/** * Shared Rate Limiting Middleware for Edge Functions * Prevents abuse and DoS attacks with in-memory rate limiting */ export interface RateLimitConfig { windowMs: number; // Time window in milliseconds maxRequests: number; // Max requests per window maxMapSize?: number; // Max IPs to track (default: 10000) keyGenerator?: (req: Request) => string; // Custom key generator trustProxy?: boolean; // Trust X-Forwarded-For header } export interface RateLimitResult { allowed: boolean; retryAfter?: number; remaining?: number; } class RateLimiter { private rateLimitMap = new Map(); private config: Required; private cleanupInterval: number; constructor(config: RateLimitConfig) { this.config = { maxMapSize: 10000, keyGenerator: (req: Request) => this.getClientIP(req), trustProxy: true, ...config }; // Setup periodic cleanup this.cleanupInterval = setInterval( () => this.cleanupExpiredEntries(), Math.min(this.config.windowMs / 2, 30000) ); } private getClientIP(req: Request): string { if (this.config.trustProxy) { const forwarded = req.headers.get('x-forwarded-for'); if (forwarded) return forwarded.split(',')[0].trim(); const realIP = req.headers.get('x-real-ip'); if (realIP) return realIP; } // Fallback for testing return '0.0.0.0'; } private cleanupExpiredEntries(): void { try { const now = Date.now(); let deletedCount = 0; for (const [key, data] of this.rateLimitMap.entries()) { if (now > data.resetAt) { this.rateLimitMap.delete(key); deletedCount++; } } // Cleanup runs silently unless there are issues } catch (error) { // Emergency: Clear oldest 30% if cleanup fails if (this.rateLimitMap.size > this.config.maxMapSize) { const toClear = Math.floor(this.rateLimitMap.size * 0.3); const keys = Array.from(this.rateLimitMap.keys()).slice(0, toClear); keys.forEach(key => this.rateLimitMap.delete(key)); } } } check(req: Request): RateLimitResult { const key = this.config.keyGenerator(req); const now = Date.now(); const existing = this.rateLimitMap.get(key); // Check existing entry if (existing && now <= existing.resetAt) { if (existing.count >= this.config.maxRequests) { const retryAfter = Math.ceil((existing.resetAt - now) / 1000); return { allowed: false, retryAfter, remaining: 0 }; } existing.count++; return { allowed: true, remaining: this.config.maxRequests - existing.count }; } // Handle capacity if (!existing && this.rateLimitMap.size >= this.config.maxMapSize) { this.cleanupExpiredEntries(); // LRU eviction if still at capacity if (this.rateLimitMap.size >= this.config.maxMapSize) { const toDelete = Math.floor(this.config.maxMapSize * 0.3); const sortedEntries = Array.from(this.rateLimitMap.entries()) .sort((a, b) => a[1].resetAt - b[1].resetAt); for (let i = 0; i < toDelete && i < sortedEntries.length; i++) { this.rateLimitMap.delete(sortedEntries[i][0]); } } } // Create new entry this.rateLimitMap.set(key, { count: 1, resetAt: now + this.config.windowMs }); return { allowed: true, remaining: this.config.maxRequests - 1 }; } destroy(): void { clearInterval(this.cleanupInterval); this.rateLimitMap.clear(); } } // Export factory function for different rate limit tiers export function createRateLimiter(config: RateLimitConfig): RateLimiter { return new RateLimiter(config); } // Pre-configured rate limiters for common use cases export const rateLimiters = { // Strict: For expensive operations (file uploads, data exports) strict: createRateLimiter({ windowMs: 60000, // 1 minute maxRequests: 5, // 5 requests per minute }), // Standard: For most API endpoints standard: createRateLimiter({ windowMs: 60000, // 1 minute maxRequests: 10, // 10 requests per minute }), // Lenient: For read-only, cached endpoints lenient: createRateLimiter({ windowMs: 60000, // 1 minute maxRequests: 30, // 30 requests per minute }), // Per-user: For authenticated endpoints (uses user ID as key) perUser: (maxRequests: number = 20) => createRateLimiter({ windowMs: 60000, maxRequests, keyGenerator: (req: Request) => { // Extract user ID from Authorization header JWT const authHeader = req.headers.get('Authorization'); if (authHeader) { try { const token = authHeader.replace('Bearer ', ''); const payload = JSON.parse(atob(token.split('.')[1])); return `user:${payload.sub}`; } catch { // Fall back to IP if JWT parsing fails return req.headers.get('x-forwarded-for')?.split(',')[0] || '0.0.0.0'; } } return req.headers.get('x-forwarded-for')?.split(',')[0] || '0.0.0.0'; } }), }; // Middleware helper export function withRateLimit( handler: (req: Request) => Promise, limiter: RateLimiter, corsHeaders: Record = {} ): (req: Request) => Promise { return async (req: Request) => { const result = limiter.check(req); if (!result.allowed) { return new Response( JSON.stringify({ error: 'Rate limit exceeded', message: 'Too many requests. Please try again later.', retryAfter: result.retryAfter }), { status: 429, headers: { ...corsHeaders, 'Content-Type': 'application/json', 'Retry-After': String(result.retryAfter || 60), 'X-RateLimit-Limit': String(limiter['config'].maxRequests), 'X-RateLimit-Remaining': String(result.remaining || 0), } } ); } const response = await handler(req); // Add rate limit headers to successful responses if (result.remaining !== undefined) { response.headers.set('X-RateLimit-Limit', String(limiter['config'].maxRequests)); response.headers.set('X-RateLimit-Remaining', String(result.remaining)); } return response; }; }