chore: rate limiting

psmyrdek · psmyrdek · commit b1135a72e86a · 2025-05-08T10:46:10.000+02:00
diff --git a/src/middleware/index.ts b/src/middleware/index.ts
@@ -1,5 +1,41 @@
 import { createSupabaseServerInstance } from '@/db/supabase.client';
-import { defineMiddleware } from 'astro:middleware';
+import { sequence, defineMiddleware } from 'astro:middleware';
+import { checkRateLimit, setRateLimitCookie } from '../services/rateLimiter';
+
+// Define rate limit configurations: path -> seconds
+const RATE_LIMIT_CONFIG: { [path: string]: number } = {
+  '/api/auth': 10, // Default existing behavior: 10 seconds for /api/auth and its sub-routes
+  // Add other specific path configurations here, e.g.:
+  // '/api/heavy-operation': 60,
+};
+
+const rateLimiter = defineMiddleware(async ({ cookies, url }, next) => {
+  const currentPath = url.pathname;
+  let matchedPath: string | undefined;
+  let matchedLimit: number | undefined;
+
+  // Find if the current path matches any configured rate-limited paths
+  for (const pathPrefix in RATE_LIMIT_CONFIG) {
+    if (currentPath.startsWith(pathPrefix)) {
+      matchedPath = pathPrefix; // Use the configured prefix as the key for rate limiting
+      matchedLimit = RATE_LIMIT_CONFIG[pathPrefix];
+      break;
+    }
+  }
+
+  if (matchedPath && matchedLimit !== undefined) {
+    if (checkRateLimit(cookies, matchedPath, matchedLimit)) {
+      setRateLimitCookie(cookies, matchedPath, matchedLimit);
+      return next();
+    }
+    return new Response(JSON.stringify({ error: 'Rate limit exceeded' }), {
+      status: 429,
+      headers: { 'Content-Type': 'application/json' },
+    });
+  }
+
+  return next();
+});
 
 // Public paths that don't require authentication
 const PUBLIC_PATHS = [
@@ -17,7 +53,7 @@ const PUBLIC_PATHS = [
   '/privacy/en',
 ];
 
-export const onRequest = defineMiddleware(
+const validateRequest = defineMiddleware(
   async ({ locals, cookies, url, request, redirect }, next) => {
     try {
       const supabase = createSupabaseServerInstance({
@@ -70,3 +106,5 @@ export const onRequest = defineMiddleware(
     }
   },
 );
+
+export const onRequest = sequence(rateLimiter, validateRequest);
diff --git a/src/services/rateLimiter.ts b/src/services/rateLimiter.ts
@@ -1,36 +1,82 @@
-const RATE_LIMIT_COOKIE_NAME = 'login_attempt_timestamp';
-const RATE_LIMIT_SECONDS = 10;
-
-/**
- * Checks if the request is rate-limited based on a timestamp in an HTTP-only cookie.
- * @param headers The Headers object from the request.
- * @returns True if the request is allowed, false if it's rate-limited.
- */
-export function checkRateLimit(headers: Headers): boolean {
-  const lastAttemptTimestamp = headers
-    .get('cookie')
-    ?.split('; ')
-    .find((row) => row.startsWith(`${RATE_LIMIT_COOKIE_NAME}=`))
-    ?.split('=')[1];
-
-  if (lastAttemptTimestamp) {
-    const lastAttemptTime = parseInt(lastAttemptTimestamp, 10);
-    const currentTime = Date.now();
-    if (currentTime - lastAttemptTime < RATE_LIMIT_SECONDS * 1000) {
-      return false; // Rate-limited
+import { type AstroCookies } from 'astro';
+
+const RATE_LIMIT_COOKIE_NAME = 'app_rl_v1';
+const DEFAULT_RATE_LIMIT_SECONDS = 10;
+
+// Type for the cookie value: a map of routes to their last access timestamps
+type RateLimitData = {
+  [route: string]: number; // route: timestamp
+};
+
+export function checkRateLimit(
+  cookies: AstroCookies,
+  route: string,
+  rateLimitSeconds: number = DEFAULT_RATE_LIMIT_SECONDS,
+): boolean {
+  const cookie = cookies.get(RATE_LIMIT_COOKIE_NAME);
+  if (!cookie?.value) {
+    return true; // No cookie, or empty cookie value, allow
+  }
+
+  try {
+    const decodedValue = atob(cookie.value);
+    const rateLimitData = JSON.parse(decodedValue) as RateLimitData;
+    const lastAccessTime = rateLimitData[route];
+
+    if (!lastAccessTime) {
+      return true; // No timestamp for this route yet, allow
+    }
+
+    const timeSinceLastAccess = Date.now() - lastAccessTime;
+    if (timeSinceLastAccess < rateLimitSeconds * 1000) {
+      console.log(
+        `Rate limit exceeded for route: ${route}. Time since last access: ${timeSinceLastAccess}ms, Limit: ${rateLimitSeconds * 1000}ms`,
+      );
+      return false; // Rate limit exceeded
     }
+    return true; // Rate limit not exceeded
+  } catch (error) {
+    console.error('Error decoding or parsing rate limit cookie:', error);
+    // If there's an error (e.g., malformed cookie), allow the request and overwrite the cookie later.
+    // Alternatively, you could block to be safer, depending on requirements.
+    return true;
   }
-  return true; // Allowed
 }
 
-/**
- * Sets an HTTP-only cookie with the current timestamp to track the last login attempt.
- * @param responseHeaders The Headers object to add the Set-Cookie header to.
- */
-export function setRateLimitCookie(responseHeaders: Headers): void {
+export function setRateLimitCookie(
+  cookies: AstroCookies,
+  route: string,
+  rateLimitSeconds: number = DEFAULT_RATE_LIMIT_SECONDS,
+): void {
   const currentTime = Date.now();
-  responseHeaders.append(
-    'Set-Cookie',
-    `${RATE_LIMIT_COOKIE_NAME}=${currentTime}; HttpOnly; Path=/; Max-Age=${RATE_LIMIT_SECONDS}; SameSite=Lax`,
-  );
+  let rateLimitData: RateLimitData = {};
+
+  const existingCookie = cookies.get(RATE_LIMIT_COOKIE_NAME);
+  if (existingCookie?.value) {
+    try {
+      const decodedValue = atob(existingCookie.value);
+      rateLimitData = JSON.parse(decodedValue) as RateLimitData;
+    } catch (error) {
+      console.error('Error decoding or parsing existing rate limit cookie:', error);
+      // If cookie is malformed, start fresh
+      rateLimitData = {};
+    }
+  }
+
+  rateLimitData[route] = currentTime;
+
+  // Clean up old entries (optional, but good for cookie size management)
+  // This example doesn't include cleanup, but you might want to add it if routes are dynamic or numerous.
+
+  try {
+    const newCookieValue = btoa(JSON.stringify(rateLimitData));
+    cookies.set(RATE_LIMIT_COOKIE_NAME, newCookieValue, {
+      path: '/',
+      maxAge: Math.max(rateLimitSeconds, DEFAULT_RATE_LIMIT_SECONDS) * 2, // Cookie should last longer than the longest rate limit
+      sameSite: 'lax',
+      httpOnly: true, // Make cookie httpOnly for security
+    });
+  } catch (error) {
+    console.error('Error encoding or setting rate limit cookie:', error);
+  }
 }
