feat: rate-limit

Author: izadoesdev

apps/api/package.json

@@ -19,10 +19,12 @@
     "@logtail/edge": "^0.5.5",
     "@openrouter/ai-sdk-provider": "^1.1.2",
     "@trpc/server": "^11.5.0",
-    "ai": "^5.0.23",
+    "@upstash/ratelimit": "^2.0.6",
+    "ai": "^5.0.27",
     "autumn-js": "^0.1.20",
     "dayjs": "^1.11.13",
     "elysia": "^1.3.20",
-    "jszip": "^3.10.1"
+    "jszip": "^3.10.1",
+    "pino-pretty": "^13.1.1"
   }
 }

apps/api/src/lib/logger.ts

@@ -1,14 +1,28 @@
-import { Logtail } from '@logtail/edge';
+// import { Logtail } from '@logtail/edge';
 
-const token = process.env.LOGTAIL_SOURCE_TOKEN as string;
-const endpoint = process.env.LOGTAIL_ENDPOINT as string;
+// const token = process.env.LOGTAIL_SOURCE_TOKEN as string;
+// const endpoint = process.env.LOGTAIL_ENDPOINT as string;
 
-if (!(token && endpoint)) {
-	console.log('LOGTAIL_SOURCE_TOKEN and LOGTAIL_ENDPOINT must be set');
-}
+// if (!(token && endpoint)) {
+// 	console.log('LOGTAIL_SOURCE_TOKEN and LOGTAIL_ENDPOINT must be set');
+// }
 
-export const logger = new Logtail(token, {
-	endpoint,
-	batchSize: 10,
-	batchInterval: 1000,
+// export const logger = new Logtail(token, {
+// 	endpoint,
+// 	batchSize: 10,
+// 	batchInterval: 1000,
+// });
+
+import { pino } from 'pino';
+
+const logger = pino({
+	level: 'debug',
+	transport: {
+		target: 'pino-pretty',
+		options: {
+			colorize: true,
+		},
+	},
 });
+
+export { logger };

apps/api/src/lib/rate-limit.ts

@@ -0,0 +1,204 @@
+import { Ratelimit } from '@upstash/ratelimit';
+import { Redis } from '@upstash/redis';
+
+export const RATE_LIMIT_CONFIGS = {
+	public: { requests: 100, window: '1 m' },
+	api: { requests: 200, window: '1 m' },
+	auth: { requests: 30, window: '1 m' },
+	expensive: { requests: 30, window: '1 m' },
+	admin: { requests: 500, window: '1 m' },
+} as const;
+
+export type RateLimitType = keyof typeof RATE_LIMIT_CONFIGS;
+
+export interface RateLimitOptions {
+	type: RateLimitType;
+	identifier?: string;
+	skipAuth?: boolean;
+	customConfig?: { requests: number; window: string };
+	rate?: number;
+}
+
+export interface RateLimitResult {
+	success: boolean;
+	limit: number;
+	remaining: number;
+	reset: Date;
+}
+
+let redisClient: Redis;
+
+const rateLimiterCache = new Map<string, Ratelimit>();
+const ephemeralCache = new Map<string, number>();
+const inMemoryLimits = new Map<string, { count: number; resetTime: number }>();
+
+// Plan-based rate limiters matching pricing tiers
+const redis = Redis.fromEnv();
+
+export const ratelimit = {
+	free: new Ratelimit({
+		redis,
+		analytics: true,
+		prefix: 'ratelimit:free',
+		limiter: Ratelimit.slidingWindow(50, '10s'),
+	}),
+	hobby: new Ratelimit({
+		redis,
+		analytics: true,
+		prefix: 'ratelimit:hobby',
+		limiter: Ratelimit.slidingWindow(100, '10s'),
+	}),
+	pro: new Ratelimit({
+		redis,
+		analytics: true,
+		prefix: 'ratelimit:pro',
+		limiter: Ratelimit.slidingWindow(200, '10s'),
+	}),
+	scale: new Ratelimit({
+		redis,
+		analytics: true,
+		prefix: 'ratelimit:scale',
+		limiter: Ratelimit.slidingWindow(500, '10s'),
+	}),
+};
+
+function getRedisClient(): Redis | null {
+	if (
+		!redisClient &&
+		process.env.UPSTASH_REDIS_REST_URL &&
+		process.env.UPSTASH_REDIS_REST_TOKEN
+	) {
+		try {
+			redisClient = redis; // Use the same Redis instance
+		} catch {
+			// ignore
+		}
+	}
+	return redisClient || null;
+}
+
+function createRateLimiter(
+	type: RateLimitType,
+	customConfig?: { requests: number; window: string }
+): Ratelimit | null {
+	const config = customConfig || RATE_LIMIT_CONFIGS[type];
+	const cacheKey = `${type}-${config.requests}-${config.window}`;
+
+	const cached = rateLimiterCache.get(cacheKey);
+	if (cached) {
+		return cached;
+	}
+
+	const redisInstance = getRedisClient();
+	if (!redisInstance) {
+		return null;
+	}
+
+	try {
+		const rateLimiter = new Ratelimit({
+			redis: redisInstance,
+			limiter: Ratelimit.slidingWindow(config.requests, config.window as '1 m'),
+			analytics: true,
+			prefix: `@databuddy/ratelimit:${type}`,
+			ephemeralCache,
+		});
+		rateLimiterCache.set(cacheKey, rateLimiter);
+		return rateLimiter;
+	} catch {
+		return null;
+	}
+}
+
+function getRateLimitIdentifier(
+	request: Request,
+	customIdentifier?: string,
+	userId?: string
+): string {
+	if (customIdentifier) {
+		return `custom:${customIdentifier}`;
+	}
+	if (userId) {
+		return `user:${userId}`;
+	}
+
+	const apiKey =
+		request.headers.get('x-api-key') ||
+		request.headers.get('authorization')?.replace('Bearer ', '');
+	if (apiKey) {
+		return `apikey:${apiKey.substring(0, 8)}`;
+	}
+
+	const ip =
+		request.headers.get('x-forwarded-for') ||
+		request.headers.get('x-real-ip') ||
+		'unknown';
+	return `ip:${ip}`;
+}
+
+function checkInMemoryRateLimit(
+	identifier: string,
+	config: { requests: number; window: string },
+	rate = 1
+): RateLimitResult {
+	const windowMs = config.window === '1 m' ? 60_000 : 60_000;
+	const now = Date.now();
+	const resetTime = Math.ceil(now / windowMs) * windowMs;
+	const key = `${identifier}:${resetTime}`;
+
+	// Cleanup old entries
+	for (const [k, v] of inMemoryLimits.entries()) {
+		if (v.resetTime < now) {
+			inMemoryLimits.delete(k);
+		}
+	}
+
+	const current = inMemoryLimits.get(key) || { count: 0, resetTime };
+	const newCount = current.count + rate;
+	const success = newCount <= config.requests;
+
+	if (success) {
+		inMemoryLimits.set(key, { count: newCount, resetTime });
+	}
+
+	return {
+		success,
+		limit: config.requests,
+		remaining: Math.max(0, config.requests - newCount),
+		reset: new Date(resetTime + windowMs),
+	};
+}
+
+export async function checkRateLimit(
+	request: Request,
+	options: RateLimitOptions,
+	userId?: string
+): Promise<RateLimitResult> {
+	const identifier = getRateLimitIdentifier(
+		request,
+		options.identifier,
+		userId
+	);
+	const config = options.customConfig || RATE_LIMIT_CONFIGS[options.type];
+	const rate = options.rate || 1;
+
+	const rateLimiter = createRateLimiter(options.type, options.customConfig);
+	if (rateLimiter) {
+		try {
+			const result = await rateLimiter.limit(
+				identifier,
+				rate > 1 ? { rate } : undefined
+			);
+			return {
+				success: result.success,
+				limit: result.limit,
+				remaining: result.remaining,
+				reset: new Date(result.reset),
+			};
+		} catch {
+			// ignore
+		}
+	}
+
+	const result = checkInMemoryRateLimit(identifier, config, rate);
+	return result;
+}