Add option to rate limit the publish endpoint

[ricardo-devis-agullo]

This adds an option to rate-limit the publish endpoint. By default it will use a memory one with lru-cache, but it's extendable by passing an object that follows the interface described so you could plug-in Redis or whatever library you want. I'm leaning towards enabling this by default

Rate Limiting

The registry supports rate limiting for the publish endpoint to prevent abuse. By default, it allows 100 requests per 15 minutes per IP/user combination.

Basic Configuration

const registry = require('oc-registry');

registry({
  // ... other config
  publishRateLimit: {
    windowMs: 15 * 60 * 1000, // 15 minutes (default)
    max: 100 // Maximum requests per window (default)
  }
});

Advanced Configuration

registry({
  // ... other config
  publishRateLimit: {
    windowMs: 5 * 60 * 1000, // 5 minutes
    max: 50, // 50 requests per 5 minutes
    maxCacheSize: 2000, // Maximum number of rate limit entries in memory
    keyGenerator: req => `${req.ip}:${req.user || 'anonymous'}`, // Custom key generation
    skip: req => req.headers['x-admin'] === 'true', // Skip for admin users
    store: new RedisStore({
      // Custom storage backend
      client: redisClient,
      prefix: 'rate-limit:'
    })
  }
});

Custom Storage Backends

You can implement custom storage backends by creating a class that implements the RateLimitStore interface:

class RedisRateLimitStore {
  async increment(key, windowMs) {
    // Your Redis implementation
    return { totalHits: count, resetTime: new Date() };
  }

  init() {
    // Optional: initialization logic
  }
}

[pbazydlo]

rather than gathering things like windowMs, maxHits, maxCacheSize, etc. on global level wouldn't it be better to leave it purely to the rate limit store?

So you could provide in config a factory function that would provide those values to the store directly. For default store you would provide those values on line 22, but not configurable.