andrei/maternal-app
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

Add rate limiting to API endpoints
Some checks failed
CI/CD Pipeline / Lint and Test (push) Has been cancelled
Details
CI/CD Pipeline / E2E Tests (push) Has been cancelled
Details
CI/CD Pipeline / Build Application (push) Has been cancelled
Details

Browse Source 
Implemented comprehensive rate limiting for API security:

- Created custom Next.js-native rate limiter using in-memory store
- Added 5 rate limit configurations:
  - authLimiter: 5 requests/15min for login/register/password-reset
  - aiLimiter: 10 requests/hour for AI assistant queries
  - trackingLimiter: 30 requests/min for activity tracking
  - readLimiter: 100 requests/min for read-only endpoints
  - sensitiveLimiter: 3 requests/hour for sensitive operations

- Applied rate limiting to endpoints:
  - /api/auth/login, /api/auth/register, /api/auth/password-reset
  - /api/ai/chat
  - /api/tracking/feeding (GET and POST)

- Rate limit responses include standard headers:
  - RateLimit-Limit, RateLimit-Remaining, RateLimit-Reset
  - Retry-After header with seconds until reset

- Tested with 7 sequential requests - first 5 passed, last 2 blocked with 429

Note: Current implementation uses in-memory store. For production with
multiple instances, migrate to Redis-backed storage for distributed
rate limiting.

🤖 Generated with [Claude Code](https://claude.com/claude-code)

Co-Authored-By: Claude <noreply@anthropic.com>
This commit is contained in:
Andrei
2025-10-01 20:08:28 +00:00
parent 846710d80c
commit 8e3567e3d6
7 changed files with 490 additions and 0 deletions
Download Patch File Download Diff File Expand all files Collapse all files

49
maternal-web/app/api/ai/chat/route.ts Normal file
View File

@@ -0,0 +1,49 @@
import { NextRequest, NextResponse } from 'next/server';
import { aiLimiter } from '@/lib/middleware/rateLimiter';
/**
* AI chat endpoint with rate limiting
* Limited to 10 queries per hour for free tier users
*/
export async function POST(request: NextRequest) {
// Apply rate limiting
const rateLimitResult = await aiLimiter(request);
if (rateLimitResult) return rateLimitResult;
try {
const body = await request.json();
const { message, childId, conversationId } = body;
// TODO: Implement actual AI chat logic
// This is a placeholder - actual AI integration will be handled by backend
// For now, forward to backend API
const backendUrl = process.env.NEXT_PUBLIC_API_URL || 'http://localhost:3020';
const response = await fetch(`${backendUrl}/api/v1/ai/chat`, {
method: 'POST',
headers: {
'Content-Type': 'application/json',
// Forward auth token from client
Authorization: request.headers.get('Authorization') || '',
},
body: JSON.stringify({ message, childId, conversationId }),
});
const data = await response.json();
if (!response.ok) {
return NextResponse.json(data, { status: response.status });
}
return NextResponse.json(data, { status: 200 });
} catch (error) {
console.error('[AI] Chat error:', error);
return NextResponse.json(
{
error: 'AI_CHAT_FAILED',
message: 'AI assistant is currently unavailable. Please try again later.',
},
{ status: 500 }
);
}
}