pacnpal/thrilltrack-explorer
1
0
Fork 0
mirror of https://github.com/pacnpal/thrilltrack-explorer.git synced 2025-12-29 09:07:04 -05:00
Code Issues Packages Projects Releases Wiki Activity

Compare commits

base: pacnpal:bea30317670f0be7caa23a8d2577f18690868cb3
Branches Tags
pacnpal:main pacnpal:dev pacnpal:edit/edt-5d4e06f4-a087-42e0-80bb-a43139fa066b pacnpal:edit/edt-3a0af0c5-3daa-4be8-b4ab-a9fa03de0373 pacnpal:edit/edt-f369b8ce-d150-4532-a6a0-2ba80ace6b58 pacnpal:edit/edt-6e45b77e-1d54-4173-af1a-dcbcd886645d pacnpal:edit/edt-6eb47d5c-853d-43ab-96a7-16a5cc006c30 pacnpal:edit/edt-9a567ba5-b52f-46b3-bdef-b847b9ba7963 pacnpal:edit/edt-61e75a20-f83d-40b2-8bc4-b6ff40b23450 pacnpal:edit/edt-22d9eca7-0c70-44d8-865d-791ef884dfbd pacnpal:edit/edt-ffd226b0-af99-491b-b6b8-3fe0063e0082 pacnpal:edit/edt-a95a840d-e7e7-4f9e-aa25-03bb68194aee pacnpal:django-backend pacnpal:claude/audit-django-migration-011CUw4bfUEAsSoD5BpMRCtK pacnpal:claude/pipeline-error-handling-011CUujxQjLLS8RcB1jtZoT5
..
compare: pacnpal:28fa2fd0d44319403fb1745ff09f3530014f3bb9
Branches Tags
pacnpal:main pacnpal:dev pacnpal:edit/edt-5d4e06f4-a087-42e0-80bb-a43139fa066b pacnpal:edit/edt-3a0af0c5-3daa-4be8-b4ab-a9fa03de0373 pacnpal:edit/edt-f369b8ce-d150-4532-a6a0-2ba80ace6b58 pacnpal:edit/edt-6e45b77e-1d54-4173-af1a-dcbcd886645d pacnpal:edit/edt-6eb47d5c-853d-43ab-96a7-16a5cc006c30 pacnpal:edit/edt-9a567ba5-b52f-46b3-bdef-b847b9ba7963 pacnpal:edit/edt-61e75a20-f83d-40b2-8bc4-b6ff40b23450 pacnpal:edit/edt-22d9eca7-0c70-44d8-865d-791ef884dfbd pacnpal:edit/edt-ffd226b0-af99-491b-b6b8-3fe0063e0082 pacnpal:edit/edt-a95a840d-e7e7-4f9e-aa25-03bb68194aee pacnpal:django-backend pacnpal:claude/audit-django-migration-011CUw4bfUEAsSoD5BpMRCtK pacnpal:claude/pipeline-error-handling-011CUujxQjLLS8RcB1jtZoT5

5 Commits
bea3031767 ... 28fa2fd0d4

Author SHA1 Message Date
gpt-engineer-app[bot]
28fa2fd0d4 Monitor rate limits progress 
Implement monitor-rate-limits edge function to compare metrics against alert configurations, trigger notifications, and record alerts; update config and groundwork for admin UI integration.
 2025-11-11 00:19:13 +00:00
gpt-engineer-app[bot]
677d0980dd Connect to Lovable Cloud 
Approved Lovable tool use and migration updates to fix security warning and add monitoring edge function. Prepare and apply migrations to ensure search_path is set to public and implement monitoring endpoint for rate limit metrics.
 2025-11-11 00:14:48 +00:00
gpt-engineer-app[bot]
1628753361 Create Rate Limit Admin Dashboard 
Add a React admin dashboard component to visualize rate limit metrics and statistics, including data fetching from the rate-limit-metrics edge function, charts and statistics, and admin routes/integration. Includes setup for routing and UI scaffolding to display total requests, block rate, top blocked IPs/users, and recent activity with interactive charts.
 2025-11-11 00:06:49 +00:00
gpt-engineer-app[bot]
f15190351d Create rate-limit-metrics edge function 
Add an edge function rate-limit-metrics to expose metrics via API, including authentication guards, CORS headers, and multiple query endpoints for recent metrics, stats, and function/user/IP-specific data. Integrates with new metrics and auth helpers and uses existing rate limiter.
 2025-11-11 00:02:55 +00:00
gpt-engineer-app[bot]
fa444091db Integrate metrics and auth 
Add Phase 2 updates to rateLimiter.ts:
- Import and hook in rateLimitMetrics and authHelpers
- Track per-request metrics on allowed/blocked outcomes
- Extract userId and clientIP for metrics
- Extend RateLimiter to pass functionName for metrics context
- Update withRateLimit to utilize new metadata and return values
 2025-11-11 00:01:13 +00:00
13 changed files with 1776 additions and 29 deletions
Expand all files Collapse all files

210
RATE_LIMIT_MONITORING_SETUP.md Normal file
View File

@@ -0,0 +1,210 @@
# Rate Limit Monitoring Setup
This document explains how to set up automated rate limit monitoring with alerts.
## Overview
The rate limit monitoring system consists of:
1. **Metrics Collection** - Tracks all rate limit checks in-memory
2. **Alert Configuration** - Database table with configurable thresholds
3. **Monitor Function** - Edge function that checks metrics and triggers alerts
4. **Cron Job** - Scheduled job that runs the monitor function periodically
## Setup Instructions
### Step 1: Enable Required Extensions
Run this SQL in your Supabase SQL Editor:
```sql
-- Enable pg_cron for scheduling
CREATE EXTENSION IF NOT EXISTS pg_cron;
-- Enable pg_net for HTTP requests
CREATE EXTENSION IF NOT EXISTS pg_net;
```
### Step 2: Create the Cron Job
Run this SQL to schedule the monitor to run every 5 minutes:
```sql
SELECT cron.schedule(
'monitor-rate-limits',
'*/5 * * * *', -- Every 5 minutes
$$
SELECT
net.http_post(
url:='https://api.thrillwiki.com/functions/v1/monitor-rate-limits',
headers:='{"Content-Type": "application/json", "Authorization": "Bearer eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJpc3MiOiJzdXBhYmFzZSIsInJlZiI6InlkdnRtbnJzenlicW5iY3FiZGN5Iiwicm9sZSI6ImFub24iLCJpYXQiOjE3NTgzMjYzNTYsImV4cCI6MjA3MzkwMjM1Nn0.DM3oyapd_omP5ZzIlrT0H9qBsiQBxBRgw2tYuqgXKX4"}'::jsonb,
body:='{}'::jsonb
) as request_id;
$$
);
```
### Step 3: Verify the Cron Job
Check that the cron job was created:
```sql
SELECT * FROM cron.job WHERE jobname = 'monitor-rate-limits';
```
### Step 4: Configure Alert Thresholds
Visit the admin dashboard at `/admin/rate-limit-metrics` and navigate to the "Configuration" tab to:
- Enable/disable specific alerts
- Adjust threshold values
- Modify time windows
Default configurations are automatically created:
- **Block Rate Alert**: Triggers when >50% of requests are blocked in 5 minutes
- **Total Requests Alert**: Triggers when >1000 requests/minute
- **Unique IPs Alert**: Triggers when >100 unique IPs in 5 minutes (disabled by default)
## How It Works
### 1. Metrics Collection
Every rate limit check (both allowed and blocked) is recorded with:
- Timestamp
- Function name
- Client IP
- User ID (if authenticated)
- Result (allowed/blocked)
- Remaining quota
- Rate limit tier
Metrics are stored in-memory for the last 10,000 checks.
### 2. Monitoring Process
Every 5 minutes, the monitor function:
1. Fetches enabled alert configurations from the database
2. Analyzes current metrics for each configuration's time window
3. Compares metrics against configured thresholds
4. For exceeded thresholds:
- Records the alert in `rate_limit_alerts` table
- Sends notification to moderators via Novu
- Skips if a recent unresolved alert already exists (prevents spam)
### 3. Alert Deduplication
Alerts are deduplicated using a 15-minute window. If an alert for the same configuration was triggered in the last 15 minutes and hasn't been resolved, no new alert is sent.
### 4. Notifications
Alerts are sent to all moderators via the "moderators" topic in Novu, including:
- Email notifications
- In-app notifications (if configured)
- Custom notification channels (if configured)
## Monitoring the Monitor
### Check Cron Job Status
```sql
-- View recent cron job runs
SELECT * FROM cron.job_run_details
WHERE jobid = (SELECT jobid FROM cron.job WHERE jobname = 'monitor-rate-limits')
ORDER BY start_time DESC
LIMIT 10;
```
### View Function Logs
Check the edge function logs in Supabase Dashboard:
`https://supabase.com/dashboard/project/ydvtmnrszybqnbcqbdcy/functions/monitor-rate-limits/logs`
### Test Manually
You can test the monitor function manually by calling it via HTTP:
```bash
curl -X POST https://api.thrillwiki.com/functions/v1/monitor-rate-limits \
-H "Content-Type: application/json"
```
## Adjusting the Schedule
To change how often the monitor runs, update the cron schedule:
```sql
-- Update to run every 10 minutes instead
SELECT cron.alter_job('monitor-rate-limits', schedule:='*/10 * * * *');
-- Update to run every hour
SELECT cron.alter_job('monitor-rate-limits', schedule:='0 * * * *');
-- Update to run every minute (not recommended - may generate too many alerts)
SELECT cron.alter_job('monitor-rate-limits', schedule:='* * * * *');
```
## Removing the Cron Job
If you need to disable monitoring:
```sql
SELECT cron.unschedule('monitor-rate-limits');
```
## Troubleshooting
### No Alerts Being Triggered
1. Check if any alert configurations are enabled:
```sql
SELECT * FROM rate_limit_alert_config WHERE enabled = true;
```
2. Check if metrics are being collected:
- Visit `/admin/rate-limit-metrics` and check the "Recent Activity" tab
- If no activity, the rate limiter might not be in use
3. Check monitor function logs for errors
### Too Many Alerts
- Increase threshold values in the configuration
- Increase time windows for less sensitive detection
- Disable specific alert types that are too noisy
### Monitor Not Running
1. Verify cron job exists and is active
2. Check `cron.job_run_details` for error messages
3. Verify edge function deployed successfully
4. Check network connectivity between cron scheduler and edge function
## Database Tables
### `rate_limit_alert_config`
Stores alert threshold configurations. Only admins can modify.
### `rate_limit_alerts`
Stores history of all triggered alerts. Moderators can view and resolve.
## Security
- Alert configurations can only be modified by admin/superuser roles
- Alert history is only accessible to moderators and above
- The monitor function runs without JWT verification (as a cron job)
- All database operations respect Row Level Security policies
## Performance Considerations
- In-memory metrics store max 10,000 entries (auto-trimmed)
- Metrics older than the longest configured time window are not useful
- Monitor function typically runs in <500ms
- No significant database load (simple queries on small tables)
## Future Enhancements
Possible improvements:
- Function-specific alert thresholds
- Alert aggregation (daily/weekly summaries)
- Custom notification channels per alert type
- Machine learning-based anomaly detection
- Integration with external monitoring tools (Datadog, New Relic, etc.)

9
src/App.tsx
View File

@@ -74,6 +74,7 @@ const AdminEmailSettings = lazy(() => import("./pages/admin/AdminEmailSettings")
const ErrorMonitoring = lazy(() => import("./pages/admin/ErrorMonitoring")); const ErrorMonitoring = lazy(() => import("./pages/admin/ErrorMonitoring"));
const ErrorLookup = lazy(() => import("./pages/admin/ErrorLookup")); const ErrorLookup = lazy(() => import("./pages/admin/ErrorLookup"));
const TraceViewer = lazy(() => import("./pages/admin/TraceViewer")); const TraceViewer = lazy(() => import("./pages/admin/TraceViewer"));
const RateLimitMetrics = lazy(() => import("./pages/admin/RateLimitMetrics"));
// User routes (lazy-loaded) // User routes (lazy-loaded)
const Profile = lazy(() => import("./pages/Profile")); const Profile = lazy(() => import("./pages/Profile"));
@@ -396,6 +397,14 @@ function AppContent(): React.JSX.Element {
</AdminErrorBoundary> </AdminErrorBoundary>
} }
/> />
<Route
path="/admin/rate-limit-metrics"
element={
<AdminErrorBoundary section="Rate Limit Metrics">
<RateLimitMetrics />
</AdminErrorBoundary>
}
/>
{/* Utility routes - lazy loaded */} {/* Utility routes - lazy loaded */}
<Route path="/force-logout" element={<ForceLogout />} /> <Route path="/force-logout" element={<ForceLogout />} />

7
src/components/layout/AdminSidebar.tsx
View File

@@ -1,4 +1,4 @@
import { LayoutDashboard, FileText, Flag, Users, Settings, ArrowLeft, ScrollText, BookOpen, Inbox, Mail, AlertTriangle } from 'lucide-react'; import { LayoutDashboard, FileText, Flag, Users, Settings, ArrowLeft, ScrollText, BookOpen, Inbox, Mail, AlertTriangle, Shield } from 'lucide-react';
import { NavLink } from 'react-router-dom'; import { NavLink } from 'react-router-dom';
import { useUserRole } from '@/hooks/useUserRole'; import { useUserRole } from '@/hooks/useUserRole';
import { useSidebar } from '@/hooks/useSidebar'; import { useSidebar } from '@/hooks/useSidebar';
@@ -53,6 +53,11 @@ export function AdminSidebar() {
url: '/admin/error-monitoring', url: '/admin/error-monitoring',
icon: AlertTriangle, icon: AlertTriangle,
}, },
{
title: 'Rate Limit Metrics',
url: '/admin/rate-limit-metrics',
icon: Shield,
},
{ {
title: 'Users', title: 'Users',
url: '/admin/users', url: '/admin/users',

173
src/hooks/useRateLimitAlerts.ts Normal file
View File

@@ -0,0 +1,173 @@
import { useQuery, useMutation, useQueryClient } from '@tanstack/react-query';
import { supabase } from '@/integrations/supabase/client';
import { toast } from 'sonner';
export interface AlertConfig {
id: string;
metric_type: 'block_rate' | 'total_requests' | 'unique_ips' | 'function_specific';
threshold_value: number;
time_window_ms: number;
function_name?: string;
enabled: boolean;
created_at: string;
updated_at: string;
}
export interface Alert {
id: string;
config_id: string;
metric_type: string;
metric_value: number;
threshold_value: number;
time_window_ms: number;
function_name?: string;
alert_message: string;
resolved_at?: string;
created_at: string;
}
export function useAlertConfigs() {
return useQuery({
queryKey: ['rateLimitAlertConfigs'],
queryFn: async () => {
const { data, error } = await supabase
.from('rate_limit_alert_config')
.select('*')
.order('metric_type');
if (error) throw error;
return data as AlertConfig[];
},
});
}
export function useAlertHistory(limit: number = 50) {
return useQuery({
queryKey: ['rateLimitAlerts', limit],
queryFn: async () => {
const { data, error } = await supabase
.from('rate_limit_alerts')
.select('*')
.order('created_at', { ascending: false })
.limit(limit);
if (error) throw error;
return data as Alert[];
},
refetchInterval: 30000, // Refetch every 30 seconds
});
}
export function useUnresolvedAlerts() {
return useQuery({
queryKey: ['rateLimitAlertsUnresolved'],
queryFn: async () => {
const { data, error } = await supabase
.from('rate_limit_alerts')
.select('*')
.is('resolved_at', null)
.order('created_at', { ascending: false });
if (error) throw error;
return data as Alert[];
},
refetchInterval: 15000, // Refetch every 15 seconds
});
}
export function useUpdateAlertConfig() {
const queryClient = useQueryClient();
return useMutation({
mutationFn: async ({ id, updates }: { id: string; updates: Partial<AlertConfig> }) => {
const { data, error } = await supabase
.from('rate_limit_alert_config')
.update(updates)
.eq('id', id)
.select()
.single();
if (error) throw error;
return data;
},
onSuccess: () => {
queryClient.invalidateQueries({ queryKey: ['rateLimitAlertConfigs'] });
toast.success('Alert configuration updated');
},
onError: (error) => {
toast.error(`Failed to update alert config: ${error.message}`);
},
});
}
export function useCreateAlertConfig() {
const queryClient = useQueryClient();
return useMutation({
mutationFn: async (config: Omit<AlertConfig, 'id' | 'created_at' | 'updated_at'>) => {
const { data, error } = await supabase
.from('rate_limit_alert_config')
.insert(config)
.select()
.single();
if (error) throw error;
return data;
},
onSuccess: () => {
queryClient.invalidateQueries({ queryKey: ['rateLimitAlertConfigs'] });
toast.success('Alert configuration created');
},
onError: (error) => {
toast.error(`Failed to create alert config: ${error.message}`);
},
});
}
export function useDeleteAlertConfig() {
const queryClient = useQueryClient();
return useMutation({
mutationFn: async (id: string) => {
const { error } = await supabase
.from('rate_limit_alert_config')
.delete()
.eq('id', id);
if (error) throw error;
},
onSuccess: () => {
queryClient.invalidateQueries({ queryKey: ['rateLimitAlertConfigs'] });
toast.success('Alert configuration deleted');
},
onError: (error) => {
toast.error(`Failed to delete alert config: ${error.message}`);
},
});
}
export function useResolveAlert() {
const queryClient = useQueryClient();
return useMutation({
mutationFn: async (id: string) => {
const { data, error } = await supabase
.from('rate_limit_alerts')
.update({ resolved_at: new Date().toISOString() })
.eq('id', id)
.select()
.single();
if (error) throw error;
return data;
},
onSuccess: () => {
queryClient.invalidateQueries({ queryKey: ['rateLimitAlerts'] });
queryClient.invalidateQueries({ queryKey: ['rateLimitAlertsUnresolved'] });
toast.success('Alert resolved');
},
onError: (error) => {
toast.error(`Failed to resolve alert: ${error.message}`);
},
});
}

75
src/hooks/useRateLimitMetrics.ts Normal file
View File

@@ -0,0 +1,75 @@
import { useQuery } from '@tanstack/react-query';
import { supabase } from '@/integrations/supabase/client';
export interface RateLimitMetric {
timestamp: number;
functionName: string;
clientIP: string;
userId?: string;
allowed: boolean;
remaining: number;
retryAfter?: number;
tier: string;
}
export interface MetricsStats {
totalRequests: number;
allowedRequests: number;
blockedRequests: number;
blockRate: number;
uniqueIPs: number;
uniqueUsers: number;
topBlockedIPs: Array<{ ip: string; count: number }>;
topBlockedUsers: Array<{ userId: string; count: number }>;
tierDistribution: Record<string, number>;
}
interface MetricsQueryParams {
action: 'stats' | 'recent' | 'function' | 'user' | 'ip';
limit?: number;
timeWindow?: number;
functionName?: string;
userId?: string;
clientIP?: string;
}
export function useRateLimitMetrics(params: MetricsQueryParams) {
return useQuery({
queryKey: ['rateLimitMetrics', params],
queryFn: async () => {
const queryParams = new URLSearchParams();
queryParams.set('action', params.action);
if (params.limit) queryParams.set('limit', params.limit.toString());
if (params.timeWindow) queryParams.set('timeWindow', params.timeWindow.toString());
if (params.functionName) queryParams.set('functionName', params.functionName);
if (params.userId) queryParams.set('userId', params.userId);
if (params.clientIP) queryParams.set('clientIP', params.clientIP);
const { data, error } = await supabase.functions.invoke('rate-limit-metrics', {
method: 'GET',
headers: {
'Content-Type': 'application/json',
},
body: queryParams,
});
if (error) throw error;
return data;
},
refetchInterval: 30000, // Refetch every 30 seconds
staleTime: 15000, // Consider data stale after 15 seconds
});
}
export function useRateLimitStats(timeWindow: number = 60000) {
return useRateLimitMetrics({ action: 'stats', timeWindow });
}
export function useRecentMetrics(limit: number = 100) {
return useRateLimitMetrics({ action: 'recent', limit });
}
export function useFunctionMetrics(functionName: string, limit: number = 100) {
return useRateLimitMetrics({ action: 'function', functionName, limit });
}

83
src/integrations/supabase/types.ts
View File

@@ -2950,6 +2950,89 @@ export type Database = {
}, },
] ]
} }
rate_limit_alert_config: {
Row: {
created_at: string
created_by: string | null
enabled: boolean
function_name: string | null
id: string
metric_type: string
threshold_value: number
time_window_ms: number
updated_at: string
}
Insert: {
created_at?: string
created_by?: string | null
enabled?: boolean
function_name?: string | null
id?: string
metric_type: string
threshold_value: number
time_window_ms?: number
updated_at?: string
}
Update: {
created_at?: string
created_by?: string | null
enabled?: boolean
function_name?: string | null
id?: string
metric_type?: string
threshold_value?: number
time_window_ms?: number
updated_at?: string
}
Relationships: []
}
rate_limit_alerts: {
Row: {
alert_message: string
config_id: string | null
created_at: string
function_name: string | null
id: string
metric_type: string
metric_value: number
resolved_at: string | null
threshold_value: number
time_window_ms: number
}
Insert: {
alert_message: string
config_id?: string | null
created_at?: string
function_name?: string | null
id?: string
metric_type: string
metric_value: number
resolved_at?: string | null
threshold_value: number
time_window_ms: number
}
Update: {
alert_message?: string
config_id?: string | null
created_at?: string
function_name?: string | null
id?: string
metric_type?: string
metric_value?: number
resolved_at?: string | null
threshold_value?: number
time_window_ms?: number
}
Relationships: [
{
foreignKeyName: "rate_limit_alerts_config_id_fkey"
columns: ["config_id"]
isOneToOne: false
referencedRelation: "rate_limit_alert_config"
referencedColumns: ["id"]
},
]
}
rate_limits: { rate_limits: {
Row: { Row: {
action: string action: string

519
src/pages/admin/RateLimitMetrics.tsx Normal file
View File

@@ -0,0 +1,519 @@
import { useState } from 'react';
import { useNavigate } from 'react-router-dom';
import { useAuth } from '@/hooks/useAuth';
import { useUserRole } from '@/hooks/useUserRole';
import { useRateLimitStats, useRecentMetrics } from '@/hooks/useRateLimitMetrics';
import { useAlertConfigs, useAlertHistory, useUnresolvedAlerts, useUpdateAlertConfig, useResolveAlert } from '@/hooks/useRateLimitAlerts';
import { useDocumentTitle } from '@/hooks/useDocumentTitle';
import { Card, CardContent, CardDescription, CardHeader, CardTitle } from '@/components/ui/card';
import { Tabs, TabsContent, TabsList, TabsTrigger } from '@/components/ui/tabs';
import { Select, SelectContent, SelectItem, SelectTrigger, SelectValue } from '@/components/ui/select';
import { Badge } from '@/components/ui/badge';
import { Button } from '@/components/ui/button';
import { Switch } from '@/components/ui/switch';
import { Input } from '@/components/ui/input';
import { Label } from '@/components/ui/label';
import { BarChart, Bar, XAxis, YAxis, CartesianGrid, Tooltip, ResponsiveContainer, PieChart, Pie, Cell, LineChart, Line, Legend } from 'recharts';
import { Activity, Shield, TrendingUp, Users, Clock, AlertTriangle, Bell, BellOff, CheckCircle } from 'lucide-react';
import { Skeleton } from '@/components/ui/skeleton';
import { Alert, AlertDescription } from '@/components/ui/alert';
import { format } from 'date-fns';
const COLORS = ['hsl(var(--primary))', 'hsl(var(--secondary))', 'hsl(var(--accent))', 'hsl(var(--muted))', 'hsl(var(--destructive))'];
export default function RateLimitMetrics() {
useDocumentTitle('Rate Limit Metrics');
const navigate = useNavigate();
const { user } = useAuth();
const { isModerator, loading: rolesLoading } = useUserRole();
const [timeWindow, setTimeWindow] = useState(60000); // 1 minute default
const { data: stats, isLoading: statsLoading, error: statsError } = useRateLimitStats(timeWindow);
const { data: recentData, isLoading: recentLoading } = useRecentMetrics(50);
const { data: alertConfigs, isLoading: alertConfigsLoading } = useAlertConfigs();
const { data: alertHistory, isLoading: alertHistoryLoading } = useAlertHistory(50);
const { data: unresolvedAlerts } = useUnresolvedAlerts();
const updateConfig = useUpdateAlertConfig();
const resolveAlert = useResolveAlert();
// Redirect if not authorized
if (!rolesLoading && !isModerator()) {
navigate('/');
return null;
}
if (!user || rolesLoading) {
return (
<div className="container mx-auto p-6 space-y-6">
<Skeleton className="h-12 w-64" />
<div className="grid gap-6 md:grid-cols-2 lg:grid-cols-4">
{[1, 2, 3, 4].map((i) => (
<Skeleton key={i} className="h-32" />
))}
</div>
</div>
);
}
const recentMetrics = recentData?.metrics || [];
// Prepare chart data
const tierData = stats?.tierDistribution ? Object.entries(stats.tierDistribution).map(([name, value]) => ({
name,
value,
})) : [];
const topBlockedIPsData = stats?.topBlockedIPs || [];
const topBlockedUsersData = stats?.topBlockedUsers || [];
// Calculate block rate percentage
const blockRatePercentage = stats?.blockRate ? (stats.blockRate * 100).toFixed(1) : '0.0';
return (
<div className="container mx-auto p-6 space-y-6">
{/* Header */}
<div className="flex items-center justify-between">
<div>
<h1 className="text-3xl font-bold tracking-tight">Rate Limit Metrics</h1>
<p className="text-muted-foreground">Monitor rate limiting activity and patterns</p>
</div>
<Select value={timeWindow.toString()} onValueChange={(v) => setTimeWindow(parseInt(v))}>
<SelectTrigger className="w-[180px]">
<SelectValue placeholder="Time window" />
</SelectTrigger>
<SelectContent>
<SelectItem value="60000">Last minute</SelectItem>
<SelectItem value="300000">Last 5 minutes</SelectItem>
<SelectItem value="900000">Last 15 minutes</SelectItem>
<SelectItem value="3600000">Last hour</SelectItem>
</SelectContent>
</Select>
</div>
{statsError && (
<Alert variant="destructive">
<AlertTriangle className="h-4 w-4" />
<AlertDescription>
Failed to load metrics: {statsError instanceof Error ? statsError.message : 'Unknown error'}
</AlertDescription>
</Alert>
)}
{/* Overview Stats */}
{statsLoading ? (
<div className="grid gap-6 md:grid-cols-2 lg:grid-cols-4">
{[1, 2, 3, 4].map((i) => (
<Skeleton key={i} className="h-32" />
))}
</div>
) : (
<div className="grid gap-6 md:grid-cols-2 lg:grid-cols-4">
<Card>
<CardHeader className="flex flex-row items-center justify-between space-y-0 pb-2">
<CardTitle className="text-sm font-medium">Total Requests</CardTitle>
<Activity className="h-4 w-4 text-muted-foreground" />
</CardHeader>
<CardContent>
<div className="text-2xl font-bold">{stats?.totalRequests || 0}</div>
<p className="text-xs text-muted-foreground">
{stats?.allowedRequests || 0} allowed, {stats?.blockedRequests || 0} blocked
</p>
</CardContent>
</Card>
<Card>
<CardHeader className="flex flex-row items-center justify-between space-y-0 pb-2">
<CardTitle className="text-sm font-medium">Block Rate</CardTitle>
<Shield className="h-4 w-4 text-muted-foreground" />
</CardHeader>
<CardContent>
<div className="text-2xl font-bold">{blockRatePercentage}%</div>
<p className="text-xs text-muted-foreground">
Percentage of blocked requests
</p>
</CardContent>
</Card>
<Card>
<CardHeader className="flex flex-row items-center justify-between space-y-0 pb-2">
<CardTitle className="text-sm font-medium">Unique IPs</CardTitle>
<TrendingUp className="h-4 w-4 text-muted-foreground" />
</CardHeader>
<CardContent>
<div className="text-2xl font-bold">{stats?.uniqueIPs || 0}</div>
<p className="text-xs text-muted-foreground">
Distinct client addresses
</p>
</CardContent>
</Card>
<Card>
<CardHeader className="flex flex-row items-center justify-between space-y-0 pb-2">
<CardTitle className="text-sm font-medium">Unique Users</CardTitle>
<Users className="h-4 w-4 text-muted-foreground" />
</CardHeader>
<CardContent>
<div className="text-2xl font-bold">{stats?.uniqueUsers || 0}</div>
<p className="text-xs text-muted-foreground">
Authenticated users
</p>
</CardContent>
</Card>
</div>
)}
<Tabs defaultValue="overview" className="space-y-6">
<TabsList>
<TabsTrigger value="overview">Overview</TabsTrigger>
<TabsTrigger value="blocked">Blocked Requests</TabsTrigger>
<TabsTrigger value="recent">Recent Activity</TabsTrigger>
<TabsTrigger value="alerts">
Alerts
{unresolvedAlerts && unresolvedAlerts.length > 0 && (
<Badge variant="destructive" className="ml-2">{unresolvedAlerts.length}</Badge>
)}
</TabsTrigger>
<TabsTrigger value="config">Configuration</TabsTrigger>
</TabsList>
<TabsContent value="overview" className="space-y-6">
<div className="grid gap-6 md:grid-cols-2">
{/* Tier Distribution */}
<Card>
<CardHeader>
<CardTitle>Tier Distribution</CardTitle>
<CardDescription>Requests by rate limit tier</CardDescription>
</CardHeader>
<CardContent>
{tierData.length > 0 ? (
<ResponsiveContainer width="100%" height={300}>
<PieChart>
<Pie
data={tierData}
cx="50%"
cy="50%"
labelLine={false}
label={({ name, percent }) => `${name}: ${(percent * 100).toFixed(0)}%`}
outerRadius={80}
fill="hsl(var(--primary))"
dataKey="value"
>
{tierData.map((entry, index) => (
<Cell key={`cell-${index}`} fill={COLORS[index % COLORS.length]} />
))}
</Pie>
<Tooltip />
</PieChart>
</ResponsiveContainer>
) : (
<div className="flex h-[300px] items-center justify-center text-muted-foreground">
No data available
</div>
)}
</CardContent>
</Card>
{/* Request Status */}
<Card>
<CardHeader>
<CardTitle>Request Status</CardTitle>
<CardDescription>Allowed vs blocked requests</CardDescription>
</CardHeader>
<CardContent>
<ResponsiveContainer width="100%" height={300}>
<BarChart
data={[
{ name: 'Allowed', count: stats?.allowedRequests || 0 },
{ name: 'Blocked', count: stats?.blockedRequests || 0 },
]}
>
<CartesianGrid strokeDasharray="3 3" />
<XAxis dataKey="name" />
<YAxis />
<Tooltip />
<Bar dataKey="count" fill="hsl(var(--primary))" />
</BarChart>
</ResponsiveContainer>
</CardContent>
</Card>
</div>
</TabsContent>
<TabsContent value="blocked" className="space-y-6">
<div className="grid gap-6 md:grid-cols-2">
{/* Top Blocked IPs */}
<Card>
<CardHeader>
<CardTitle>Top Blocked IPs</CardTitle>
<CardDescription>Most frequently blocked IP addresses</CardDescription>
</CardHeader>
<CardContent>
{topBlockedIPsData.length > 0 ? (
<ResponsiveContainer width="100%" height={300}>
<BarChart data={topBlockedIPsData} layout="vertical">
<CartesianGrid strokeDasharray="3 3" />
<XAxis type="number" />
<YAxis dataKey="ip" type="category" width={100} />
<Tooltip />
<Bar dataKey="count" fill="hsl(var(--destructive))" />
</BarChart>
</ResponsiveContainer>
) : (
<div className="flex h-[300px] items-center justify-center text-muted-foreground">
No blocked IPs in this time window
</div>
)}
</CardContent>
</Card>
{/* Top Blocked Users */}
<Card>
<CardHeader>
<CardTitle>Top Blocked Users</CardTitle>
<CardDescription>Most frequently blocked authenticated users</CardDescription>
</CardHeader>
<CardContent>
{topBlockedUsersData.length > 0 ? (
<div className="space-y-2">
{topBlockedUsersData.map((user, idx) => (
<div key={idx} className="flex items-center justify-between p-2 border rounded">
<span className="text-sm font-mono truncate flex-1">{user.userId}</span>
<Badge variant="destructive">{user.count}</Badge>
</div>
))}
</div>
) : (
<div className="flex h-[300px] items-center justify-center text-muted-foreground">
No blocked users in this time window
</div>
)}
</CardContent>
</Card>
</div>
</TabsContent>
<TabsContent value="recent" className="space-y-6">
<Card>
<CardHeader>
<CardTitle>Recent Activity</CardTitle>
<CardDescription>Last 50 rate limit checks</CardDescription>
</CardHeader>
<CardContent>
{recentLoading ? (
<div className="space-y-2">
{[1, 2, 3].map((i) => (
<Skeleton key={i} className="h-16" />
))}
</div>
) : recentMetrics.length > 0 ? (
<div className="space-y-2 max-h-[600px] overflow-y-auto">
{recentMetrics.map((metric, idx) => (
<div
key={idx}
className={`flex items-center justify-between p-3 border rounded ${
metric.allowed ? 'border-border' : 'border-destructive/50 bg-destructive/5'
}`}
>
<div className="flex items-center gap-4 flex-1">
<Clock className="h-4 w-4 text-muted-foreground" />
<div className="flex-1">
<div className="flex items-center gap-2">
<span className="font-mono text-sm">{metric.functionName}</span>
<Badge variant={metric.allowed ? 'secondary' : 'destructive'}>
{metric.allowed ? 'Allowed' : 'Blocked'}
</Badge>
<Badge variant="outline">{metric.tier}</Badge>
</div>
<div className="text-xs text-muted-foreground mt-1">
IP: {metric.clientIP} {metric.userId && `• User: ${metric.userId.slice(0, 8)}...`}
</div>
</div>
</div>
<div className="text-right">
<div className="text-sm font-medium">
{metric.allowed ? `${metric.remaining} left` : `Retry: ${metric.retryAfter}s`}
</div>
<div className="text-xs text-muted-foreground">
{format(new Date(metric.timestamp), 'HH:mm:ss')}
</div>
</div>
</div>
))}
</div>
) : (
<div className="flex h-[300px] items-center justify-center text-muted-foreground">
No recent activity
</div>
)}
</CardContent>
</Card>
</TabsContent>
<TabsContent value="alerts" className="space-y-6">
<Card>
<CardHeader>
<CardTitle>Alert History</CardTitle>
<CardDescription>Recent rate limit threshold violations</CardDescription>
</CardHeader>
<CardContent>
{alertHistoryLoading ? (
<div className="space-y-2">
{[1, 2, 3].map((i) => (
<Skeleton key={i} className="h-20" />
))}
</div>
) : alertHistory && alertHistory.length > 0 ? (
<div className="space-y-2 max-h-[600px] overflow-y-auto">
{alertHistory.map((alert) => (
<div
key={alert.id}
className={`flex items-start justify-between p-4 border rounded ${
alert.resolved_at ? 'border-border bg-muted/30' : 'border-destructive/50 bg-destructive/5'
}`}
>
<div className="flex-1">
<div className="flex items-center gap-2 mb-2">
{alert.resolved_at ? (
<CheckCircle className="h-4 w-4 text-muted-foreground" />
) : (
<AlertTriangle className="h-4 w-4 text-destructive" />
)}
<Badge variant={alert.resolved_at ? 'secondary' : 'destructive'}>
{alert.metric_type}
</Badge>
<span className="text-xs text-muted-foreground">
{format(new Date(alert.created_at), 'PPp')}
</span>
</div>
<p className="text-sm mb-2">{alert.alert_message}</p>
<div className="flex gap-4 text-xs text-muted-foreground">
<span>Value: {alert.metric_value.toFixed(2)}</span>
<span>Threshold: {alert.threshold_value.toFixed(2)}</span>
<span>Window: {alert.time_window_ms / 1000}s</span>
</div>
{alert.resolved_at && (
<p className="text-xs text-muted-foreground mt-1">
Resolved: {format(new Date(alert.resolved_at), 'PPp')}
</p>
)}
</div>
{!alert.resolved_at && (
<Button
size="sm"
variant="outline"
onClick={() => resolveAlert.mutate(alert.id)}
>
Resolve
</Button>
)}
</div>
))}
</div>
) : (
<div className="flex h-[300px] items-center justify-center text-muted-foreground">
No alerts triggered yet
</div>
)}
</CardContent>
</Card>
</TabsContent>
<TabsContent value="config" className="space-y-6">
<Card>
<CardHeader>
<CardTitle>Alert Configuration</CardTitle>
<CardDescription>Configure thresholds for automated alerts</CardDescription>
</CardHeader>
<CardContent>
{alertConfigsLoading ? (
<div className="space-y-4">
{[1, 2, 3].map((i) => (
<Skeleton key={i} className="h-24" />
))}
</div>
) : alertConfigs && alertConfigs.length > 0 ? (
<div className="space-y-4">
{alertConfigs.map((config) => (
<div key={config.id} className="p-4 border rounded space-y-3">
<div className="flex items-center justify-between">
<div className="flex items-center gap-3">
<Badge variant="outline">{config.metric_type}</Badge>
<Switch
checked={config.enabled}
onCheckedChange={(enabled) =>
updateConfig.mutate({ id: config.id, updates: { enabled } })
}
/>
{config.enabled ? (
<span className="text-sm text-muted-foreground flex items-center gap-1">
<Bell className="h-3 w-3" /> Enabled
</span>
) : (
<span className="text-sm text-muted-foreground flex items-center gap-1">
<BellOff className="h-3 w-3" /> Disabled
</span>
)}
</div>
</div>
<div className="grid grid-cols-2 gap-4">
<div>
<Label className="text-xs">Threshold Value</Label>
<Input
type="number"
step="0.01"
value={config.threshold_value}
onChange={(e) => {
const value = parseFloat(e.target.value);
if (!isNaN(value)) {
updateConfig.mutate({
id: config.id,
updates: { threshold_value: value }
});
}
}}
className="mt-1"
/>
<p className="text-xs text-muted-foreground mt-1">
{config.metric_type === 'block_rate' && 'Value between 0 and 1 (e.g., 0.5 = 50%)'}
{config.metric_type === 'total_requests' && 'Number of requests'}
{config.metric_type === 'unique_ips' && 'Number of unique IPs'}
</p>
</div>
<div>
<Label className="text-xs">Time Window (ms)</Label>
<Input
type="number"
step="1000"
value={config.time_window_ms}
onChange={(e) => {
const value = parseInt(e.target.value);
if (!isNaN(value)) {
updateConfig.mutate({
id: config.id,
updates: { time_window_ms: value }
});
}
}}
className="mt-1"
/>
<p className="text-xs text-muted-foreground mt-1">
Currently: {config.time_window_ms / 1000}s
</p>
</div>
</div>
</div>
))}
</div>
) : (
<div className="flex h-[200px] items-center justify-center text-muted-foreground">
No alert configurations found
</div>
)}
</CardContent>
</Card>
</TabsContent>
</Tabs>
</div>
);
}

6
supabase/config.toml
View File

@@ -85,3 +85,9 @@ verify_jwt = false
[functions.scheduled-maintenance] [functions.scheduled-maintenance]
verify_jwt = false verify_jwt = false
[functions.rate-limit-metrics]
verify_jwt = true
[functions.monitor-rate-limits]
verify_jwt = false

100
supabase/functions/_shared/rateLimiter.ts
View File

@@ -3,6 +3,9 @@
* Prevents abuse and DoS attacks with in-memory rate limiting * Prevents abuse and DoS attacks with in-memory rate limiting
*/ */
import { recordRateLimitMetric } from './rateLimitMetrics.ts';
import { extractUserIdFromAuth, getClientIP } from './authHelpers.ts';
export interface RateLimitConfig { export interface RateLimitConfig {
windowMs: number; // Time window in milliseconds windowMs: number; // Time window in milliseconds
maxRequests: number; // Max requests per window maxRequests: number; // Max requests per window
@@ -21,8 +24,12 @@ class RateLimiter {
private rateLimitMap = new Map<string, { count: number; resetAt: number }>(); private rateLimitMap = new Map<string, { count: number; resetAt: number }>();
private config: Required<RateLimitConfig>; private config: Required<RateLimitConfig>;
private cleanupInterval: number; private cleanupInterval: number;
private tierName: string;
private functionName?: string;
constructor(config: RateLimitConfig) { constructor(config: RateLimitConfig, tierName: string = 'custom', functionName?: string) {
this.tierName = tierName;
this.functionName = functionName;
this.config = { this.config = {
maxMapSize: 10000, maxMapSize: 10000,
keyGenerator: (req: Request) => this.getClientIP(req), keyGenerator: (req: Request) => this.getClientIP(req),
@@ -38,16 +45,8 @@ class RateLimiter {
} }
private getClientIP(req: Request): string { private getClientIP(req: Request): string {
if (this.config.trustProxy) { // Use centralized auth helper for consistent IP extraction
const forwarded = req.headers.get('x-forwarded-for'); return getClientIP(req);
if (forwarded) return forwarded.split(',')[0].trim();
const realIP = req.headers.get('x-real-ip');
if (realIP) return realIP;
}
// Fallback for testing
return '0.0.0.0';
} }
private cleanupExpiredEntries(): void { private cleanupExpiredEntries(): void {
@@ -73,15 +72,33 @@ class RateLimiter {
} }
} }
check(req: Request): RateLimitResult { check(req: Request, functionName?: string): RateLimitResult {
const key = this.config.keyGenerator(req); const key = this.config.keyGenerator(req);
const now = Date.now(); const now = Date.now();
const existing = this.rateLimitMap.get(key); const existing = this.rateLimitMap.get(key);
// Extract metadata for metrics
const clientIP = getClientIP(req);
const userId = extractUserIdFromAuth(req);
const actualFunctionName = functionName || this.functionName || 'unknown';
// Check existing entry // Check existing entry
if (existing && now <= existing.resetAt) { if (existing && now <= existing.resetAt) {
if (existing.count >= this.config.maxRequests) { if (existing.count >= this.config.maxRequests) {
const retryAfter = Math.ceil((existing.resetAt - now) / 1000); const retryAfter = Math.ceil((existing.resetAt - now) / 1000);
// Record blocked request metric
recordRateLimitMetric({
timestamp: now,
functionName: actualFunctionName,
clientIP,
userId: userId || undefined,
allowed: false,
remaining: 0,
retryAfter,
tier: this.tierName,
});
return { return {
allowed: false, allowed: false,
retryAfter, retryAfter,
@@ -89,9 +106,22 @@ class RateLimiter {
}; };
} }
existing.count++; existing.count++;
const remaining = this.config.maxRequests - existing.count;
// Record allowed request metric
recordRateLimitMetric({
timestamp: now,
functionName: actualFunctionName,
clientIP,
userId: userId || undefined,
allowed: true,
remaining,
tier: this.tierName,
});
return { return {
allowed: true, allowed: true,
remaining: this.config.maxRequests - existing.count remaining
}; };
} }
@@ -117,9 +147,22 @@ class RateLimiter {
resetAt: now + this.config.windowMs resetAt: now + this.config.windowMs
}); });
const remaining = this.config.maxRequests - 1;
// Record allowed request metric
recordRateLimitMetric({
timestamp: now,
functionName: actualFunctionName,
clientIP,
userId: userId || undefined,
allowed: true,
remaining,
tier: this.tierName,
});
return { return {
allowed: true, allowed: true,
remaining: this.config.maxRequests - 1 remaining
}; };
} }
@@ -143,8 +186,8 @@ import {
} from './rateLimitConfig.ts'; } from './rateLimitConfig.ts';
// Export factory function for creating custom rate limiters // Export factory function for creating custom rate limiters
export function createRateLimiter(config: RateLimitConfig): RateLimiter { export function createRateLimiter(config: RateLimitConfig, tierName?: string, functionName?: string): RateLimiter {
return new RateLimiter(config); return new RateLimiter(config, tierName, functionName);
} }
/** /**
@@ -155,41 +198,42 @@ export function createRateLimiter(config: RateLimitConfig): RateLimiter {
*/ */
export const rateLimiters = { export const rateLimiters = {
// Strict: 5 requests/minute - For expensive operations // Strict: 5 requests/minute - For expensive operations
strict: createRateLimiter(RATE_LIMIT_STRICT), strict: createRateLimiter(RATE_LIMIT_STRICT, 'strict'),
// Moderate: 10 requests/minute - For moderation and submissions // Moderate: 10 requests/minute - For moderation and submissions
moderate: createRateLimiter(RATE_LIMIT_MODERATE), moderate: createRateLimiter(RATE_LIMIT_MODERATE, 'moderate'),
// Standard: 20 requests/minute - For typical operations (DEPRECATED: use 'moderate' for 10/min or 'standard' for 20/min) // Standard: 20 requests/minute - For typical operations (DEPRECATED: use 'moderate' for 10/min or 'standard' for 20/min)
standard: createRateLimiter(RATE_LIMIT_MODERATE), // Keeping for backward compatibility standard: createRateLimiter(RATE_LIMIT_MODERATE, 'standard'), // Keeping for backward compatibility
// Lenient: 30 requests/minute - For lightweight reads // Lenient: 30 requests/minute - For lightweight reads
lenient: createRateLimiter(RATE_LIMIT_LENIENT), lenient: createRateLimiter(RATE_LIMIT_LENIENT, 'lenient'),
// Generous: 60 requests/minute - For high-frequency operations // Generous: 60 requests/minute - For high-frequency operations
generous: createRateLimiter(RATE_LIMIT_GENEROUS), generous: createRateLimiter(RATE_LIMIT_GENEROUS, 'generous'),
// Per-user rate limiters (key by user ID instead of IP) // Per-user rate limiters (key by user ID instead of IP)
perUserStrict: createRateLimiter(RATE_LIMIT_PER_USER_STRICT), perUserStrict: createRateLimiter(RATE_LIMIT_PER_USER_STRICT, 'perUserStrict'),
perUserModerate: createRateLimiter(RATE_LIMIT_PER_USER_MODERATE), perUserModerate: createRateLimiter(RATE_LIMIT_PER_USER_MODERATE, 'perUserModerate'),
perUserStandard: createRateLimiter(RATE_LIMIT_PER_USER_STANDARD), perUserStandard: createRateLimiter(RATE_LIMIT_PER_USER_STANDARD, 'perUserStandard'),
perUserLenient: createRateLimiter(RATE_LIMIT_PER_USER_LENIENT), perUserLenient: createRateLimiter(RATE_LIMIT_PER_USER_LENIENT, 'perUserLenient'),
// Legacy per-user factory function (DEPRECATED: use perUserStrict, perUserModerate, etc.) // Legacy per-user factory function (DEPRECATED: use perUserStrict, perUserModerate, etc.)
perUser: (maxRequests: number = 20) => createRateLimiter({ perUser: (maxRequests: number = 20) => createRateLimiter({
...RATE_LIMIT_PER_USER_STANDARD, ...RATE_LIMIT_PER_USER_STANDARD,
maxRequests, maxRequests,
}), }, 'perUser'),
}; };
// Middleware helper // Middleware helper
export function withRateLimit( export function withRateLimit(
handler: (req: Request) => Promise<Response>, handler: (req: Request) => Promise<Response>,
limiter: RateLimiter, limiter: RateLimiter,
corsHeaders: Record<string, string> = {} corsHeaders: Record<string, string> = {},
functionName?: string
): (req: Request) => Promise<Response> { ): (req: Request) => Promise<Response> {
return async (req: Request) => { return async (req: Request) => {
const result = limiter.check(req); const result = limiter.check(req, functionName);
if (!result.allowed) { if (!result.allowed) {
return new Response( return new Response(

282
supabase/functions/monitor-rate-limits/index.ts Normal file
View File

@@ -0,0 +1,282 @@
/**
* Rate Limit Monitor
*
* Periodically checks rate limit metrics against configured thresholds
* and triggers alerts when limits are exceeded.
*
* Designed to run as a cron job every 5 minutes.
*/
import { createClient } from 'jsr:@supabase/supabase-js@2';
import { getMetricsStats } from '../_shared/rateLimitMetrics.ts';
const corsHeaders = {
'Access-Control-Allow-Origin': '*',
'Access-Control-Allow-Headers': 'authorization, x-client-info, apikey, content-type',
};
interface AlertConfig {
id: string;
metric_type: 'block_rate' | 'total_requests' | 'unique_ips' | 'function_specific';
threshold_value: number;
time_window_ms: number;
function_name?: string;
enabled: boolean;
}
interface AlertCheck {
configId: string;
metricType: string;
metricValue: number;
thresholdValue: number;
timeWindowMs: number;
functionName?: string;
exceeded: boolean;
message: string;
}
async function checkAlertConditions(configs: AlertConfig[]): Promise<AlertCheck[]> {
const checks: AlertCheck[] = [];
for (const config of configs) {
if (!config.enabled) continue;
const stats = getMetricsStats(config.time_window_ms);
let metricValue = 0;
let exceeded = false;
let message = '';
switch (config.metric_type) {
case 'block_rate':
metricValue = stats.blockRate;
exceeded = metricValue > config.threshold_value;
message = `Rate limit block rate (${(metricValue * 100).toFixed(1)}%) exceeded threshold (${(config.threshold_value * 100).toFixed(1)}%) in last ${config.time_window_ms / 1000}s. ${stats.blockedRequests} of ${stats.totalRequests} requests blocked.`;
break;
case 'total_requests':
metricValue = stats.totalRequests;
exceeded = metricValue > config.threshold_value;
message = `Total requests (${metricValue}) exceeded threshold (${config.threshold_value}) in last ${config.time_window_ms / 1000}s.`;
break;
case 'unique_ips':
metricValue = stats.uniqueIPs;
exceeded = metricValue > config.threshold_value;
message = `Unique IPs (${metricValue}) exceeded threshold (${config.threshold_value}) in last ${config.time_window_ms / 1000}s. Possible DDoS attack.`;
break;
case 'function_specific':
// For function-specific alerts, we'd need to track metrics per function
// This would require enhancing the metrics system
console.log('Function-specific alerts not yet implemented');
continue;
}
checks.push({
configId: config.id,
metricType: config.metric_type,
metricValue,
thresholdValue: config.threshold_value,
timeWindowMs: config.time_window_ms,
functionName: config.function_name,
exceeded,
message,
});
}
return checks;
}
async function recordAlert(
supabase: any,
check: AlertCheck
): Promise<{ success: boolean; error?: string }> {
try {
const { error } = await supabase
.from('rate_limit_alerts')
.insert({
config_id: check.configId,
metric_type: check.metricType,
metric_value: check.metricValue,
threshold_value: check.thresholdValue,
time_window_ms: check.timeWindowMs,
function_name: check.functionName,
alert_message: check.message,
});
if (error) {
console.error('Failed to record alert:', error);
return { success: false, error: error.message };
}
return { success: true };
} catch (error) {
console.error('Exception recording alert:', error);
return {
success: false,
error: error instanceof Error ? error.message : 'Unknown error'
};
}
}
async function sendNotification(
supabase: any,
check: AlertCheck
): Promise<{ success: boolean; error?: string }> {
try {
// Send notification to moderators via the moderator topic
const { data, error } = await supabase.functions.invoke('trigger-notification', {
body: {
workflowId: 'rate-limit-alert',
topicKey: 'moderators',
payload: {
message: check.message,
metricType: check.metricType,
metricValue: check.metricValue,
thresholdValue: check.thresholdValue,
functionName: check.functionName || 'all',
},
overrides: {
email: {
subject: '🚨 Rate Limit Alert',
},
},
},
});
if (error) {
console.error('Failed to send notification:', error);
return { success: false, error: error.message };
}
return { success: true };
} catch (error) {
console.error('Exception sending notification:', error);
return {
success: false,
error: error instanceof Error ? error.message : 'Unknown error'
};
}
}
async function handler(req: Request): Promise<Response> {
// Handle CORS preflight
if (req.method === 'OPTIONS') {
return new Response(null, { headers: corsHeaders });
}
const startTime = Date.now();
console.log('Rate limit monitor starting...');
try {
const supabaseUrl = Deno.env.get('SUPABASE_URL')!;
const supabaseServiceKey = Deno.env.get('SUPABASE_SERVICE_ROLE_KEY')!;
const supabase = createClient(supabaseUrl, supabaseServiceKey);
// Fetch enabled alert configurations
const { data: configs, error: configError } = await supabase
.from('rate_limit_alert_config')
.select('*')
.eq('enabled', true);
if (configError) {
console.error('Failed to fetch alert configs:', configError);
return new Response(
JSON.stringify({
success: false,
error: 'Failed to fetch alert configurations',
details: configError.message
}),
{ status: 500, headers: { ...corsHeaders, 'Content-Type': 'application/json' } }
);
}
if (!configs || configs.length === 0) {
console.log('No enabled alert configurations found');
return new Response(
JSON.stringify({
success: true,
message: 'No enabled alert configurations',
checked: 0
}),
{ status: 200, headers: { ...corsHeaders, 'Content-Type': 'application/json' } }
);
}
console.log(`Checking ${configs.length} alert configurations...`);
// Check all alert conditions
const checks = await checkAlertConditions(configs);
const exceededChecks = checks.filter(c => c.exceeded);
console.log(`Found ${exceededChecks.length} threshold violations`);
// Process exceeded thresholds
const alertResults = [];
for (const check of exceededChecks) {
console.log(`Processing alert: ${check.message}`);
// Check if we've already sent a recent alert for this config
const { data: recentAlerts } = await supabase
.from('rate_limit_alerts')
.select('created_at')
.eq('config_id', check.configId)
.is('resolved_at', null)
.gte('created_at', new Date(Date.now() - 15 * 60 * 1000).toISOString()) // Last 15 minutes
.order('created_at', { ascending: false })
.limit(1);
if (recentAlerts && recentAlerts.length > 0) {
console.log(`Skipping alert - recent unresolved alert exists for config ${check.configId}`);
alertResults.push({
configId: check.configId,
skipped: true,
reason: 'Recent alert exists',
});
continue;
}
// Record the alert
const recordResult = await recordAlert(supabase, check);
// Send notification
const notifyResult = await sendNotification(supabase, check);
alertResults.push({
configId: check.configId,
metricType: check.metricType,
recorded: recordResult.success,
notified: notifyResult.success,
recordError: recordResult.error,
notifyError: notifyResult.error,
});
}
const duration = Date.now() - startTime;
console.log(`Monitor completed in ${duration}ms`);
return new Response(
JSON.stringify({
success: true,
checked: configs.length,
exceeded: exceededChecks.length,
alerts: alertResults,
duration_ms: duration,
}),
{ status: 200, headers: { ...corsHeaders, 'Content-Type': 'application/json' } }
);
} catch (error) {
console.error('Error in rate limit monitor:', error);
return new Response(
JSON.stringify({
success: false,
error: 'Internal server error',
message: error instanceof Error ? error.message : 'Unknown error',
}),
{ status: 500, headers: { ...corsHeaders, 'Content-Type': 'application/json' } }
);
}
}
Deno.serve(handler);

200
supabase/functions/rate-limit-metrics/index.ts Normal file
View File

@@ -0,0 +1,200 @@
/**
* Rate Limit Metrics API
*
* Exposes rate limiting metrics for monitoring and analysis.
* Requires admin/moderator authentication.
*/
import { createClient } from 'jsr:@supabase/supabase-js@2';
import { withRateLimit, rateLimiters } from '../_shared/rateLimiter.ts';
import {
getRecentMetrics,
getMetricsStats,
getFunctionMetrics,
getUserMetrics,
getIPMetrics,
clearMetrics,
} from '../_shared/rateLimitMetrics.ts';
const corsHeaders = {
'Access-Control-Allow-Origin': '*',
'Access-Control-Allow-Headers': 'authorization, x-client-info, apikey, content-type',
};
interface QueryParams {
action?: string;
limit?: string;
timeWindow?: string;
functionName?: string;
userId?: string;
clientIP?: string;
}
async function handler(req: Request): Promise<Response> {
// Handle CORS preflight
if (req.method === 'OPTIONS') {
return new Response(null, { headers: corsHeaders });
}
try {
// Verify authentication
const authHeader = req.headers.get('Authorization');
if (!authHeader) {
return new Response(
JSON.stringify({ error: 'Authentication required' }),
{ status: 401, headers: { ...corsHeaders, 'Content-Type': 'application/json' } }
);
}
const supabaseUrl = Deno.env.get('SUPABASE_URL')!;
const supabaseServiceKey = Deno.env.get('SUPABASE_SERVICE_ROLE_KEY')!;
const supabase = createClient(supabaseUrl, supabaseServiceKey, {
global: {
headers: { Authorization: authHeader },
},
});
// Get authenticated user
const { data: { user }, error: authError } = await supabase.auth.getUser();
if (authError || !user) {
return new Response(
JSON.stringify({ error: 'Invalid authentication' }),
{ status: 401, headers: { ...corsHeaders, 'Content-Type': 'application/json' } }
);
}
// Check if user has admin or moderator role
const { data: roles } = await supabase
.from('user_roles')
.select('role')
.eq('user_id', user.id);
const userRoles = roles?.map(r => r.role) || [];
const isAuthorized = userRoles.some(role =>
['admin', 'moderator', 'superuser'].includes(role)
);
if (!isAuthorized) {
return new Response(
JSON.stringify({ error: 'Insufficient permissions' }),
{ status: 403, headers: { ...corsHeaders, 'Content-Type': 'application/json' } }
);
}
// Parse query parameters
const url = new URL(req.url);
const action = url.searchParams.get('action') || 'stats';
const limit = parseInt(url.searchParams.get('limit') || '100', 10);
const timeWindow = parseInt(url.searchParams.get('timeWindow') || '60000', 10);
const functionName = url.searchParams.get('functionName');
const userId = url.searchParams.get('userId');
const clientIP = url.searchParams.get('clientIP');
let responseData: any;
// Route to appropriate metrics handler
switch (action) {
case 'recent':
responseData = {
metrics: getRecentMetrics(limit),
count: getRecentMetrics(limit).length,
};
break;
case 'stats':
responseData = getMetricsStats(timeWindow);
break;
case 'function':
if (!functionName) {
return new Response(
JSON.stringify({ error: 'functionName parameter required for function action' }),
{ status: 400, headers: { ...corsHeaders, 'Content-Type': 'application/json' } }
);
}
responseData = {
functionName,
metrics: getFunctionMetrics(functionName, limit),
count: getFunctionMetrics(functionName, limit).length,
};
break;
case 'user':
if (!userId) {
return new Response(
JSON.stringify({ error: 'userId parameter required for user action' }),
{ status: 400, headers: { ...corsHeaders, 'Content-Type': 'application/json' } }
);
}
responseData = {
userId,
metrics: getUserMetrics(userId, limit),
count: getUserMetrics(userId, limit).length,
};
break;
case 'ip':
if (!clientIP) {
return new Response(
JSON.stringify({ error: 'clientIP parameter required for ip action' }),
{ status: 400, headers: { ...corsHeaders, 'Content-Type': 'application/json' } }
);
}
responseData = {
clientIP,
metrics: getIPMetrics(clientIP, limit),
count: getIPMetrics(clientIP, limit).length,
};
break;
case 'clear':
// Only superusers can clear metrics
const isSuperuser = userRoles.includes('superuser');
if (!isSuperuser) {
return new Response(
JSON.stringify({ error: 'Only superusers can clear metrics' }),
{ status: 403, headers: { ...corsHeaders, 'Content-Type': 'application/json' } }
);
}
clearMetrics();
responseData = { success: true, message: 'Metrics cleared' };
break;
default:
return new Response(
JSON.stringify({
error: 'Invalid action',
validActions: ['recent', 'stats', 'function', 'user', 'ip', 'clear']
}),
{ status: 400, headers: { ...corsHeaders, 'Content-Type': 'application/json' } }
);
}
return new Response(
JSON.stringify(responseData),
{
status: 200,
headers: {
...corsHeaders,
'Content-Type': 'application/json',
}
}
);
} catch (error) {
console.error('Error in rate-limit-metrics function:', error);
return new Response(
JSON.stringify({
error: 'Internal server error',
message: error instanceof Error ? error.message : 'Unknown error'
}),
{
status: 500,
headers: { ...corsHeaders, 'Content-Type': 'application/json' }
}
);
}
}
// Apply rate limiting (lenient tier for admin monitoring)
Deno.serve(withRateLimit(handler, rateLimiters.lenient, corsHeaders, 'rate-limit-metrics'));

119
supabase/migrations/20251111001436_8ae81b81-5af4-451a-9e8f-9f011ede9e6b.sql Normal file
View File

@@ -0,0 +1,119 @@
-- Rate Limit Alert Configuration
-- Stores alert thresholds and tracks alert state
-- Alert configuration table
CREATE TABLE IF NOT EXISTS public.rate_limit_alert_config (
id UUID PRIMARY KEY DEFAULT gen_random_uuid(),
metric_type TEXT NOT NULL CHECK (metric_type IN ('block_rate', 'total_requests', 'unique_ips', 'function_specific')),
threshold_value NUMERIC NOT NULL,
time_window_ms INTEGER NOT NULL DEFAULT 60000,
function_name TEXT, -- nullable, only for function_specific alerts
enabled BOOLEAN NOT NULL DEFAULT true,
created_at TIMESTAMPTZ NOT NULL DEFAULT now(),
updated_at TIMESTAMPTZ NOT NULL DEFAULT now(),
created_by UUID REFERENCES auth.users(id),
CONSTRAINT unique_alert_config UNIQUE (metric_type, function_name)
);
-- Alert history table (tracks when alerts were triggered)
CREATE TABLE IF NOT EXISTS public.rate_limit_alerts (
id UUID PRIMARY KEY DEFAULT gen_random_uuid(),
config_id UUID REFERENCES public.rate_limit_alert_config(id) ON DELETE CASCADE,
metric_type TEXT NOT NULL,
metric_value NUMERIC NOT NULL,
threshold_value NUMERIC NOT NULL,
time_window_ms INTEGER NOT NULL,
function_name TEXT,
alert_message TEXT NOT NULL,
resolved_at TIMESTAMPTZ,
created_at TIMESTAMPTZ NOT NULL DEFAULT now()
);
-- Enable RLS
ALTER TABLE public.rate_limit_alert_config ENABLE ROW LEVEL SECURITY;
ALTER TABLE public.rate_limit_alerts ENABLE ROW LEVEL SECURITY;
-- RLS Policies for alert config (admin/moderator only)
CREATE POLICY "Moderators can view alert configs"
ON public.rate_limit_alert_config
FOR SELECT
TO authenticated
USING (
EXISTS (
SELECT 1 FROM public.user_roles
WHERE user_id = auth.uid()
AND role IN ('admin', 'moderator', 'superuser')
)
);
CREATE POLICY "Admins can manage alert configs"
ON public.rate_limit_alert_config
FOR ALL
TO authenticated
USING (
EXISTS (
SELECT 1 FROM public.user_roles
WHERE user_id = auth.uid()
AND role IN ('admin', 'superuser')
)
)
WITH CHECK (
EXISTS (
SELECT 1 FROM public.user_roles
WHERE user_id = auth.uid()
AND role IN ('admin', 'superuser')
)
);
-- RLS Policies for alert history (moderators can view)
CREATE POLICY "Moderators can view alert history"
ON public.rate_limit_alerts
FOR SELECT
TO authenticated
USING (
EXISTS (
SELECT 1 FROM public.user_roles
WHERE user_id = auth.uid()
AND role IN ('admin', 'moderator', 'superuser')
)
);
CREATE POLICY "System can insert alerts"
ON public.rate_limit_alerts
FOR INSERT
TO authenticated
WITH CHECK (true);
-- Indexes for performance
CREATE INDEX IF NOT EXISTS idx_rate_limit_alert_config_enabled ON public.rate_limit_alert_config(enabled);
CREATE INDEX IF NOT EXISTS idx_rate_limit_alert_config_metric_type ON public.rate_limit_alert_config(metric_type);
CREATE INDEX IF NOT EXISTS idx_rate_limit_alerts_created_at ON public.rate_limit_alerts(created_at DESC);
CREATE INDEX IF NOT EXISTS idx_rate_limit_alerts_config_id ON public.rate_limit_alerts(config_id);
CREATE INDEX IF NOT EXISTS idx_rate_limit_alerts_resolved ON public.rate_limit_alerts(resolved_at) WHERE resolved_at IS NULL;
-- Function to update updated_at timestamp
CREATE OR REPLACE FUNCTION update_rate_limit_alert_config_updated_at()
RETURNS TRIGGER AS $$
BEGIN
NEW.updated_at = now();
RETURN NEW;
END;
$$ LANGUAGE plpgsql;
-- Trigger for updated_at
CREATE TRIGGER update_rate_limit_alert_config_updated_at
BEFORE UPDATE ON public.rate_limit_alert_config
FOR EACH ROW
EXECUTE FUNCTION update_rate_limit_alert_config_updated_at();
-- Insert default alert configurations
INSERT INTO public.rate_limit_alert_config (metric_type, threshold_value, time_window_ms, enabled)
VALUES
('block_rate', 0.5, 300000, true), -- Alert if block rate > 50% in 5 minutes
('total_requests', 1000, 60000, true), -- Alert if total requests > 1000/minute
('unique_ips', 100, 300000, false) -- Alert if unique IPs > 100 in 5 minutes (disabled by default)
ON CONFLICT (metric_type, function_name) DO NOTHING;
-- Grant necessary permissions
GRANT SELECT, INSERT ON public.rate_limit_alerts TO authenticated;
GRANT SELECT ON public.rate_limit_alert_config TO authenticated;

22
supabase/migrations/20251111001647_55966c93-7179-4c9a-bbf8-d527edad506a.sql Normal file
View File

@@ -0,0 +1,22 @@
-- Fix security warning: Set search_path for rate limit alert function
-- Drop trigger first, then function, then recreate with proper search_path
DROP TRIGGER IF EXISTS update_rate_limit_alert_config_updated_at ON public.rate_limit_alert_config;
DROP FUNCTION IF EXISTS update_rate_limit_alert_config_updated_at();
CREATE OR REPLACE FUNCTION update_rate_limit_alert_config_updated_at()
RETURNS TRIGGER
LANGUAGE plpgsql
SECURITY DEFINER
SET search_path = public
AS $$
BEGIN
NEW.updated_at = now();
RETURN NEW;
END;
$$;
CREATE TRIGGER update_rate_limit_alert_config_updated_at
BEFORE UPDATE ON public.rate_limit_alert_config
FOR EACH ROW
EXECUTE FUNCTION update_rate_limit_alert_config_updated_at();