Merge pull request #229 from petersdt/feat/api-rate-limiting

feat: add rate limiting to API routes using edge middleware and lru-c…

Author: Baskarayelu

README.md

@@ -415,6 +415,16 @@ MIT
 
 - This repository contains an OpenAPI descriptor for the current v1 API at `openapi.yaml` (root). The `servers` entry points to the `/api/v1` base path. Update `openapi.yaml` as you add endpoints.
 
+**Rate Limiting**
+
+- All `/api/*` routes are protected by a global rate limiter using in-memory `lru-cache`.
+- **Limits (per IP/session):**
+  - **Auth endpoints (`/api/auth/*`)**: 10 requests per minute
+  - **Write endpoints (`POST`, `PUT`, `DELETE`, `PATCH`)**: 50 requests per minute
+  - **General read endpoints (`GET`)**: 100 requests per minute
+- **Whitelisted routes**: `/api/health` is exempt from rate limiting to ensure uptime monitoring is not blocked.
+- **Behavior**: When a limit is exceeded, the server responds with a `429 Too Many Requests` status code and a `Retry-After` header indicating the number of seconds until the rate limit resets. Rate limit information is also provided in the response headers (`X-RateLimit-Limit`, `X-RateLimit-Remaining`, `X-RateLimit-Reset`).
+
 **Non-breaking guarantee**
 
 - To meet the repository's backward-compatibility requirement, we keep `/api/*` behavior unchanged by rewriting it to `/api/v1/*`. This preserves compatibility for existing consumers.

app/api/auth/login/route.ts

@@ -1,6 +1,21 @@
 import { NextResponse } from 'next/server';
 import { Keypair } from '@stellar/stellar-sdk';
 import { getAndClearNonce } from '@/lib/auth-cache';
+import {
+  createSession,
+  getSessionCookieHeader,
+} from '../../../../lib/session';
+
+export const dynamic = 'force-dynamic';
+
+/**
+ * Wallet-based auth flow:
+ * 1. Frontend: user connects wallet (e.g. Freighter), gets address.
+ * 2. Frontend: build a nonce message (e.g. "Sign in to Remitwise at {timestamp}").
+ * 3. Frontend: sign message with wallet
+ * 4. Frontend: POST /api/auth/login with { address, signature }
+ * 5. Backend: verify with Keypair using stored server memory nonce; create encrypted session cookie.
+ */
 
 export async function POST(request: Request) {
   try {
@@ -42,11 +57,22 @@ export async function POST(request: Request) {
       );
     }
 
-    const response = NextResponse.json({ success: true, token: 'mock-session-token' });
-    response.cookies.set('session', 'mock-session-cookie', { httpOnly: true, path: '/' });
-    return response;
+    const sealed = await createSession(address);
+    const cookieHeader = getSessionCookieHeader(sealed);
+
+    return new Response(
+      JSON.stringify({ ok: true, address }),
+      {
+        status: 200,
+        headers: {
+          'Content-Type': 'application/json',
+          'Set-Cookie': cookieHeader,
+        },
+      }
+    );
 
-  } catch {
-    return NextResponse.json({ error: 'Bad Request' }, { status: 400 });
+  } catch (err) {
+    console.error('Login error:', err);
+    return NextResponse.json({ error: 'Internal server error' }, { status: 500 });
   }
 }

middleware.ts

@@ -0,0 +1,115 @@
+import { NextResponse } from 'next/server';
+import type { NextRequest } from 'next/server';
+import { LRUCache } from 'lru-cache';
+
+// Configuration for Rate Limiting Limits
+const RATE_LIMITS = {
+    auth: 10,     // 10 req/min for /api/auth/*
+    write: 50,    // 50 req/min for POST/PUT/DELETE /api/*
+    general: 100, // 100 req/min for GET /api/*
+};
+
+// Rate limiting cache: max 10,000 IPs, items expire in 1 minute
+const rateLimitCache = new LRUCache<string, { count: number; expiresAt: number }>({
+    max: 10000,
+    ttl: 60 * 1000, // 1 minute
+});
+
+export function middleware(request: NextRequest) {
+    const { pathname } = request.nextUrl;
+
+    // Extract IP or fallback for key
+    const forwardedFor = request.headers.get('x-forwarded-for');
+    let ip = '127.0.0.1';
+    if (forwardedFor) {
+        ip = forwardedFor.split(',')[0].trim();
+    } else {
+        // Fallback for local dev or when header is missing
+        const remoteAddr = request.headers.get('x-real-ip');
+        if (remoteAddr) {
+            ip = remoteAddr;
+        }
+    }
+
+    // 0. Whitelist test environments (Playwright E2E)
+    if (
+        request.headers.get('x-playwright-test') === 'true' &&
+        process.env.NODE_ENV !== 'production'
+    ) {
+        return NextResponse.next();
+    }
+
+    // 1. Whitelist Health Check
+    if (pathname === '/api/health' || pathname.startsWith('/api/health/')) {
+        return NextResponse.next();
+    }
+
+    // Determine Rate Limit based on route & method
+    let limit = RATE_LIMITS.general;
+
+    if (pathname.startsWith('/api/auth/')) {
+        limit = RATE_LIMITS.auth;
+    } else if (['POST', 'PUT', 'DELETE', 'PATCH'].includes(request.method)) {
+        limit = RATE_LIMITS.write;
+    }
+
+    // Construct Cache Key
+    // e.g., '127.0.0.1:/api/auth' (grouping auth limits separately if desired, 
+    // but let's just do by IP + limit Type to be safe, or just IP.
+    // Standard is usually just "IP:auth", "IP:write", "IP:general")
+    let limitType = 'general';
+    if (pathname.startsWith('/api/auth/')) {
+        limitType = 'auth';
+    } else if (['POST', 'PUT', 'DELETE', 'PATCH'].includes(request.method)) {
+        limitType = 'write';
+    }
+
+    const cacheKey = `${ip}:${limitType}`;
+
+    // Check and update cache
+    const now = Date.now();
+    const tokenRecord = rateLimitCache.get(cacheKey) || { count: 0, expiresAt: now + 60000 };
+
+    if (now > tokenRecord.expiresAt) {
+        tokenRecord.count = 0;
+        tokenRecord.expiresAt = now + 60000;
+    }
+
+    tokenRecord.count += 1;
+    rateLimitCache.set(cacheKey, tokenRecord);
+
+    if (tokenRecord.count > limit) {
+        // Exceeded limit
+        const retryAfter = Math.ceil((tokenRecord.expiresAt - now) / 1000).toString();
+
+        return new NextResponse(
+            JSON.stringify({
+                error: 'Too Many Requests',
+                message: 'Rate limit exceeded.',
+            }),
+            {
+                status: 429,
+                headers: {
+                    'Content-Type': 'application/json',
+                    'Retry-After': retryAfter,
+                    'X-RateLimit-Limit': limit.toString(),
+                    'X-RateLimit-Remaining': '0',
+                    'X-RateLimit-Reset': tokenRecord.expiresAt.toString(),
+                },
+            }
+        );
+    }
+
+    // Allow Request
+    const response = NextResponse.next();
+    response.headers.set('X-RateLimit-Limit', limit.toString());
+    response.headers.set('X-RateLimit-Remaining', (limit - tokenRecord.count).toString());
+    response.headers.set('X-RateLimit-Reset', tokenRecord.expiresAt.toString());
+
+    return response;
+}
+
+// Config ensures middleware only runs on API routes
+export const config = {
+    matcher: '/api/:path*',
+};