Centralize rate limiting config

Create shared rateLimitConfig.ts with tiers (strict, moderate, lenient, generous, per-user variants) and update edge functions to import centralized rate limiters. Replace inline rate limiter usage with new config, preserving backward compatibility. Add documentation guide for rate limiting usage.

supabase/functions/_shared/rateLimitConfig.ts

@@ -0,0 +1,174 @@
+/**
+ * Centralized Rate Limiting Configuration for Edge Functions
+ * 
+ * Provides standardized rate limit tiers that can be imported by any edge function.
+ * This ensures consistent rate limiting behavior across the application.
+ */
+
+import { RateLimitConfig } from './rateLimiter.ts';
+
+/**
+ * Rate Limit Tier Definitions
+ * 
+ * Choose the appropriate tier based on the operation cost and abuse risk:
+ * 
+ * - **STRICT**: For expensive operations (uploads, exports, data modifications)
+ * - **MODERATE**: For standard API operations (moderation actions, content creation)
+ * - **STANDARD**: For typical read/write operations (most endpoints)
+ * - **LENIENT**: For lightweight read operations (cached data, public endpoints)
+ * - **GENEROUS**: For high-frequency operations (polling, real-time updates)
+ */
+
+// Base time window for all rate limiters (1 minute)
+const RATE_LIMIT_WINDOW_MS = 60000;
+
+/**
+ * STRICT: 5 requests per minute
+ * 
+ * Use for:
+ * - File uploads (images, documents)
+ * - Data exports
+ * - Batch operations
+ * - Resource-intensive computations
+ * - CloudFlare API calls
+ * 
+ * Examples: upload-image, export-user-data
+ */
+export const RATE_LIMIT_STRICT: RateLimitConfig = {
+  windowMs: RATE_LIMIT_WINDOW_MS,
+  maxRequests: 5,
+};
+
+/**
+ * MODERATE: 10 requests per minute
+ * 
+ * Use for:
+ * - Moderation actions (approve, reject)
+ * - Content submission
+ * - User profile updates
+ * - Email sending
+ * - Notification triggers
+ * 
+ * Examples: process-selective-approval, process-selective-rejection, submit-entity-edit
+ */
+export const RATE_LIMIT_MODERATE: RateLimitConfig = {
+  windowMs: RATE_LIMIT_WINDOW_MS,
+  maxRequests: 10,
+};
+
+/**
+ * STANDARD: 20 requests per minute
+ * 
+ * Use for:
+ * - Standard read/write operations
+ * - Search endpoints
+ * - Contact forms
+ * - Account management
+ * - Authentication operations
+ * 
+ * Examples: send-contact-message, request-account-deletion, validate-email
+ */
+export const RATE_LIMIT_STANDARD: RateLimitConfig = {
+  windowMs: RATE_LIMIT_WINDOW_MS,
+  maxRequests: 20,
+};
+
+/**
+ * LENIENT: 30 requests per minute
+ * 
+ * Use for:
+ * - Lightweight read operations
+ * - Cached data retrieval
+ * - Public endpoint queries
+ * - Status checks
+ * - Location detection
+ * 
+ * Examples: detect-location, check-transaction-status
+ */
+export const RATE_LIMIT_LENIENT: RateLimitConfig = {
+  windowMs: RATE_LIMIT_WINDOW_MS,
+  maxRequests: 30,
+};
+
+/**
+ * GENEROUS: 60 requests per minute
+ * 
+ * Use for:
+ * - High-frequency polling
+ * - Real-time updates
+ * - Webhook receivers
+ * - Health checks
+ * - Internal service-to-service calls
+ * 
+ * Examples: novu-webhook, scheduled-maintenance
+ */
+export const RATE_LIMIT_GENEROUS: RateLimitConfig = {
+  windowMs: RATE_LIMIT_WINDOW_MS,
+  maxRequests: 60,
+};
+
+/**
+ * PER_USER: 20 requests per minute (default)
+ * 
+ * Use for authenticated endpoints where you want to rate limit per user ID
+ * rather than per IP address. Useful for:
+ * - User-specific operations
+ * - Preventing account abuse
+ * - Per-user quotas
+ * 
+ * Can be customized with different request counts:
+ * - perUserStrict: 5 req/min
+ * - perUserModerate: 10 req/min
+ * - perUserStandard: 20 req/min (default)
+ * - perUserLenient: 40 req/min
+ */
+export const RATE_LIMIT_PER_USER_STRICT: RateLimitConfig = {
+  windowMs: RATE_LIMIT_WINDOW_MS,
+  maxRequests: 5,
+  keyGenerator: (req: Request) => {
+    // Extract user ID from Authorization header JWT
+    const authHeader = req.headers.get('Authorization');
+    if (authHeader) {
+      try {
+        const token = authHeader.replace('Bearer ', '');
+        const payload = JSON.parse(atob(token.split('.')[1]));
+        return `user:${payload.sub}`;
+      } catch {
+        // Fall back to IP if JWT parsing fails
+        return req.headers.get('x-forwarded-for')?.split(',')[0] || '0.0.0.0';
+      }
+    }
+    return req.headers.get('x-forwarded-for')?.split(',')[0] || '0.0.0.0';
+  }
+};
+
+export const RATE_LIMIT_PER_USER_MODERATE: RateLimitConfig = {
+  ...RATE_LIMIT_PER_USER_STRICT,
+  maxRequests: 10,
+};
+
+export const RATE_LIMIT_PER_USER_STANDARD: RateLimitConfig = {
+  ...RATE_LIMIT_PER_USER_STRICT,
+  maxRequests: 20,
+};
+
+export const RATE_LIMIT_PER_USER_LENIENT: RateLimitConfig = {
+  ...RATE_LIMIT_PER_USER_STRICT,
+  maxRequests: 40,
+};
+
+/**
+ * Rate Limit Tier Summary
+ * 
+ * | Tier              | Requests/Min | Use Case                          |
+ * |-------------------|--------------|-----------------------------------|
+ * | STRICT            | 5            | Expensive operations, uploads     |
+ * | MODERATE          | 10           | Moderation, submissions           |
+ * | STANDARD          | 20           | Standard read/write operations    |
+ * | LENIENT           | 30           | Lightweight reads, public data    |
+ * | GENEROUS          | 60           | Polling, webhooks, health checks  |
+ * | PER_USER_STRICT   | 5/user       | User-specific expensive ops       |
+ * | PER_USER_MODERATE | 10/user      | User-specific moderation          |
+ * | PER_USER_STANDARD | 20/user      | User-specific standard ops        |
+ * | PER_USER_LENIENT  | 40/user      | User-specific frequent ops        |
+ */