Add rate limiting to high-risk

Introduce centralized rate limiting by applying defined tiers (STRICT, STANDARD, LENIENT, MODERATE) to high-risk edge functions: - export-user-data (STRICT, 5 req/min) - send-contact-message (STANDARD, 20 req/min) - validate-email-backend (LENIENT, 30 req/min) - admin-delete-user, resend-deletion-code (MODERATE) - additional standard targets identified (request-account-deletion, cancel-account-deletion) as per guidance Implements: - Wrapped handlers with withRateLimit using centralized rateLimiters - Imported from shared rate limiter module - Annotated with comments explaining tier rationale - Updated three initial functions and extended coverage to admin/account management functions - Added documentation guide for rate limiting usage This aligns with the Rate Limiting Guide and centralizes rate limit configuration for consistency.
2025-12-22 21:51:14 -05:00 · 2025-11-10 21:39:37 +00:00
parent ed6ddbd04b
commit 6da29e95a4
6 changed files with 29 additions and 11 deletions
--- a/supabase/functions/send-contact-message/index.ts
+++ b/supabase/functions/send-contact-message/index.ts
@@ -1,6 +1,7 @@
 import { serve } from "https://deno.land/std@0.190.0/http/server.ts";
 import { createClient } from "https://esm.sh/@supabase/supabase-js@2.57.4";
 import { corsHeaders } from '../_shared/cors.ts';
+import { rateLimiters, withRateLimit } from '../_shared/rateLimiter.ts';
 import { edgeLogger } from "../_shared/logger.ts";
 import { createErrorResponse } from "../_shared/errorSanitizer.ts";
 import { formatEdgeError } from "../_shared/errorFormatter.ts";
@@ -338,4 +339,6 @@ The ThrillWiki Team`,
  }
 };

-serve(handler);
+// Apply standard rate limiting (20 req/min) for contact form submissions
+// Balances legitimate user needs with spam prevention
+serve(withRateLimit(handler, rateLimiters.standard, corsHeaders));