admin/goodgo-platform
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

feat(security): add per-endpoint API rate limiting with Redis sliding window

Browse Source 
Implement @EndpointRateLimit() decorator and EndpointRateLimitGuard for
granular per-endpoint rate limiting using a Redis sorted-set sliding window.
This prevents brute force attacks on auth endpoints, replay attacks on
payment callbacks, and scraping on search endpoints.

Applied rate limits:
- /auth/login: 5 req/min per IP
- /auth/register: 3 req/min per IP
- /listings POST: 10 req/min per user
- /search: 30 req/min per user
- /payments/callback/*: 100 req/min per IP

Features:
- True sliding window (sorted set) for accurate rate measurement
- Configurable key strategy (IP or authenticated user)
- Admin bypass support (enabled by default)
- Fail-open on Redis errors
- Proper 429 response with Retry-After header
- Rate limit headers (X-RateLimit-Limit/Remaining/Reset)
- 22 unit tests covering all scenarios

Co-Authored-By: Paperclip <noreply@paperclip.ing>
This commit is contained in:
Ho Ngoc Hai
2026-04-11 00:36:35 +07:00
parent f27b13f712
commit d824d16760
8 changed files with 777 additions and 4 deletions
Download Patch File Download Diff File Expand all files Collapse all files

5
apps/api/src/modules/listings/presentation/controllers/listings.controller.ts
View File

@@ -22,7 +22,7 @@ import {
ApiParam,
} from '@nestjs/swagger';
import { type JwtPayload, CurrentUser, Roles, JwtAuthGuard, RolesGuard } from '@modules/auth';
import { FileValidationPipe, type UploadedFile as ValidatedFile } from '@modules/shared';
import { EndpointRateLimit, EndpointRateLimitGuard, FileValidationPipe, type UploadedFile as ValidatedFile } from '@modules/shared';
import { RequireQuota, QuotaGuard } from '@modules/subscriptions';
import { CreateListingCommand } from '../../application/commands/create-listing/create-listing.command';
import { type CreateListingResult } from '../../application/commands/create-listing/create-listing.handler';
@@ -53,7 +53,8 @@ export class ListingsController {
@ApiResponse({ status: 400, description: 'Validation error' })
@ApiResponse({ status: 401, description: 'Unauthorized' })
@ApiResponse({ status: 403, description: 'Quota exceeded' })
@UseGuards(JwtAuthGuard, QuotaGuard)
@UseGuards(EndpointRateLimitGuard, JwtAuthGuard, QuotaGuard)
@EndpointRateLimit({ limit: 10, windowSeconds: 60, keyStrategy: 'user' })
@RequireQuota('listings_created')
@Post()
async createListing(