modules/site: add rate limiting for redirect DB lookups

Prevent DoS attacks on legacy URL redirect DB lookups:
- 10 requests per 60 seconds per IP
- Returns 429 Too Many Requests when exceeded
- Auto-cleanup of stale entries every 5 minutes

🤖 Generated with [Claude Code](https://claude.com/claude-code)

Co-Authored-By: Claude Opus 4.5 <[email protected]>

Author: aster-void

src/hooks.server.ts

@@ -1,5 +1,5 @@
 import type { Handle } from "@sveltejs/kit";
-import { redirect } from "@sveltejs/kit";
+import { error, redirect } from "@sveltejs/kit";
 import { sequence } from "@sveltejs/kit/hooks";
 import { svelteKitHandler } from "better-auth/svelte-kit";
 import { like } from "drizzle-orm";
@@ -12,6 +12,42 @@ const handleAuth: Handle = async ({ event, resolve }) => {
   return await svelteKitHandler({ event, resolve, auth, building });
 };
 
+// Rate limiter for DB lookup redirects (10 requests per 60 seconds per IP)
+const RATE_LIMIT_WINDOW_MS = 60_000;
+const RATE_LIMIT_MAX_REQUESTS = 10;
+const rateLimitMap = new Map<string, number[]>();
+
+function isRateLimited(ip: string): boolean {
+  const now = Date.now();
+  const timestamps = rateLimitMap.get(ip) ?? [];
+  const validTimestamps = timestamps.filter((t) => now - t < RATE_LIMIT_WINDOW_MS);
+
+  if (validTimestamps.length >= RATE_LIMIT_MAX_REQUESTS) {
+    rateLimitMap.set(ip, validTimestamps);
+    return true;
+  }
+
+  validTimestamps.push(now);
+  rateLimitMap.set(ip, validTimestamps);
+  return false;
+}
+
+// Cleanup stale entries every 5 minutes
+setInterval(
+  () => {
+    const now = Date.now();
+    for (const [ip, timestamps] of rateLimitMap) {
+      const valid = timestamps.filter((t) => now - t < RATE_LIMIT_WINDOW_MS);
+      if (valid.length === 0) {
+        rateLimitMap.delete(ip);
+      } else {
+        rateLimitMap.set(ip, valid);
+      }
+    }
+  },
+  5 * 60 * 1000,
+);
+
 const handleRedirect: Handle = async ({ event, resolve }) => {
   const path = event.url.pathname;
 
@@ -33,6 +69,13 @@ const handleRedirect: Handle = async ({ event, resolve }) => {
     if (/^\d{4}-\d{2}-\d{2}-/.test(oldSlug)) {
       return resolve(event);
     }
+
+    // Rate limit DB lookups
+    const ip = event.getClientAddress();
+    if (isRateLimited(ip)) {
+      error(429, "Too many requests");
+    }
+
     // DB lookup: find article where slug ends with the old slug pattern
     const found = await db
       .select({ slug: article.slug })