src/lib/rate-limit.ts

import { redis } from '@/lib/redis';

export interface RateLimitConfig {
  /** Duration of the sliding window in milliseconds. */
  windowMs: number;
  /** Maximum number of requests allowed per window. */
  max: number;
  /** Redis key prefix distinguishing different limit types. */
  keyPrefix: string;
}

export interface RateLimitResult {
  allowed: boolean;
  limit: number;
  remaining: number;
  /** Unix timestamp (ms) at which the oldest entry in the window expires. */
  resetAt: number;
}

/**
 * Redis sliding-window rate limiter.
 *
 * Uses a sorted set per identifier where each member is a unique request
 * timestamp. Old entries outside the window are pruned on each call.
 */
export async function checkRateLimit(
  identifier: string,
  config: RateLimitConfig,
): Promise<RateLimitResult> {
  const key = `rl:${config.keyPrefix}:${identifier}`;
  const now = Date.now();
  const windowStart = now - config.windowMs;

  const pipeline = redis.pipeline();
  // Remove entries older than the window.
  pipeline.zremrangebyscore(key, '-inf', windowStart);
  // Record this request; score = timestamp, member adds randomness for uniqueness.
  pipeline.zadd(key, now, `${now}:${Math.random().toString(36).slice(2)}`);
  // Count entries currently in the window.
  pipeline.zcard(key);
  // Expire the key after one full window so Redis doesn't accumulate stale keys.
  pipeline.pexpire(key, config.windowMs);

  const results = await pipeline.exec();

  const count = (results?.[2]?.[1] as number) ?? 0;
  const remaining = Math.max(0, config.max - count);

  return {
    allowed: count <= config.max,
    limit: config.max,
    remaining,
    resetAt: now + config.windowMs,
  };
}

/**
 * Returns standard rate-limit response headers from a RateLimitResult.
 */
export function rateLimitHeaders(result: RateLimitResult): Record<string, string> {
  return {
    'X-RateLimit-Limit': result.limit.toString(),
    'X-RateLimit-Remaining': result.remaining.toString(),
    'X-RateLimit-Reset': Math.ceil(result.resetAt / 1000).toString(),
  };
}

/**
 * Pre-configured rate limiters matching SECURITY-GUIDELINES.md §6.1.
 */
export const rateLimiters = {
  /** Auth endpoints: 5 attempts per 15 minutes per identifier. */
  auth: { windowMs: 15 * 60 * 1000, max: 5, keyPrefix: 'auth' },
  /** Authenticated API: 120 requests per minute. */
  api: { windowMs: 60 * 1000, max: 120, keyPrefix: 'api' },
  /** File uploads: 10 per minute. */
  upload: { windowMs: 60 * 1000, max: 10, keyPrefix: 'upload' },
  /** Bulk operations: 5 per minute. */
  bulk: { windowMs: 60 * 1000, max: 5, keyPrefix: 'bulk' },
} as const satisfies Record<string, RateLimitConfig>;
Initial commit: Port Nimara CRM (Layers 0-4) Full CRM rebuild with Next.js 15, TypeScript, Tailwind, Drizzle ORM, PostgreSQL, Redis, BullMQ, MinIO, and Socket.io. Includes 461 source files covering clients, berths, interests/pipeline, documents/EOI, expenses/invoices, email, notifications, dashboard, admin, and client portal. CI/CD via Gitea Actions with Docker builds. Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com> 2026-03-26 11:52:51 +01:00			`import { redis } from '@/lib/redis';`

			`export interface RateLimitConfig {`
			`/** Duration of the sliding window in milliseconds. */`
			`windowMs: number;`
			`/** Maximum number of requests allowed per window. */`
			`max: number;`
			`/** Redis key prefix distinguishing different limit types. */`
			`keyPrefix: string;`
			`}`

			`export interface RateLimitResult {`
			`allowed: boolean;`
			`limit: number;`
			`remaining: number;`
			`/** Unix timestamp (ms) at which the oldest entry in the window expires. */`
			`resetAt: number;`
			`}`

			`/**`
			`* Redis sliding-window rate limiter.`
			`*`
			`* Uses a sorted set per identifier where each member is a unique request`
			`* timestamp. Old entries outside the window are pruned on each call.`
			`*/`
			`export async function checkRateLimit(`
			`identifier: string,`
			`config: RateLimitConfig,`
			`): Promise<RateLimitResult> {`
			const key = `rl:${config.keyPrefix}:${identifier}`;
			`const now = Date.now();`
			`const windowStart = now - config.windowMs;`

			`const pipeline = redis.pipeline();`
			`// Remove entries older than the window.`
			`pipeline.zremrangebyscore(key, '-inf', windowStart);`
			`// Record this request; score = timestamp, member adds randomness for uniqueness.`
			pipeline.zadd(key, now, `${now}:${Math.random().toString(36).slice(2)}`);
			`// Count entries currently in the window.`
			`pipeline.zcard(key);`
			`// Expire the key after one full window so Redis doesn't accumulate stale keys.`
			`pipeline.pexpire(key, config.windowMs);`

			`const results = await pipeline.exec();`

			`const count = (results?.[2]?.[1] as number) ?? 0;`
			`const remaining = Math.max(0, config.max - count);`

			`return {`
			`allowed: count <= config.max,`
			`limit: config.max,`
			`remaining,`
			`resetAt: now + config.windowMs,`
			`};`
			`}`

			`/**`
			`* Returns standard rate-limit response headers from a RateLimitResult.`
			`*/`
			`export function rateLimitHeaders(result: RateLimitResult): Record<string, string> {`
			`return {`
			`'X-RateLimit-Limit': result.limit.toString(),`
			`'X-RateLimit-Remaining': result.remaining.toString(),`
			`'X-RateLimit-Reset': Math.ceil(result.resetAt / 1000).toString(),`
			`};`
			`}`

			`/**`
			`* Pre-configured rate limiters matching SECURITY-GUIDELINES.md §6.1.`
			`*/`
			`export const rateLimiters = {`
			`/** Auth endpoints: 5 attempts per 15 minutes per identifier. */`
			`auth: { windowMs: 15 * 60 * 1000, max: 5, keyPrefix: 'auth' },`
			`/** Authenticated API: 120 requests per minute. */`
			`api: { windowMs: 60 * 1000, max: 120, keyPrefix: 'api' },`
			`/** File uploads: 10 per minute. */`
			`upload: { windowMs: 60 * 1000, max: 10, keyPrefix: 'upload' },`
			`/** Bulk operations: 5 per minute. */`
			`bulk: { windowMs: 60 * 1000, max: 5, keyPrefix: 'bulk' },`
			`} as const satisfies Record<string, RateLimitConfig>;`