Merge pull request #108 from wheval/fix/issues-85-94-99-101

fix: resolve issues #101, #99, #94, #85

Author: Nathydre

wata-board-dapp/package-lock.json

@@ -0,0 +1,42 @@
+/**
+ * Tier-based Rate Limit Configuration (#85)
+ *
+ * Defines per-tier request limits:
+ *   anonymous  →  5 req/min
+ *   verified   → 15 req/min
+ *   premium    → 50 req/min
+ *   admin      → 200 req/min
+ */
+
+import { UserTier, TierRateLimitConfig } from '../types/userTier';
+
+export const TIER_RATE_LIMITS: Record<UserTier, TierRateLimitConfig> = {
+  [UserTier.ANONYMOUS]: {
+    windowMs: 60 * 1000,
+    maxRequests: 5,
+    queueSize: 5,
+  },
+  [UserTier.VERIFIED]: {
+    windowMs: 60 * 1000,
+    maxRequests: 15,
+    queueSize: 10,
+  },
+  [UserTier.PREMIUM]: {
+    windowMs: 60 * 1000,
+    maxRequests: 50,
+    queueSize: 25,
+  },
+  [UserTier.ADMIN]: {
+    windowMs: 60 * 1000,
+    maxRequests: 200,
+    queueSize: 50,
+  },
+};
+
+/**
+ * Get the rate-limit configuration for a given user tier.
+ * Falls back to ANONYMOUS limits for unknown tiers.
+ */
+export function getRateLimitForTier(tier: UserTier): TierRateLimitConfig {
+  return TIER_RATE_LIMITS[tier] ?? TIER_RATE_LIMITS[UserTier.ANONYMOUS];
+}

wata-board-dapp/src/config/rateLimits.ts

@@ -0,0 +1,128 @@
+/**
+ * Metrics Collection Middleware (#99)
+ *
+ * Collects per-request API metrics (method, path, status, response time,
+ * user ID) and exposes aggregation helpers consumed by the
+ * MonitoringService and the frontend dashboard.
+ */
+
+import { Request, Response, NextFunction } from 'express';
+
+export interface ApiMetric {
+  timestamp: number;
+  method: string;
+  path: string;
+  statusCode: number;
+  responseTimeMs: number;
+  userId: string;
+}
+
+export interface SystemHealth {
+  uptime: number;
+  memoryUsageMb: number;
+  activeConnections: number;
+  requestsPerMinute: number;
+  errorRate: number;
+}
+
+class MetricsCollector {
+  private metrics: ApiMetric[] = [];
+  private readonly maxRetention = 10_000;
+  private activeConnections = 0;
+
+  // ── Express middleware ──────────────────────────────────────
+
+  middleware() {
+    return (req: Request, res: Response, next: NextFunction) => {
+      const start = Date.now();
+      this.activeConnections++;
+
+      const userId =
+        (req.headers['x-user-id'] as string) || req.ip || 'unknown';
+
+      res.on('finish', () => {
+        this.activeConnections--;
+        const metric: ApiMetric = {
+          timestamp: Date.now(),
+          method: req.method,
+          path: req.path,
+          statusCode: res.statusCode,
+          responseTimeMs: Date.now() - start,
+          userId,
+        };
+
+        this.metrics.push(metric);
+
+        if (this.metrics.length > this.maxRetention) {
+          this.metrics = this.metrics.slice(-this.maxRetention);
+        }
+      });
+
+      next();
+    };
+  }
+
+  // ── Query helpers ──────────────────────────────────────────
+
+  /** Metrics within the given time window (default 1 min). */
+  getMetrics(windowMs: number = 60_000): ApiMetric[] {
+    const cutoff = Date.now() - windowMs;
+    return this.metrics.filter((m) => m.timestamp > cutoff);
+  }
+
+  /** Aggregated system health snapshot. */
+  getSystemHealth(): SystemHealth {
+    const recentMetrics = this.getMetrics(60_000);
+    const errors = recentMetrics.filter((m) => m.statusCode >= 400);
+    const mem = process.memoryUsage();
+
+    return {
+      uptime: process.uptime(),
+      memoryUsageMb: Math.round(mem.heapUsed / 1024 / 1024),
+      activeConnections: this.activeConnections,
+      requestsPerMinute: recentMetrics.length,
+      errorRate:
+        recentMetrics.length > 0 ? errors.length / recentMetrics.length : 0,
+    };
+  }
+
+  /** Per-user request counts in the last window. */
+  getUserMetrics(
+    windowMs: number = 60_000,
+  ): Record<string, { count: number; errors: number }> {
+    const recent = this.getMetrics(windowMs);
+    const result: Record<string, { count: number; errors: number }> = {};
+
+    for (const m of recent) {
+      if (!result[m.userId]) result[m.userId] = { count: 0, errors: 0 };
+      result[m.userId].count++;
+      if (m.statusCode >= 400) result[m.userId].errors++;
+    }
+
+    return result;
+  }
+
+  /** Per-endpoint breakdown in the last window. */
+  getEndpointMetrics(
+    windowMs: number = 60_000,
+  ): Record<string, { count: number; avgResponseMs: number }> {
+    const recent = this.getMetrics(windowMs);
+    const agg: Record<
+      string,
+      { count: number; totalMs: number; avgResponseMs: number }
+    > = {};
+
+    for (const m of recent) {
+      const key = `${m.method} ${m.path}`;
+      if (!agg[key]) agg[key] = { count: 0, totalMs: 0, avgResponseMs: 0 };
+      agg[key].count++;
+      agg[key].totalMs += m.responseTimeMs;
+      agg[key].avgResponseMs = Math.round(agg[key].totalMs / agg[key].count);
+    }
+
+    return agg;
+  }
+}
+
+/** Singleton instance */
+export const metricsCollector = new MetricsCollector();

wata-board-dapp/src/middleware/metrics.ts

@@ -0,0 +1,190 @@
+/**
+ * Tiered Rate Limiter Middleware (#85)
+ *
+ * Sliding-window rate limiter that respects user tiers.
+ * Exposes both an Express middleware and a programmatic API
+ * (checkLimit / getStatus) so the monitoring service (#99)
+ * can query rate-limit state without consuming a slot.
+ */
+
+import { Request, Response, NextFunction } from 'express';
+import { UserTier, TierRateLimitStatus } from '../types/userTier';
+import { getRateLimitForTier } from '../config/rateLimits';
+import { userTierService } from '../services/userTierService';
+import logger from '../utils/logger';
+
+interface WindowEntry {
+  timestamps: number[];
+  queueCount: number;
+}
+
+export class TieredRateLimiter {
+  private windows: Map<string, WindowEntry> = new Map();
+  private cleanupInterval: NodeJS.Timeout;
+
+  constructor() {
+    // Prune stale entries every 2 minutes
+    this.cleanupInterval = setInterval(() => this.cleanup(), 2 * 60 * 1000);
+  }
+
+  // ── Core logic ─────────────────────────────────────────────
+
+  /**
+   * Check (and consume) one request slot for a user.
+   */
+  checkLimit(userId: string): TierRateLimitStatus {
+    const tier = userTierService.getUserTier(userId);
+    const config = getRateLimitForTier(tier);
+    const now = Date.now();
+    const windowStart = now - config.windowMs;
+
+    let entry = this.windows.get(userId);
+    if (!entry) {
+      entry = { timestamps: [], queueCount: 0 };
+      this.windows.set(userId, entry);
+    }
+
+    // Slide the window
+    entry.timestamps = entry.timestamps.filter((t) => t > windowStart);
+
+    const remaining = config.maxRequests - entry.timestamps.length;
+    const resetTime = new Date(
+      entry.timestamps.length > 0
+        ? entry.timestamps[0] + config.windowMs
+        : now + config.windowMs,
+    );
+
+    if (remaining > 0) {
+      entry.timestamps.push(now);
+      return {
+        tier,
+        allowed: true,
+        remainingRequests: remaining - 1,
+        resetTime,
+        queued: false,
+        limit: config.maxRequests,
+      };
+    }
+
+    // Try to queue the request
+    if (entry.queueCount < config.queueSize) {
+      entry.queueCount++;
+      return {
+        tier,
+        allowed: false,
+        remainingRequests: 0,
+        resetTime,
+        queued: true,
+        queuePosition: entry.queueCount,
+        limit: config.maxRequests,
+      };
+    }
+
+    // Rejected entirely
+    return {
+      tier,
+      allowed: false,
+      remainingRequests: 0,
+      resetTime,
+      queued: false,
+      limit: config.maxRequests,
+    };
+  }
+
+  /**
+   * Read-only status check (does NOT consume a request slot).
+   */
+  getStatus(userId: string): TierRateLimitStatus {
+    const tier = userTierService.getUserTier(userId);
+    const config = getRateLimitForTier(tier);
+    const now = Date.now();
+    const windowStart = now - config.windowMs;
+
+    const entry = this.windows.get(userId);
+    const timestamps = entry
+      ? entry.timestamps.filter((t) => t > windowStart)
+      : [];
+    const remaining = Math.max(0, config.maxRequests - timestamps.length);
+    const resetTime = new Date(
+      timestamps.length > 0
+        ? timestamps[0] + config.windowMs
+        : now + config.windowMs,
+    );
+
+    return {
+      tier,
+      allowed: remaining > 0,
+      remainingRequests: remaining,
+      resetTime,
+      queued: false,
+      limit: config.maxRequests,
+    };
+  }
+
+  // ── Express middleware factory ─────────────────────────────
+
+  middleware() {
+    return (req: Request, res: Response, next: NextFunction) => {
+      const userId =
+        (req.headers['x-user-id'] as string) || req.ip || 'unknown';
+      const status = this.checkLimit(userId);
+
+      // Always expose rate-limit headers
+      res.set('X-RateLimit-Limit', String(status.limit));
+      res.set('X-RateLimit-Remaining', String(status.remainingRequests));
+      res.set(
+        'X-RateLimit-Reset',
+        String(Math.ceil(status.resetTime.getTime() / 1000)),
+      );
+      res.set('X-RateLimit-Tier', status.tier);
+
+      if (!status.allowed && !status.queued) {
+        logger.warn('Rate limit exceeded', { userId, tier: status.tier });
+        return res.status(429).json({
+          error: 'Rate limit exceeded',
+          tier: status.tier,
+          retryAfter: Math.ceil(
+            (status.resetTime.getTime() - Date.now()) / 1000,
+          ),
+          limit: status.limit,
+        });
+      }
+
+      if (status.queued) {
+        logger.info('Request queued', {
+          userId,
+          tier: status.tier,
+          position: status.queuePosition,
+        });
+        return res.status(202).json({
+          message: 'Request queued',
+          queuePosition: status.queuePosition,
+          tier: status.tier,
+        });
+      }
+
+      next();
+    };
+  }
+
+  // ── Helpers ────────────────────────────────────────────────
+
+  private cleanup() {
+    const now = Date.now();
+    for (const [userId, entry] of this.windows.entries()) {
+      entry.timestamps = entry.timestamps.filter(
+        (t) => t > now - 5 * 60 * 1000,
+      );
+      if (entry.timestamps.length === 0 && entry.queueCount === 0) {
+        this.windows.delete(userId);
+      }
+    }
+  }
+
+  destroy() {
+    clearInterval(this.cleanupInterval);
+  }
+}
+
+/** Singleton instance */
+export const tieredRateLimiter = new TieredRateLimiter();

wata-board-dapp/src/middleware/rateLimiter.ts

@@ -0,0 +1,27 @@
+/**
+ * Migration 001 — Initial Data Preservation Setup (#101)
+ *
+ * Template migration that demonstrates the execute / rollback
+ * pattern.  Replace the body with real logic before deploying
+ * a new contract version.
+ */
+
+import { MigrationStep } from '../services/contractUpgradeService';
+import logger from '../utils/logger';
+
+export const migration001: MigrationStep = {
+  id: 'migration-001-initial-setup',
+  version: '1.1.0',
+  description: 'Set up data preservation mappings for contract upgrade',
+
+  async execute(): Promise<void> {
+    logger.info('Executing migration 001: Initial setup');
+    // TODO: backup existing payment records to off-chain storage
+    // TODO: create state mapping for new contract fields
+  },
+
+  async rollback(): Promise<void> {
+    logger.info('Rolling back migration 001');
+    // Reverse the changes made in execute()
+  },
+};