feat(security): add per-endpoint API rate limiting with Redis sliding window

Implement @EndpointRateLimit() decorator and EndpointRateLimitGuard for granular per-endpoint rate limiting using a Redis sorted-set sliding window. This prevents brute force attacks on auth endpoints, replay attacks on payment callbacks, and scraping on search endpoints. Applied rate limits: - /auth/login: 5 req/min per IP - /auth/register: 3 req/min per IP - /listings POST: 10 req/min per user - /search: 30 req/min per user - /payments/callback/*: 100 req/min per IP Features: - True sliding window (sorted set) for accurate rate measurement - Configurable key strategy (IP or authenticated user) - Admin bypass support (enabled by default) - Fail-open on Redis errors - Proper 429 response with Retry-After header - Rate limit headers (X-RateLimit-Limit/Remaining/Reset) - 22 unit tests covering all scenarios Co-Authored-By: Paperclip <noreply@paperclip.ing>
2026-04-11 00:36:35 +07:00
parent f27b13f712
commit d824d16760
8 changed files with 777 additions and 4 deletions
--- a/apps/api/src/modules/auth/presentation/controllers/auth.controller.ts
+++ b/apps/api/src/modules/auth/presentation/controllers/auth.controller.ts
@@ -12,7 +12,7 @@ import { type CommandBus, type QueryBus } from '@nestjs/cqrs';
 import { ApiTags, ApiOperation, ApiResponse, ApiBearerAuth, ApiBody } from '@nestjs/swagger';
 import { Throttle } from '@nestjs/throttler';
 import { type Request, type Response } from 'express';
-import { UnauthorizedException } from '@modules/shared';
+import { EndpointRateLimit, EndpointRateLimitGuard, UnauthorizedException } from '@modules/shared';
 import { LoginUserCommand } from '../../application/commands/login-user/login-user.command';
 import { RefreshTokenCommand } from '../../application/commands/refresh-token/refresh-token.command';
 import { RegisterUserCommand } from '../../application/commands/register-user/register-user.command';
@@ -79,6 +79,8 @@ export class AuthController {
  ) {}
  @Throttle({ default: { ttl: 3_600_000, limit: AUTH_RATE_LIMIT }, auth: { ttl: 3_600_000, limit: AUTH_RATE_LIMIT } })
  @EndpointRateLimit({ limit: IS_TEST ? 10_000 : 3, windowSeconds: 60, keyStrategy: 'ip' })
  @UseGuards(EndpointRateLimitGuard)
  @Post('register')
  @ApiOperation({ summary: 'Register a new user' })
  @ApiResponse({ status: 201, description: 'User registered, auth cookies set' })
@@ -100,7 +102,8 @@ export class AuthController {
  }
  @Throttle({ default: { ttl: 3_600_000, limit: AUTH_RATE_LIMIT }, auth: { ttl: 3_600_000, limit: AUTH_RATE_LIMIT } })
-  @UseGuards(LocalAuthGuard)
+  @EndpointRateLimit({ limit: IS_TEST ? 10_000 : 5, windowSeconds: 60, keyStrategy: 'ip' })
  @UseGuards(EndpointRateLimitGuard, LocalAuthGuard)
  @Post('login')
  @ApiOperation({ summary: 'Login with phone and password' })
  @ApiBody({ type: LoginDto })
--- a/apps/api/src/modules/listings/presentation/controllers/listings.controller.ts
+++ b/apps/api/src/modules/listings/presentation/controllers/listings.controller.ts
@@ -22,7 +22,7 @@ import {
  ApiParam,
 } from '@nestjs/swagger';
 import { type JwtPayload, CurrentUser, Roles, JwtAuthGuard, RolesGuard } from '@modules/auth';
-import { FileValidationPipe, type UploadedFile as ValidatedFile } from '@modules/shared';
+import { EndpointRateLimit, EndpointRateLimitGuard, FileValidationPipe, type UploadedFile as ValidatedFile } from '@modules/shared';
 import { RequireQuota, QuotaGuard } from '@modules/subscriptions';
 import { CreateListingCommand } from '../../application/commands/create-listing/create-listing.command';
 import { type CreateListingResult } from '../../application/commands/create-listing/create-listing.handler';
@@ -53,7 +53,8 @@ export class ListingsController {
  @ApiResponse({ status: 400, description: 'Validation error' })
  @ApiResponse({ status: 401, description: 'Unauthorized' })
  @ApiResponse({ status: 403, description: 'Quota exceeded' })
-  @UseGuards(JwtAuthGuard, QuotaGuard)
+  @UseGuards(EndpointRateLimitGuard, JwtAuthGuard, QuotaGuard)
  @EndpointRateLimit({ limit: 10, windowSeconds: 60, keyStrategy: 'user' })
  @RequireQuota('listings_created')
  @Post()
  async createListing(
--- a/apps/api/src/modules/payments/presentation/controllers/payments.controller.ts
+++ b/apps/api/src/modules/payments/presentation/controllers/payments.controller.ts
@@ -19,6 +19,7 @@ import {
 import { Throttle } from '@nestjs/throttler';
 import { type PaymentProvider } from '@prisma/client';
 import { type JwtPayload, CurrentUser, Roles, JwtAuthGuard, RolesGuard } from '@modules/auth';
 import { EndpointRateLimit, EndpointRateLimitGuard } from '@modules/shared';
 import { CreatePaymentCommand } from '../../application/commands/create-payment/create-payment.command';
 import { type CreatePaymentResult } from '../../application/commands/create-payment/create-payment.handler';
 import { HandleCallbackCommand } from '../../application/commands/handle-callback/handle-callback.command';
@@ -72,6 +73,8 @@ export class PaymentsController {
  @ApiResponse({ status: 201, description: 'Callback processed successfully' })
  @ApiParam({ name: 'provider', enum: ['vnpay', 'momo', 'zalopay'] })
  @Throttle({ 'payment-callback': { ttl: 60_000, limit: 20 } })
  @EndpointRateLimit({ limit: 100, windowSeconds: 60, keyStrategy: 'ip', adminBypass: false })
  @UseGuards(EndpointRateLimitGuard)
  @Post('callback/:provider')
  async handleCallback(
    @Param('provider') provider: string,
--- a/apps/api/src/modules/search/presentation/controllers/search.controller.ts
+++ b/apps/api/src/modules/search/presentation/controllers/search.controller.ts
@@ -13,6 +13,7 @@ import {
  ApiBearerAuth,
 } from '@nestjs/swagger';
 import { Roles, JwtAuthGuard, RolesGuard } from '@modules/auth';
 import { EndpointRateLimit, EndpointRateLimitGuard } from '@modules/shared';
 import { ReindexAllCommand } from '../../application/commands/reindex-all/reindex-all.command';
 import { type ReindexResult } from '../../application/commands/reindex-all/reindex-all.handler';
 import { GeoSearchQuery } from '../../application/queries/geo-search/geo-search.query';
@@ -29,6 +30,8 @@ export class SearchController {
    private readonly queryBus: QueryBus,
  ) {}
  @EndpointRateLimit({ limit: 30, windowSeconds: 60, keyStrategy: 'user' })
  @UseGuards(EndpointRateLimitGuard)
  @Get()
  @ApiOperation({ summary: 'Search properties', description: 'Public full-text and faceted property search' })
  @ApiResponse({ status: 200, description: 'Search results returned successfully' })
@@ -52,6 +55,8 @@ export class SearchController {
    );
  }
  @EndpointRateLimit({ limit: 30, windowSeconds: 60, keyStrategy: 'user' })
  @UseGuards(EndpointRateLimitGuard)
  @Get('geo')
  @ApiOperation({ summary: 'Geo search properties', description: 'Public geographic radius property search' })
  @ApiResponse({ status: 200, description: 'Geo search results returned successfully' })
--- a/apps/api/src/modules/shared/infrastructure/tests/endpoint-rate-limit.guard.spec.ts
+++ b/apps/api/src/modules/shared/infrastructure/tests/endpoint-rate-limit.guard.spec.ts
@@ -0,0 +1,480 @@
 import { HttpException, HttpStatus, type ExecutionContext } from '@nestjs/common';
 import type { Reflector } from '@nestjs/core';
 import { type EndpointRateLimitOptions } from '../decorators/endpoint-rate-limit.decorator';
 import { EndpointRateLimitGuard } from '../guards/endpoint-rate-limit.guard';
 // ── helpers ──────────────────────────────────────────────────────────────────
 function mockRedis(
  overrides: Partial<{
    evalResult: [number, number];
    throwError: boolean;
  }> = {},
 ) {
  const evalFn = overrides.throwError
    ? vi.fn().mockRejectedValue(new Error('Redis connection lost'))
    : vi.fn().mockResolvedValue(overrides.evalResult ?? [1, 0]);
  return {
    getClient: vi.fn().mockReturnValue({ eval: evalFn }),
    isAvailable: vi.fn().mockReturnValue(!overrides.throwError),
    get: vi.fn(),
    set: vi.fn(),
    del: vi.fn(),
    onModuleDestroy: vi.fn(),
  } as any;
 }
 function mockLogger() {
  return {
    log: vi.fn(),
    warn: vi.fn(),
    error: vi.fn(),
    debug: vi.fn(),
  } as any;
 }
 function mockReflector(options?: EndpointRateLimitOptions | undefined) {
  return {
    getAllAndOverride: vi.fn().mockReturnValue(options ?? undefined),
  } as unknown as Reflector;
 }
 interface MockContextOptions {
  user?: { sub: string; role: string } | null;
  method?: string;
  path?: string;
  routePath?: string;
  ip?: string;
  forwarded?: string | string[];
 }
 function buildContext(opts: MockContextOptions = {}): ExecutionContext {
  const headers: Record<string, string | string[] | undefined> = {};
  if (opts.forwarded !== undefined) {
    headers['x-forwarded-for'] = opts.forwarded;
  }
  const response = { setHeader: vi.fn() };
  const user = 'user' in opts ? opts.user : null;
  return {
    switchToHttp: () => ({
      getRequest: () => ({
        user,
        method: opts.method ?? 'GET',
        path: opts.path ?? '/search',
        route: opts.routePath ? { path: opts.routePath } : undefined,
        ip: opts.ip ?? '192.168.1.1',
        headers,
      }),
      getResponse: () => response,
    }),
    getHandler: () => ({ name: 'testHandler' }),
    getClass: () => ({ name: 'TestController' }),
  } as unknown as ExecutionContext;
 }
 // ── tests ────────────────────────────────────────────────────────────────────
 describe('EndpointRateLimitGuard', () => {
  describe('when no @EndpointRateLimit decorator is present', () => {
    it('allows request (skips rate limiting)', async () => {
      const redis = mockRedis();
      const guard = new EndpointRateLimitGuard(redis, mockReflector(), mockLogger());
      const result = await guard.canActivate(buildContext());
      expect(result).toBe(true);
      // Redis should not be called at all
      expect(redis.getClient).not.toHaveBeenCalled();
    });
  });
  describe('when @EndpointRateLimit is present', () => {
    const defaultOptions: EndpointRateLimitOptions = {
      limit: 5,
      windowSeconds: 60,
      keyStrategy: 'ip',
    };
    it('allows request within rate limit', async () => {
      const redis = mockRedis({ evalResult: [1, 0] });
      const guard = new EndpointRateLimitGuard(
        redis,
        mockReflector(defaultOptions),
        mockLogger(),
      );
      const result = await guard.canActivate(buildContext());
      expect(result).toBe(true);
    });
    it('rejects request with 429 when limit exceeded', async () => {
      // current=5 (at limit), retryAfterMs=30000
      const redis = mockRedis({ evalResult: [5, 30_000] });
      const guard = new EndpointRateLimitGuard(
        redis,
        mockReflector(defaultOptions),
        mockLogger(),
      );
      await expect(guard.canActivate(buildContext())).rejects.toThrow(HttpException);
      try {
        await guard.canActivate(buildContext());
      } catch (error) {
        expect(error).toBeInstanceOf(HttpException);
        expect((error as HttpException).getStatus()).toBe(HttpStatus.TOO_MANY_REQUESTS);
        const body = (error as HttpException).getResponse();
        expect(body).toMatchObject({
          statusCode: 429,
          message: 'Too many requests. Please try again later.',
          retryAfter: 30, // 30000ms → 30s
        });
      }
    });
    it('sets rate limit headers on allowed requests', async () => {
      const redis = mockRedis({ evalResult: [3, 0] });
      const guard = new EndpointRateLimitGuard(
        redis,
        mockReflector(defaultOptions),
        mockLogger(),
      );
      const ctx = buildContext();
      await guard.canActivate(ctx);
      const response = ctx.switchToHttp().getResponse();
      expect(response.setHeader).toHaveBeenCalledWith('X-RateLimit-Limit', 5);
      expect(response.setHeader).toHaveBeenCalledWith('X-RateLimit-Remaining', 2); // 5 - 3
      expect(response.setHeader).toHaveBeenCalledWith('X-RateLimit-Reset', 60);
    });
    it('sets Retry-After header when limit exceeded', async () => {
      const redis = mockRedis({ evalResult: [5, 45_000] });
      const guard = new EndpointRateLimitGuard(
        redis,
        mockReflector(defaultOptions),
        mockLogger(),
      );
      const ctx = buildContext();
      try {
        await guard.canActivate(ctx);
      } catch {
        // expected
      }
      const response = ctx.switchToHttp().getResponse();
      expect(response.setHeader).toHaveBeenCalledWith('Retry-After', 45);
    });
  });
  describe('key strategy', () => {
    it('uses IP-based key by default', async () => {
      const redis = mockRedis({ evalResult: [1, 0] });
      const guard = new EndpointRateLimitGuard(
        redis,
        mockReflector({ limit: 5, keyStrategy: 'ip' }),
        mockLogger(),
      );
      await guard.canActivate(
        buildContext({ ip: '10.0.0.1', method: 'POST', routePath: '/auth/login' }),
      );
      const evalCall = redis.getClient().eval.mock.calls[0];
      const key: string = evalCall[2];
      expect(key).toContain('ip:10.0.0.1');
      expect(key).toContain('POST');
      expect(key).toContain('/auth/login');
    });
    it('uses X-Forwarded-For IP when available', async () => {
      const redis = mockRedis({ evalResult: [1, 0] });
      const guard = new EndpointRateLimitGuard(
        redis,
        mockReflector({ limit: 5, keyStrategy: 'ip' }),
        mockLogger(),
      );
      await guard.canActivate(
        buildContext({ forwarded: '203.0.113.5, 70.41.3.18', ip: '127.0.0.1' }),
      );
      const evalCall = redis.getClient().eval.mock.calls[0];
      const key: string = evalCall[2];
      expect(key).toContain('ip:203.0.113.5');
    });
    it('uses authenticated user ID when strategy is "user"', async () => {
      const redis = mockRedis({ evalResult: [1, 0] });
      const guard = new EndpointRateLimitGuard(
        redis,
        mockReflector({ limit: 10, keyStrategy: 'user' }),
        mockLogger(),
      );
      await guard.canActivate(
        buildContext({
          user: { sub: 'user-abc', role: 'BUYER' },
          method: 'POST',
          routePath: '/listings',
        }),
      );
      const evalCall = redis.getClient().eval.mock.calls[0];
      const key: string = evalCall[2];
      expect(key).toContain('user:user-abc');
      expect(key).toContain('POST');
      expect(key).toContain('/listings');
    });
    it('falls back to IP when strategy is "user" but no authenticated user', async () => {
      const redis = mockRedis({ evalResult: [1, 0] });
      const guard = new EndpointRateLimitGuard(
        redis,
        mockReflector({ limit: 30, keyStrategy: 'user' }),
        mockLogger(),
      );
      await guard.canActivate(
        buildContext({ user: null, ip: '10.0.0.5', routePath: '/search' }),
      );
      const evalCall = redis.getClient().eval.mock.calls[0];
      const key: string = evalCall[2];
      expect(key).toContain('ip:10.0.0.5');
    });
  });
  describe('admin bypass', () => {
    it('bypasses rate limit for ADMIN users by default', async () => {
      const redis = mockRedis();
      const guard = new EndpointRateLimitGuard(
        redis,
        mockReflector({ limit: 5, keyStrategy: 'ip' }),
        mockLogger(),
      );
      const result = await guard.canActivate(
        buildContext({ user: { sub: 'admin-1', role: 'ADMIN' } }),
      );
      expect(result).toBe(true);
      // Redis should not be called — admin bypasses
      expect(redis.getClient).not.toHaveBeenCalled();
    });
    it('does not bypass ADMIN when adminBypass is false', async () => {
      const redis = mockRedis({ evalResult: [1, 0] });
      const guard = new EndpointRateLimitGuard(
        redis,
        mockReflector({ limit: 100, keyStrategy: 'ip', adminBypass: false }),
        mockLogger(),
      );
      await guard.canActivate(
        buildContext({ user: { sub: 'admin-1', role: 'ADMIN' } }),
      );
      // Redis WAS called — no bypass
      expect(redis.getClient).toHaveBeenCalled();
    });
    it('does not bypass for non-ADMIN roles', async () => {
      const redis = mockRedis({ evalResult: [1, 0] });
      const guard = new EndpointRateLimitGuard(
        redis,
        mockReflector({ limit: 5, keyStrategy: 'ip' }),
        mockLogger(),
      );
      await guard.canActivate(
        buildContext({ user: { sub: 'buyer-1', role: 'BUYER' } }),
      );
      expect(redis.getClient).toHaveBeenCalled();
    });
  });
  describe('fail-open behavior', () => {
    it('allows request when Redis throws an error', async () => {
      const redis = mockRedis({ throwError: true });
      const logger = mockLogger();
      const guard = new EndpointRateLimitGuard(
        redis,
        mockReflector({ limit: 5, keyStrategy: 'ip' }),
        logger,
      );
      const result = await guard.canActivate(buildContext());
      expect(result).toBe(true);
      expect(logger.warn).toHaveBeenCalledWith(
        expect.stringContaining('Endpoint rate limit check failed'),
        'EndpointRateLimitGuard',
      );
    });
    it('re-throws 429 errors (does not swallow intentional rejections)', async () => {
      // Simulate a situation where Redis returns limit exceeded
      const redis = mockRedis({ evalResult: [5, 30_000] });
      const guard = new EndpointRateLimitGuard(
        redis,
        mockReflector({ limit: 5, keyStrategy: 'ip' }),
        mockLogger(),
      );
      await expect(guard.canActivate(buildContext())).rejects.toThrow(HttpException);
    });
  });
  describe('window seconds', () => {
    it('defaults to 60 seconds when windowSeconds is not specified', async () => {
      const redis = mockRedis({ evalResult: [1, 0] });
      const guard = new EndpointRateLimitGuard(
        redis,
        mockReflector({ limit: 5 }), // no windowSeconds
        mockLogger(),
      );
      await guard.canActivate(buildContext());
      const evalCall = redis.getClient().eval.mock.calls[0];
      // ARGV[2] = windowMs = 60 * 1000
      expect(evalCall[4]).toBe(60_000);
      // ARGV[5] = windowSeconds = 60
      expect(evalCall[7]).toBe(60);
    });
    it('uses custom window seconds when specified', async () => {
      const redis = mockRedis({ evalResult: [1, 0] });
      const guard = new EndpointRateLimitGuard(
        redis,
        mockReflector({ limit: 10, windowSeconds: 120 }),
        mockLogger(),
      );
      await guard.canActivate(buildContext());
      const evalCall = redis.getClient().eval.mock.calls[0];
      // ARGV[2] = windowMs = 120 * 1000
      expect(evalCall[4]).toBe(120_000);
      // ARGV[5] = windowSeconds = 120
      expect(evalCall[7]).toBe(120);
    });
  });
  describe('logging', () => {
    it('logs warning when rate limit exceeded', async () => {
      const redis = mockRedis({ evalResult: [5, 30_000] });
      const logger = mockLogger();
      const guard = new EndpointRateLimitGuard(
        redis,
        mockReflector({ limit: 5, keyStrategy: 'ip' }),
        logger,
      );
      try {
        await guard.canActivate(buildContext({ method: 'POST', routePath: '/auth/login' }));
      } catch {
        // expected
      }
      expect(logger.warn).toHaveBeenCalledWith(
        expect.stringContaining('Endpoint rate limit exceeded'),
        'EndpointRateLimitGuard',
      );
    });
    it('logs warning on Redis failure', async () => {
      const redis = mockRedis({ throwError: true });
      const logger = mockLogger();
      const guard = new EndpointRateLimitGuard(
        redis,
        mockReflector({ limit: 5, keyStrategy: 'ip' }),
        logger,
      );
      await guard.canActivate(buildContext());
      expect(logger.warn).toHaveBeenCalledWith(
        expect.stringContaining('Redis error'),
        'EndpointRateLimitGuard',
      );
    });
  });
  describe('Retry-After computation', () => {
    it('ensures minimum Retry-After of 1 second', async () => {
      // retryAfterMs = 500 → should ceil to 1 second
      const redis = mockRedis({ evalResult: [5, 500] });
      const guard = new EndpointRateLimitGuard(
        redis,
        mockReflector({ limit: 5, keyStrategy: 'ip' }),
        mockLogger(),
      );
      const ctx = buildContext();
      try {
        await guard.canActivate(ctx);
      } catch (error) {
        const body = (error as HttpException).getResponse() as any;
        expect(body.retryAfter).toBe(1);
      }
    });
    it('rounds up Retry-After to next second', async () => {
      // retryAfterMs = 15100 → should ceil to 16 seconds
      const redis = mockRedis({ evalResult: [5, 15_100] });
      const guard = new EndpointRateLimitGuard(
        redis,
        mockReflector({ limit: 5, keyStrategy: 'ip' }),
        mockLogger(),
      );
      const ctx = buildContext();
      try {
        await guard.canActivate(ctx);
      } catch (error) {
        const body = (error as HttpException).getResponse() as any;
        expect(body.retryAfter).toBe(16);
      }
    });
  });
  describe('endpoint path in key', () => {
    it('uses route path when available', async () => {
      const redis = mockRedis({ evalResult: [1, 0] });
      const guard = new EndpointRateLimitGuard(
        redis,
        mockReflector({ limit: 100, keyStrategy: 'ip' }),
        mockLogger(),
      );
      await guard.canActivate(
        buildContext({ routePath: '/payments/callback/:provider', path: '/payments/callback/vnpay' }),
      );
      const evalCall = redis.getClient().eval.mock.calls[0];
      const key: string = evalCall[2];
      // Should use the route pattern, not the resolved path
      expect(key).toContain('/payments/callback/:provider');
    });
    it('falls back to request path when no route defined', async () => {
      const redis = mockRedis({ evalResult: [1, 0] });
      const guard = new EndpointRateLimitGuard(
        redis,
        mockReflector({ limit: 30, keyStrategy: 'ip' }),
        mockLogger(),
      );
      await guard.canActivate(buildContext({ path: '/search' }));
      const evalCall = redis.getClient().eval.mock.calls[0];
      const key: string = evalCall[2];
      expect(key).toContain('/search');
    });
  });
 });
--- a/apps/api/src/modules/shared/infrastructure/decorators/endpoint-rate-limit.decorator.ts
+++ b/apps/api/src/modules/shared/infrastructure/decorators/endpoint-rate-limit.decorator.ts
@@ -0,0 +1,57 @@
 import { SetMetadata } from '@nestjs/common';
 /**
 * Metadata key for per-endpoint rate limit configuration.
 * Read by EndpointRateLimitGuard via reflector.
 */
 export const ENDPOINT_RATE_LIMIT_KEY = 'endpoint_rate_limit';
 export interface EndpointRateLimitOptions {
  /**
   * Maximum number of requests allowed within the window.
   * @example 5 (for login: 5 attempts per minute)
   */
  limit: number;
  /**
   * Sliding window duration in seconds.
   * @default 60
   */
  windowSeconds?: number;
  /**
   * Key strategy for identifying the requester:
   * - `'ip'`   — key by client IP (for unauthenticated endpoints like login/register)
   * - `'user'` — key by authenticated user ID (falls back to IP if unauthenticated)
   * @default 'ip'
   */
  keyStrategy?: 'ip' | 'user';
  /**
   * Whether ADMIN users bypass this rate limit.
   * @default true
   */
  adminBypass?: boolean;
 }
 /**
 * Decorator to configure per-endpoint rate limiting with Redis sliding window.
 *
 * Works in conjunction with `EndpointRateLimitGuard`. Apply it to specific
 * controller methods or the entire controller class to enforce granular
 * rate limits keyed by IP or authenticated user + endpoint path.
 *
 * @example
 * // Login: 5 attempts per minute per IP
 * @EndpointRateLimit({ limit: 5, windowSeconds: 60, keyStrategy: 'ip' })
 *
 * @example
 * // Listing creation: 10 per minute per user
 * @EndpointRateLimit({ limit: 10, windowSeconds: 60, keyStrategy: 'user' })
 *
 * @example
 * // Search: 30 per minute per user, admin bypass enabled
 * @EndpointRateLimit({ limit: 30, windowSeconds: 60, keyStrategy: 'user', adminBypass: true })
 */
 export const EndpointRateLimit = (options: EndpointRateLimitOptions) =>
  SetMetadata<string, EndpointRateLimitOptions>(ENDPOINT_RATE_LIMIT_KEY, options);
--- a/apps/api/src/modules/shared/infrastructure/guards/endpoint-rate-limit.guard.ts
+++ b/apps/api/src/modules/shared/infrastructure/guards/endpoint-rate-limit.guard.ts
@@ -0,0 +1,218 @@
 import {
  Injectable,
  type CanActivate,
  type ExecutionContext,
  HttpException,
  HttpStatus,
 } from '@nestjs/common';
 import { type Reflector } from '@nestjs/core';
 import { type Request, type Response } from 'express';
 import {
  ENDPOINT_RATE_LIMIT_KEY,
  type EndpointRateLimitOptions,
 } from '../decorators/endpoint-rate-limit.decorator';
 import { type LoggerService } from '../logger.service';
 import { type RedisService } from '../redis.service';
 /** Express request extended with optional JWT user payload. */
 interface AuthenticatedRequest extends Request {
  user?: { sub: string; role: string };
  route?: { path: string };
 }
 /**
 * Lua script implementing a true sliding-window rate limiter using a Redis sorted set.
 *
 * Algorithm:
 * 1. Remove all entries outside the current window (older than `now - windowMs`).
 * 2. Count remaining entries (= requests within the window).
 * 3. If under the limit, add the current request with score = current timestamp.
 * 4. Set TTL on the key to auto-expire after the window.
 * 5. Return [currentCount, oldestEntryAge] so we can compute Retry-After.
 *
 * This is more precise than a fixed-window counter because it considers
 * the exact timestamp of each request rather than bucketing.
 *
 * KEYS[1] = rate limit key
 * ARGV[1] = now (ms timestamp)
 * ARGV[2] = windowMs (window duration in ms)
 * ARGV[3] = limit (max requests)
 * ARGV[4] = unique request ID (to distinguish concurrent requests)
 * ARGV[5] = windowSeconds (for key TTL)
 */
 const SLIDING_WINDOW_LUA = `
 local key = KEYS[1]
 local now = tonumber(ARGV[1])
 local windowMs = tonumber(ARGV[2])
 local limit = tonumber(ARGV[3])
 local requestId = ARGV[4]
 local windowSec = tonumber(ARGV[5])
 -- Remove entries outside the window
 redis.call('ZREMRANGEBYSCORE', key, 0, now - windowMs)
 -- Count current requests in window
 local current = redis.call('ZCARD', key)
 if current < limit then
  -- Add this request
  redis.call('ZADD', key, now, requestId)
  -- Ensure key expires after the window
  redis.call('EXPIRE', key, windowSec + 1)
  return {current + 1, 0}
 else
  -- Rate limit exceeded — compute time until oldest entry expires
  local oldest = redis.call('ZRANGE', key, 0, 0, 'WITHSCORES')
  local retryAfterMs = 0
  if #oldest >= 2 then
    retryAfterMs = tonumber(oldest[2]) + windowMs - now
    if retryAfterMs < 0 then retryAfterMs = 0 end
  end
  return {current, retryAfterMs}
 end
 `;
 /** Monotonically increasing counter to generate unique request IDs. */
 let requestCounter = 0;
 /**
 * Guard that enforces per-endpoint rate limiting using a Redis sorted-set sliding window.
 *
 * Only activates on routes decorated with `@EndpointRateLimit()`.
 * Routes without the decorator are not affected.
 *
 * Features:
 * - True sliding window (sorted set) for accurate rate measurement
 * - Keys by IP or authenticated user + endpoint path
 * - Proper 429 response with `Retry-After` header
 * - Rate limit headers (`X-RateLimit-Limit`, `X-RateLimit-Remaining`, `X-RateLimit-Reset`)
 * - Admin bypass support
 * - Fail-open on Redis errors (logs warning, allows request)
 */
@Injectable()
 export class EndpointRateLimitGuard implements CanActivate {
  constructor(
    private readonly redis: RedisService,
    private readonly reflector: Reflector,
    private readonly logger: LoggerService,
  ) {}
  async canActivate(context: ExecutionContext): Promise<boolean> {
    const options = this.reflector.getAllAndOverride<EndpointRateLimitOptions | undefined>(
      ENDPOINT_RATE_LIMIT_KEY,
      [context.getHandler(), context.getClass()],
    );
    // No @EndpointRateLimit decorator → skip
    if (!options) {
      return true;
    }
    const request = context.switchToHttp().getRequest<AuthenticatedRequest>();
    const response: Response = context.switchToHttp().getResponse();
    const user = request.user;
    // Admin bypass (default: true)
    const adminBypass = options.adminBypass !== false;
    if (adminBypass && user?.role === 'ADMIN') {
      return true;
    }
    const windowSeconds = options.windowSeconds ?? 60;
    const windowMs = windowSeconds * 1000;
    const limit = options.limit;
    const keyStrategy = options.keyStrategy ?? 'ip';
    // Build the rate limit key: endpoint_rate_limit:{method}:{path}:{identifier}
    const method = request.method;
    const routePath = request.route?.path ?? request.path;
    const identifier = this.resolveIdentifier(request, keyStrategy);
    const key = `endpoint_rate_limit:${method}:${routePath}:${identifier}`;
    try {
      const client = this.redis.getClient();
      const now = Date.now();
      const requestId = `${now}:${process.pid}:${++requestCounter}`;
      const result = await client.eval(
        SLIDING_WINDOW_LUA,
        1,
        key,
        now,
        windowMs,
        limit,
        requestId,
        windowSeconds,
      ) as [number, number];
      const current = result[0];
      const retryAfterMs = result[1];
      // Set rate limit headers for observability
      response.setHeader('X-RateLimit-Limit', limit);
      response.setHeader('X-RateLimit-Remaining', Math.max(0, limit - current));
      response.setHeader('X-RateLimit-Reset', windowSeconds);
      if (current > limit || retryAfterMs > 0) {
        // The request was NOT added (limit reached) — return 429
        const retryAfterSeconds = Math.max(1, Math.ceil(retryAfterMs / 1000));
        response.setHeader('Retry-After', retryAfterSeconds);
        this.logger.warn(
          `Endpoint rate limit exceeded: ${method} ${routePath}, ` +
            `key=${keyStrategy}:${identifier}, current=${current}/${limit}, ` +
            `retryAfter=${retryAfterSeconds}s`,
          'EndpointRateLimitGuard',
        );
        throw new HttpException(
          {
            statusCode: HttpStatus.TOO_MANY_REQUESTS,
            message: 'Too many requests. Please try again later.',
            retryAfter: retryAfterSeconds,
          },
          HttpStatus.TOO_MANY_REQUESTS,
        );
      }
      return true;
    } catch (error) {
      // Re-throw intentional 429 errors
      if (error instanceof HttpException && error.getStatus() === HttpStatus.TOO_MANY_REQUESTS) {
        throw error;
      }
      // Fail open on Redis errors
      this.logger.warn(
        `Endpoint rate limit check failed (Redis error), allowing request: ` +
          `${method} ${routePath}, key=${keyStrategy}:${identifier}, ` +
          `error=${error instanceof Error ? error.message : 'unknown'}`,
        'EndpointRateLimitGuard',
      );
      return true;
    }
  }
  /**
   * Resolve the identifier for the rate limit key based on the strategy.
   */
  private resolveIdentifier(request: AuthenticatedRequest, strategy: 'ip' | 'user'): string {
    if (strategy === 'user') {
      const user = request.user;
      if (user?.sub) {
        return `user:${user.sub}`;
      }
      // Fall back to IP for unauthenticated requests on user-keyed endpoints
    }
    // IP-based: extract real IP behind proxy
    const forwarded = request.headers['x-forwarded-for'];
    const ip =
      typeof forwarded === 'string'
        ? (forwarded.split(',')[0]?.trim() ?? '127.0.0.1')
        : (request.ip ?? '127.0.0.1');
    return `ip:${ip}`;
  }
 }
--- a/apps/api/src/modules/shared/infrastructure/index.ts
+++ b/apps/api/src/modules/shared/infrastructure/index.ts
@@ -20,6 +20,12 @@ export {
  type UserRateLimitOptions,
 } from './guards/user-rate-limit.guard';
 export { UserRateLimit } from './decorators/user-rate-limit.decorator';
 export {
  EndpointRateLimit,
  ENDPOINT_RATE_LIMIT_KEY,
  type EndpointRateLimitOptions,
 } from './decorators/endpoint-rate-limit.decorator';
 export { EndpointRateLimitGuard } from './guards/endpoint-rate-limit.guard';
 export { FileValidationPipe } from './pipes/file-validation.pipe';
 export type { FileValidationOptions, UploadedFile } from './pipes/file-validation.pipe';
 export { validateEnv, validateJwtSecret } from './env-validation';