01:00			`} as const satisfies Record<string, RateLimitConfig>;`
feat(rate-limit): per-user limiters for OCR, AI, and exports Adds three named rate limiters to the existing Redis sliding-window catalog and a withRateLimit wrapper that composes inside withAuth. Wires the OCR limiter into the receipt-scan endpoint so a runaway client can't burn through the AI budget in a tight loop. - ocr: 10/min/user - ai: 60/min/user (reserved for future server-side AI surfaces) - exports: 30/hour/user (reserved for GDPR bundle, PDF, CSV exports) 429 responses include X-RateLimit-* headers and a Retry-After hint. Tests: 771/771 vitest (was 766) — +5 rate-limit tests covering catalog shape, sliding window, cross-prefix isolation, cross-user isolation, and resetAt timestamp. Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com> 2026-04-28 19:56:01 +02:00
			`export type RateLimiterName = keyof typeof rateLimiters;`