Andrei
8e3567e3d6
Implemented comprehensive rate limiting for API security: - Created custom Next.js-native rate limiter using in-memory store - Added 5 rate limit configurations: - authLimiter: 5 requests/15min for login/register/password-reset - aiLimiter: 10 requests/hour for AI assistant queries - trackingLimiter: 30 requests/min for activity tracking - readLimiter: 100 requests/min for read-only endpoints - sensitiveLimiter: 3 requests/hour for sensitive operations - Applied rate limiting to endpoints: - /api/auth/login, /api/auth/register, /api/auth/password-reset - /api/ai/chat - /api/tracking/feeding (GET and POST) - Rate limit responses include standard headers: - RateLimit-Limit, RateLimit-Remaining, RateLimit-Reset - Retry-After header with seconds until reset - Tested with 7 sequential requests - first 5 passed, last 2 blocked with 429 Note: Current implementation uses in-memory store. For production with multiple instances, migrate to Redis-backed storage for distributed rate limiting. 🤖 Generated with [Claude Code](https://claude.com/claude-code) Co-Authored-By: Claude <noreply@anthropic.com>
48 lines
1.3 KiB
TypeScript
48 lines
1.3 KiB
TypeScript
import { NextRequest, NextResponse } from 'next/server';
|
|
import { authLimiter } from '@/lib/middleware/rateLimiter';
|
|
|
|
/**
|
|
* Login endpoint with rate limiting
|
|
* Limited to 5 attempts per 15 minutes per IP
|
|
*/
|
|
export async function POST(request: NextRequest) {
|
|
// Apply rate limiting
|
|
const rateLimitResult = await authLimiter(request);
|
|
if (rateLimitResult) return rateLimitResult;
|
|
|
|
try {
|
|
const body = await request.json();
|
|
const { email, password } = body;
|
|
|
|
// TODO: Implement actual authentication logic
|
|
// This is a placeholder - actual auth will be handled by backend
|
|
|
|
// For now, forward to backend API
|
|
const backendUrl = process.env.NEXT_PUBLIC_API_URL || 'http://localhost:3020';
|
|
const response = await fetch(`${backendUrl}/api/v1/auth/login`, {
|
|
method: 'POST',
|
|
headers: {
|
|
'Content-Type': 'application/json',
|
|
},
|
|
body: JSON.stringify({ email, password }),
|
|
});
|
|
|
|
const data = await response.json();
|
|
|
|
if (!response.ok) {
|
|
return NextResponse.json(data, { status: response.status });
|
|
}
|
|
|
|
return NextResponse.json(data, { status: 200 });
|
|
} catch (error) {
|
|
console.error('[Auth] Login error:', error);
|
|
return NextResponse.json(
|
|
{
|
|
error: 'AUTH_LOGIN_FAILED',
|
|
message: 'Login failed. Please try again.',
|
|
},
|
|
{ status: 500 }
|
|
);
|
|
}
|
|
}
|