andrei/url_tracker_tool
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

feat(phase-7): Advanced rate limiting with Redis and header redaction

Browse Source 
- Implement tier-based rate limiting with rate-limiter-flexible
- Add Redis-backed rate limiters for different user tiers (free/pro/enterprise)
- Create comprehensive header redaction service for security
- Implement burst protection with per-minute limits
- Add organization and project-based rate limiting keys
- Create rate limiting middleware with proper error handling
- Integrate rate limits with tracking, bulk, and export endpoints
- Add header redaction to redirect tracking service
- Implement request logging with redacted sensitive headers
- Add comprehensive rate limit headers (limit, remaining, reset, tier)
- Support for anonymous vs authenticated rate limits
- Legacy endpoint rate limiting preserved for backward compatibility
- Admin functions for rate limit management and statistics
- Comprehensive test suite for all rate limiting scenarios

Security improvements:
- Sensitive header redaction (auth tokens, cookies, secrets)
- Partial redaction for debugging (admin mode)
- URL parameter redaction for sensitive data
- Request/response body redaction
- Configurable redaction levels

Backward compatibility: Maintained 100/hr rate limit for legacy endpoints
This commit is contained in:
Andrei
2025-08-18 14:40:31 +00:00
parent 9626863917
commit c34de838f4
9 changed files with 1635 additions and 12 deletions
Download Patch File Download Diff File Expand all files Collapse all files

7
apps/api/package.json
View File

@@ -39,7 +39,9 @@
"mime-types": "^2.1.35",
"csv-parser": "^3.0.0",
"csv-writer": "^1.6.0",
"multer": "^1.4.5-lts.1"
"multer": "^1.4.5-lts.1",
"rate-limiter-flexible": "^5.0.3",
"ioredis": "^5.3.2"
},
"devDependencies": {
"@types/express": "^4.17.21",
@@ -60,6 +62,7 @@
"@types/markdown-it": "^13.0.7",
"@types/mime-types": "^2.1.4",
"@types/multer": "^1.4.11",
"@types/csv-parser": "^3.0.0"
"@types/csv-parser": "^3.0.0",
"@types/ioredis": "^5.0.0"
}
}

13
apps/api/src/index.ts
View File

@@ -20,6 +20,7 @@ import trackingRoutes from './routes/tracking.routes';
import analysisRoutes from './routes/analysis.routes';
import exportRoutes from './routes/export.routes';
import bulkRoutes from './routes/bulk.routes';
import { legacyRateLimit, requestLogger, rateLimitErrorHandler } from './middleware/rate-limit.middleware';
const app = express();
const PORT = process.env.PORT || 3333;
@@ -39,6 +40,9 @@ app.use(helmet({
// Compression middleware
app.use(compression());
// Request logging with header redaction
app.use(requestLogger({ redactionLevel: 'partial' }));
// CORS middleware
app.use(cors({
origin: process.env.WEB_URL || 'http://localhost:3000',
@@ -95,7 +99,7 @@ app.get('/health', (req, res) => {
// ============================================================================
// Original endpoint (deprecated but maintained for backward compatibility)
app.post('/api/track', async (req, res) => {
app.post('/api/track', legacyRateLimit, async (req, res) => {
const { url, method = 'GET', userAgent } = req.body;
if (!url) {
@@ -124,7 +128,7 @@ app.post('/api/track', async (req, res) => {
});
// API v1 track endpoint (POST)
app.post('/api/v1/track', apiLimiter, async (req, res) => {
app.post('/api/v1/track', legacyRateLimit, async (req, res) => {
const { url, method = 'GET', userAgent } = req.body;
if (!url) {
@@ -175,7 +179,7 @@ app.post('/api/v1/track', apiLimiter, async (req, res) => {
});
// API v1 track endpoint with GET method support (for easy browser/curl usage)
app.get('/api/v1/track', apiLimiter, async (req, res) => {
app.get('/api/v1/track', legacyRateLimit, async (req, res) => {
const { url, method = 'GET', userAgent } = req.query;
if (!url) {
@@ -344,6 +348,9 @@ process.on('SIGINT', () => {
process.exit(0);
});
// Rate limiting error handler
app.use(rateLimitErrorHandler);
app.listen(PORT, () => {
logger.info(`🚀 Redirect Intelligence v2 API Server running on http://localhost:${PORT}`);
logger.info(`📖 API Documentation: http://localhost:${PORT}/api/docs`);

282
apps/api/src/middleware/rate-limit.middleware.ts Normal file
View File

@@ -0,0 +1,282 @@
/**
* Rate Limiting Middleware for Redirect Intelligence v2
*
* Integrates advanced rate limiting with Express middleware
*/
import { Request, Response, NextFunction } from 'express';
import { rateLimitService, RateLimitError, BurstLimitError } from '../services/rate-limit.service';
import { headerRedactionService } from '../services/header-redaction.service';
import { logger } from '../lib/logger';
import { AuthenticatedRequest } from './auth.middleware';
export interface RateLimitMiddlewareOptions {
type: 'tracking' | 'bulk' | 'export' | 'legacy';
keyGenerator?: (req: AuthenticatedRequest) => string;
skipSuccessfulRequests?: boolean;
skipFailedRequests?: boolean;
onLimitReached?: (req: AuthenticatedRequest, res: Response) => void;
}
/**
* Create rate limiting middleware for specific endpoint types
*/
export function createRateLimitMiddleware(options: RateLimitMiddlewareOptions) {
const {
type,
keyGenerator = defaultKeyGenerator,
skipSuccessfulRequests = false,
skipFailedRequests = false,
onLimitReached,
} = options;
return async (req: AuthenticatedRequest, res: Response, next: NextFunction) => {
try {
const key = keyGenerator(req);
const userId = req.user?.id;
// Check rate limits
const rateLimitInfo = await rateLimitService.checkRateLimit(type, key, userId);
// Set rate limit headers
res.set({
'X-RateLimit-Limit': rateLimitInfo.limit.toString(),
'X-RateLimit-Remaining': rateLimitInfo.remaining.toString(),
'X-RateLimit-Reset': rateLimitInfo.reset.toISOString(),
'X-RateLimit-Tier': rateLimitInfo.tier,
});
// Check burst limits for authenticated users
if (userId && (type === 'tracking' || type === 'bulk')) {
await rateLimitService.checkBurstLimit(userId);
}
// Log rate limit usage (with redacted headers)
logger.debug('Rate limit check passed', {
type,
key: headerRedactionService.partiallyRedactValue(key),
userId: userId ? headerRedactionService.partiallyRedactValue(userId) : undefined,
remaining: rateLimitInfo.remaining,
tier: rateLimitInfo.tier,
userAgent: req.get('User-Agent'),
ip: req.ip,
});
next();
} catch (error) {
if (error instanceof RateLimitError) {
// Set rate limit headers even when limit is exceeded
res.set({
'X-RateLimit-Limit': '0',
'X-RateLimit-Remaining': '0',
'X-RateLimit-Reset': error.reset.toISOString(),
'X-RateLimit-Tier': error.tier,
'Retry-After': Math.ceil((error.reset.getTime() - Date.now()) / 1000).toString(),
});
logger.warn('Rate limit exceeded', {
type,
tier: error.tier,
userId: req.user?.id,
ip: req.ip,
userAgent: req.get('User-Agent'),
});
if (onLimitReached) {
onLimitReached(req, res);
return;
}
return res.status(429).json({
success: false,
error: 'Rate limit exceeded',
message: `Too many requests for ${error.tier} tier. Please try again later.`,
retryAfter: error.reset.toISOString(),
tier: error.tier,
});
}
if (error instanceof BurstLimitError) {
res.set({
'X-RateLimit-Type': 'burst',
'X-RateLimit-Tier': error.tier,
'Retry-After': '60', // 1 minute for burst limits
});
logger.warn('Burst limit exceeded', {
type,
tier: error.tier,
limit: error.limit,
userId: req.user?.id,
ip: req.ip,
});
return res.status(429).json({
success: false,
error: 'Burst limit exceeded',
message: `Too many requests per minute for ${error.tier} tier (limit: ${error.limit}/min).`,
retryAfter: new Date(Date.now() + 60000).toISOString(),
tier: error.tier,
});
}
// Other errors
logger.error('Rate limit middleware error:', error);
next(error);
}
};
}
/**
* Default key generator function
*/
function defaultKeyGenerator(req: AuthenticatedRequest): string {
// Use user ID for authenticated requests, IP for anonymous
return req.user ? `user:${req.user.id}` : `ip:${req.ip}`;
}
/**
* Key generator for organization-based limits
*/
export function organizationKeyGenerator(req: AuthenticatedRequest): string {
if (req.user?.memberships?.[0]?.organizationId) {
return `org:${req.user.memberships[0].organizationId}`;
}
return defaultKeyGenerator(req);
}
/**
* Key generator for project-based limits
*/
export function projectKeyGenerator(req: AuthenticatedRequest): string {
const projectId = req.body?.projectId || req.params?.projectId || req.query?.projectId;
if (projectId) {
return `project:${projectId}`;
}
return defaultKeyGenerator(req);
}
/**
* Middleware to add rate limit status to response headers
*/
export function addRateLimitStatus(type: 'tracking' | 'bulk' | 'export' | 'legacy') {
return async (req: AuthenticatedRequest, res: Response, next: NextFunction) => {
try {
const key = defaultKeyGenerator(req);
const userId = req.user?.id;
const status = await rateLimitService.getRateLimitStatus(type, key, userId);
res.set({
'X-RateLimit-Limit': status.limit.toString(),
'X-RateLimit-Remaining': status.remaining.toString(),
'X-RateLimit-Reset': status.reset.toISOString(),
'X-RateLimit-Tier': status.tier,
});
next();
} catch (error) {
logger.warn('Failed to add rate limit status headers:', error);
next(); // Continue even if we can't add headers
}
};
}
/**
* Predefined middleware instances for common use cases
*/
// Legacy endpoints (maintain existing behavior)
export const legacyRateLimit = createRateLimitMiddleware({
type: 'legacy',
});
// Tracking endpoints
export const trackingRateLimit = createRateLimitMiddleware({
type: 'tracking',
});
// Bulk processing endpoints
export const bulkRateLimit = createRateLimitMiddleware({
type: 'bulk',
});
// Export endpoints
export const exportRateLimit = createRateLimitMiddleware({
type: 'export',
});
// Organization-based tracking limits
export const orgTrackingRateLimit = createRateLimitMiddleware({
type: 'tracking',
keyGenerator: organizationKeyGenerator,
});
// Project-based tracking limits
export const projectTrackingRateLimit = createRateLimitMiddleware({
type: 'tracking',
keyGenerator: projectKeyGenerator,
});
/**
* Middleware to log requests with redacted headers
*/
export function requestLogger(options: { includeBody?: boolean; redactionLevel?: 'full' | 'partial' } = {}) {
const { includeBody = false, redactionLevel = 'full' } = options;
return (req: AuthenticatedRequest, res: Response, next: NextFunction) => {
const startTime = Date.now();
// Redact request data for logging
const redactedRequest = headerRedactionService.redactLogData({
method: req.method,
url: req.url,
headers: req.headers,
body: includeBody ? req.body : undefined,
user: req.user ? {
id: req.user.id,
email: headerRedactionService.partiallyRedactValue(req.user.email),
} : undefined,
ip: req.ip,
userAgent: req.get('User-Agent'),
}, { redactionLevel });
// Override res.end to log response
const originalEnd = res.end;
res.end = function(chunk?: any, encoding?: any) {
const duration = Date.now() - startTime;
logger.info('Request completed', {
...redactedRequest,
statusCode: res.statusCode,
duration,
contentLength: res.get('Content-Length'),
});
originalEnd.call(this, chunk, encoding);
};
next();
};
}
/**
* Error handler for rate limiting errors
*/
export function rateLimitErrorHandler(
error: Error,
req: AuthenticatedRequest,
res: Response,
next: NextFunction
) {
if (error instanceof RateLimitError || error instanceof BurstLimitError) {
// These should have been handled by the middleware, but just in case
return res.status(429).json({
success: false,
error: 'Rate limit exceeded',
message: error.message,
});
}
next(error);
}

7
apps/api/src/routes/bulk.routes.ts
View File

@@ -10,6 +10,7 @@ import path from 'path';
import fs from 'fs/promises';
import { z } from 'zod';
import { requireAuth } from '../middleware/auth.middleware';
import { bulkRateLimit, addRateLimitStatus } from '../middleware/rate-limit.middleware';
import { BulkProcessorService } from '../services/bulk-processor.service';
import { logger } from '../lib/logger';
@@ -66,7 +67,7 @@ const GetJobsQuerySchema = z.object({
* POST /api/v2/bulk/upload
* Upload CSV file and create bulk tracking job
*/
router.post('/upload', requireAuth, upload.single('file'), async (req, res) => {
router.post('/upload', requireAuth, bulkRateLimit, upload.single('file'), async (req, res) => {
try {
if (!req.file) {
return res.status(400).json({
@@ -123,7 +124,7 @@ router.post('/upload', requireAuth, upload.single('file'), async (req, res) => {
* POST /api/v2/bulk/jobs
* Create bulk tracking job with URL array
*/
router.post('/jobs', requireAuth, async (req, res) => {
router.post('/jobs', requireAuth, bulkRateLimit, async (req, res) => {
try {
const userId = req.user!.id;
const organizationId = req.user!.memberships?.[0]?.organizationId;
@@ -172,7 +173,7 @@ router.post('/jobs', requireAuth, async (req, res) => {
* GET /api/v2/bulk/jobs
* Get user's bulk jobs with pagination
*/
router.get('/jobs', requireAuth, async (req, res) => {
router.get('/jobs', requireAuth, addRateLimitStatus('bulk'), async (req, res) => {
try {
const userId = req.user!.id;
const query = GetJobsQuerySchema.parse(req.query);

4
apps/api/src/routes/tracking.routes.ts
View File

@@ -9,6 +9,7 @@ import { z } from 'zod';
import rateLimit from 'express-rate-limit';
import { RedirectTrackerService } from '../services/redirect-tracker.service';
import { optionalAuth, requireAuth, AuthenticatedRequest } from '../middleware/auth.middleware';
import { trackingRateLimit, addRateLimitStatus } from '../middleware/rate-limit.middleware';
import { logger } from '../lib/logger';
const router = express.Router();
@@ -69,8 +70,7 @@ const listChecksSchema = z.object({
*/
router.post('/track',
optionalAuth,
trackingLimiter,
anonymousTrackingLimiter,
trackingRateLimit,
async (req: AuthenticatedRequest, res) => {
try {
// Validate input

439
apps/api/src/services/header-redaction.service.ts Normal file
View File

@@ -0,0 +1,439 @@
/**
* Header Redaction Service for Redirect Intelligence v2
*
* Sanitizes and redacts sensitive headers for security and privacy
*/
import { logger } from '../lib/logger';
/**
* Headers that should be completely removed from storage/logs
*/
const SENSITIVE_HEADERS = new Set([
// Authentication headers
'authorization',
'x-api-key',
'x-auth-token',
'x-access-token',
'bearer',
'token',
// Session headers
'cookie',
'set-cookie',
'session',
'session-id',
'sessionid',
'jsessionid',
'phpsessid',
// Personal information
'x-real-ip',
'x-forwarded-for',
'x-client-ip',
'x-remote-addr',
'x-user-email',
'x-user-id',
'x-username',
// Security tokens
'x-csrf-token',
'x-xsrf-token',
'x-csrftoken',
'csrf-token',
'xsrf-token',
// Custom application headers that might contain sensitive data
'x-api-secret',
'x-private-key',
'x-secret',
'x-password',
'x-token',
'x-auth',
'x-authentication',
// Server internal headers
'x-forwarded-proto',
'x-forwarded-host',
'x-forwarded-server',
'x-original-forwarded-for',
'x-cluster-client-ip',
'cf-connecting-ip',
'true-client-ip',
// Application-specific sensitive headers
'stripe-signature',
'paypal-auth-version',
'x-hub-signature',
'x-github-event',
'x-slack-signature',
]);
/**
* Headers that should be partially redacted (show first/last few characters)
*/
const PARTIALLY_REDACTABLE_HEADERS = new Set([
'user-agent',
'referer',
'origin',
'x-forwarded-by',
'via',
]);
/**
* Headers that are safe to store as-is
*/
const SAFE_HEADERS = new Set([
'accept',
'accept-encoding',
'accept-language',
'cache-control',
'connection',
'content-type',
'content-length',
'content-encoding',
'date',
'etag',
'expires',
'host',
'last-modified',
'location',
'pragma',
'server',
'vary',
'www-authenticate',
'x-powered-by',
'x-frame-options',
'x-content-type-options',
'strict-transport-security',
'content-security-policy',
'x-ratelimit-limit',
'x-ratelimit-remaining',
'x-ratelimit-reset',
'retry-after',
'age',
'allow',
'access-control-allow-origin',
'access-control-allow-methods',
'access-control-allow-headers',
'access-control-expose-headers',
'access-control-max-age',
'access-control-allow-credentials',
]);
export interface RedactionOptions {
/** Include headers that are normally filtered out for debugging (admin only) */
includeDebugHeaders?: boolean;
/** Level of redaction: 'full' removes sensitive headers, 'partial' redacts them */
redactionLevel?: 'full' | 'partial';
/** Custom headers to redact */
customSensitiveHeaders?: string[];
/** Headers to preserve even if they're normally redacted */
preserveHeaders?: string[];
}
export interface RedactionResult {
headers: Record<string, string>;
redactedCount: number;
redactedHeaders: string[];
partiallyRedactedHeaders: string[];
}
export class HeaderRedactionService {
/**
* Redact sensitive headers from a headers object
*/
redactHeaders(
headers: Record<string, string | string[]>,
options: RedactionOptions = {}
): RedactionResult {
const {
includeDebugHeaders = false,
redactionLevel = 'full',
customSensitiveHeaders = [],
preserveHeaders = [],
} = options;
const result: RedactionResult = {
headers: {},
redactedCount: 0,
redactedHeaders: [],
partiallyRedactedHeaders: [],
};
// Combine default sensitive headers with custom ones
const allSensitiveHeaders = new Set([
...SENSITIVE_HEADERS,
...customSensitiveHeaders.map(h => h.toLowerCase()),
]);
// Headers to preserve
const preserveSet = new Set(preserveHeaders.map(h => h.toLowerCase()));
for (const [key, value] of Object.entries(headers)) {
const lowerKey = key.toLowerCase();
const stringValue = Array.isArray(value) ? value.join(', ') : value;
// Skip empty headers
if (!stringValue || stringValue.trim() === '') {
continue;
}
// Preserve headers that are explicitly marked for preservation
if (preserveSet.has(lowerKey)) {
result.headers[key] = stringValue;
continue;
}
// Handle sensitive headers
if (allSensitiveHeaders.has(lowerKey)) {
result.redactedCount++;
result.redactedHeaders.push(key);
if (redactionLevel === 'partial' || includeDebugHeaders) {
result.headers[key] = this.partiallyRedactValue(stringValue);
}
// If redactionLevel is 'full', we don't include the header at all
continue;
}
// Handle partially redactable headers
if (PARTIALLY_REDACTABLE_HEADERS.has(lowerKey)) {
result.headers[key] = this.partiallyRedactValue(stringValue);
result.partiallyRedactedHeaders.push(key);
continue;
}
// Handle safe headers
if (SAFE_HEADERS.has(lowerKey)) {
result.headers[key] = stringValue;
continue;
}
// For unknown headers, be conservative and redact them unless in debug mode
if (includeDebugHeaders) {
result.headers[key] = this.partiallyRedactValue(stringValue);
result.partiallyRedactedHeaders.push(key);
} else {
result.redactedCount++;
result.redactedHeaders.push(key);
}
}
logger.debug('Headers redacted', {
originalCount: Object.keys(headers).length,
finalCount: Object.keys(result.headers).length,
redactedCount: result.redactedCount,
redactionLevel,
includeDebugHeaders,
});
return result;
}
/**
* Partially redact a header value (show first and last few characters)
*/
private partiallyRedactValue(value: string): string {
if (value.length <= 8) {
return '*'.repeat(value.length);
}
const start = value.substring(0, 3);
const end = value.substring(value.length - 3);
const middle = '*'.repeat(Math.min(value.length - 6, 10));
return `${start}${middle}${end}`;
}
/**
* Redact sensitive data from request/response logs
*/
redactLogData(data: any, options: RedactionOptions = {}): any {
if (!data || typeof data !== 'object') {
return data;
}
const redacted = { ...data };
// Redact headers if present
if (redacted.headers) {
const result = this.redactHeaders(redacted.headers, options);
redacted.headers = result.headers;
}
// Redact request headers
if (redacted.request && redacted.request.headers) {
const result = this.redactHeaders(redacted.request.headers, options);
redacted.request.headers = result.headers;
}
// Redact response headers
if (redacted.response && redacted.response.headers) {
const result = this.redactHeaders(redacted.response.headers, options);
redacted.response.headers = result.headers;
}
// Redact common sensitive fields in request/response bodies
if (redacted.body || redacted.data) {
const bodyData = redacted.body || redacted.data;
if (typeof bodyData === 'object') {
redacted.body = this.redactObjectData(bodyData);
redacted.data = this.redactObjectData(bodyData);
}
}
// Redact URL parameters that might contain sensitive data
if (redacted.url && typeof redacted.url === 'string') {
redacted.url = this.redactSensitiveUrlParams(redacted.url);
}
if (redacted.originalUrl && typeof redacted.originalUrl === 'string') {
redacted.originalUrl = this.redactSensitiveUrlParams(redacted.originalUrl);
}
return redacted;
}
/**
* Redact sensitive fields from object data
*/
private redactObjectData(obj: any): any {
if (!obj || typeof obj !== 'object') {
return obj;
}
const sensitiveFields = new Set([
'password',
'secret',
'token',
'key',
'authorization',
'auth',
'apikey',
'api_key',
'access_token',
'refresh_token',
'session',
'cookie',
'csrf',
'xsrf',
]);
const redacted = Array.isArray(obj) ? [] : {};
for (const [key, value] of Object.entries(obj)) {
const lowerKey = key.toLowerCase();
if (sensitiveFields.has(lowerKey) || lowerKey.includes('password') || lowerKey.includes('secret')) {
redacted[key] = typeof value === 'string' ? this.partiallyRedactValue(value) : '[REDACTED]';
} else if (typeof value === 'object' && value !== null) {
redacted[key] = this.redactObjectData(value);
} else {
redacted[key] = value;
}
}
return redacted;
}
/**
* Redact sensitive URL parameters
*/
private redactSensitiveUrlParams(url: string): string {
try {
const urlObj = new URL(url);
const sensitiveParams = new Set([
'token',
'key',
'secret',
'password',
'auth',
'authorization',
'api_key',
'apikey',
'access_token',
'session',
'csrf',
'xsrf',
]);
for (const [key, value] of urlObj.searchParams.entries()) {
if (sensitiveParams.has(key.toLowerCase()) ||
key.toLowerCase().includes('password') ||
key.toLowerCase().includes('secret') ||
key.toLowerCase().includes('token')) {
urlObj.searchParams.set(key, this.partiallyRedactValue(value));
}
}
return urlObj.toString();
} catch (error) {
// If URL parsing fails, return original URL
logger.warn('Failed to parse URL for redaction:', { url, error: error.message });
return url;
}
}
/**
* Check if a header should be considered sensitive
*/
isSensitiveHeader(headerName: string, customSensitive: string[] = []): boolean {
const lowerName = headerName.toLowerCase();
return SENSITIVE_HEADERS.has(lowerName) ||
customSensitive.map(h => h.toLowerCase()).includes(lowerName);
}
/**
* Get list of all headers that would be redacted
*/
getSensitiveHeadersList(): string[] {
return Array.from(SENSITIVE_HEADERS).sort();
}
/**
* Validate redaction configuration
*/
validateRedactionConfig(options: RedactionOptions): { valid: boolean; errors: string[] } {
const errors: string[] = [];
if (options.redactionLevel && !['full', 'partial'].includes(options.redactionLevel)) {
errors.push('redactionLevel must be either "full" or "partial"');
}
if (options.customSensitiveHeaders) {
if (!Array.isArray(options.customSensitiveHeaders)) {
errors.push('customSensitiveHeaders must be an array');
} else {
for (const header of options.customSensitiveHeaders) {
if (typeof header !== 'string') {
errors.push('All customSensitiveHeaders must be strings');
break;
}
}
}
}
if (options.preserveHeaders) {
if (!Array.isArray(options.preserveHeaders)) {
errors.push('preserveHeaders must be an array');
} else {
for (const header of options.preserveHeaders) {
if (typeof header !== 'string') {
errors.push('All preserveHeaders must be strings');
break;
}
}
}
}
return {
valid: errors.length === 0,
errors,
};
}
}
// Singleton instance
export const headerRedactionService = new HeaderRedactionService();

427
apps/api/src/services/rate-limit.service.ts Normal file
View File

@@ -0,0 +1,427 @@
/**
* Advanced Rate Limiting Service for Redirect Intelligence v2
*
* Implements user-tier rate limiting with organization-based quotas
* and Redis-backed rate limiting with rate-limiter-flexible
*/
import { RateLimiterRedis, RateLimiterMemory } from 'rate-limiter-flexible';
import IORedis from 'ioredis';
import { Request, Response, NextFunction } from 'express';
import { z } from 'zod';
import { logger } from '../lib/logger';
import { prisma } from '../lib/prisma';
import { AuthenticatedRequest } from '../middleware/auth.middleware';
// Rate limit tiers based on organization plan
export interface RateLimitTier {
name: string;
requestsPerHour: number;
requestsPerMinute: number;
bulkJobsPerDay: number;
maxUrls: number;
exportLimit: number;
}
export const RATE_LIMIT_TIERS: Record<string, RateLimitTier> = {
free: {
name: 'Free',
requestsPerHour: 100,
requestsPerMinute: 10,
bulkJobsPerDay: 2,
maxUrls: 50,
exportLimit: 5,
},
pro: {
name: 'Pro',
requestsPerHour: 1000,
requestsPerMinute: 50,
bulkJobsPerDay: 20,
maxUrls: 1000,
exportLimit: 100,
},
enterprise: {
name: 'Enterprise',
requestsPerHour: 10000,
requestsPerMinute: 200,
bulkJobsPerDay: 100,
maxUrls: 10000,
exportLimit: 1000,
},
};
export const ANONYMOUS_TIER: RateLimitTier = {
name: 'Anonymous',
requestsPerHour: 50,
requestsPerMinute: 5,
bulkJobsPerDay: 0,
maxUrls: 10,
exportLimit: 0,
};
export interface RateLimitInfo {
limit: number;
remaining: number;
reset: Date;
tier: string;
}
export class RateLimitService {
private redis: IORedis;
private rateLimiters: Map<string, RateLimiterRedis | RateLimiterMemory>;
constructor() {
// Initialize Redis connection
this.redis = new IORedis({
host: process.env.REDIS_HOST || 'localhost',
port: parseInt(process.env.REDIS_PORT || '6379'),
retryDelayOnFailover: 100,
enableReadyCheck: false,
maxRetriesPerRequest: null,
lazyConnect: true,
});
this.rateLimiters = new Map();
this.initializeRateLimiters();
}
/**
* Initialize rate limiters for different endpoints and tiers
*/
private initializeRateLimiters(): void {
// Legacy endpoints (preserve existing behavior)
this.rateLimiters.set('legacy', new RateLimiterRedis({
storeClient: this.redis,
keyPrefix: 'rl_legacy',
points: 100, // requests
duration: 3600, // per hour
blockDuration: 3600, // block for 1 hour
execEvenly: true,
}));
// Anonymous users
this.rateLimiters.set('anonymous', new RateLimiterRedis({
storeClient: this.redis,
keyPrefix: 'rl_anon',
points: ANONYMOUS_TIER.requestsPerHour,
duration: 3600,
blockDuration: 3600,
execEvenly: true,
}));
// Authenticated users by tier
Object.keys(RATE_LIMIT_TIERS).forEach(tier => {
const config = RATE_LIMIT_TIERS[tier];
// Hourly limits
this.rateLimiters.set(`user_${tier}_hour`, new RateLimiterRedis({
storeClient: this.redis,
keyPrefix: `rl_user_${tier}_h`,
points: config.requestsPerHour,
duration: 3600,
blockDuration: 900, // 15 minutes
execEvenly: true,
}));
// Per-minute limits (burst protection)
this.rateLimiters.set(`user_${tier}_minute`, new RateLimiterRedis({
storeClient: this.redis,
keyPrefix: `rl_user_${tier}_m`,
points: config.requestsPerMinute,
duration: 60,
blockDuration: 60,
execEvenly: true,
}));
// Bulk job limits (daily)
this.rateLimiters.set(`bulk_${tier}_day`, new RateLimiterRedis({
storeClient: this.redis,
keyPrefix: `rl_bulk_${tier}_d`,
points: config.bulkJobsPerDay,
duration: 86400, // 24 hours
blockDuration: 86400,
execEvenly: false,
}));
// Export limits (daily)
this.rateLimiters.set(`export_${tier}_day`, new RateLimiterRedis({
storeClient: this.redis,
keyPrefix: `rl_export_${tier}_d`,
points: config.exportLimit,
duration: 86400,
blockDuration: 86400,
execEvenly: false,
}));
});
}
/**
* Get user's rate limit tier based on organization plan
*/
async getUserTier(userId?: string): Promise<RateLimitTier> {
if (!userId) {
return ANONYMOUS_TIER;
}
try {
const user = await prisma.user.findUnique({
where: { id: userId },
include: {
memberships: {
include: {
organization: true,
},
},
},
});
if (!user || !user.memberships.length) {
return RATE_LIMIT_TIERS.free;
}
// Use the highest tier from all organizations
const plans = user.memberships.map(m => m.organization.plan);
if (plans.includes('enterprise')) return RATE_LIMIT_TIERS.enterprise;
if (plans.includes('pro')) return RATE_LIMIT_TIERS.pro;
return RATE_LIMIT_TIERS.free;
} catch (error) {
logger.error('Failed to get user tier:', error);
return RATE_LIMIT_TIERS.free;
}
}
/**
* Check if request is allowed under rate limits
*/
async checkRateLimit(
type: 'tracking' | 'bulk' | 'export' | 'legacy',
key: string,
userId?: string
): Promise<RateLimitInfo> {
try {
const tier = await this.getUserTier(userId);
let limiterKey: string;
let limit: number;
if (type === 'legacy') {
limiterKey = 'legacy';
limit = 100;
} else if (!userId) {
limiterKey = 'anonymous';
limit = ANONYMOUS_TIER.requestsPerHour;
} else {
const tierName = tier.name.toLowerCase();
switch (type) {
case 'tracking':
limiterKey = `user_${tierName}_hour`;
limit = tier.requestsPerHour;
break;
case 'bulk':
limiterKey = `bulk_${tierName}_day`;
limit = tier.bulkJobsPerDay;
break;
case 'export':
limiterKey = `export_${tierName}_day`;
limit = tier.exportLimit;
break;
default:
throw new Error(`Unknown rate limit type: ${type}`);
}
}
const rateLimiter = this.rateLimiters.get(limiterKey);
if (!rateLimiter) {
throw new Error(`Rate limiter not found: ${limiterKey}`);
}
const result = await rateLimiter.consume(key, 1);
return {
limit,
remaining: result.remainingPoints || 0,
reset: new Date(Date.now() + (result.msBeforeNext || 0)),
tier: tier.name,
};
} catch (error) {
if (error instanceof Error && error.message.includes('Rate limit')) {
// This is a rate limit exceeded error
const tier = await this.getUserTier(userId);
throw new RateLimitError(tier.name, 0, new Date(Date.now() + 3600000));
}
logger.error('Rate limit check failed:', error);
throw error;
}
}
/**
* Check burst protection (per-minute limits for authenticated users)
*/
async checkBurstLimit(userId: string): Promise<void> {
const tier = await this.getUserTier(userId);
if (tier === ANONYMOUS_TIER) return;
const tierName = tier.name.toLowerCase();
const limiterKey = `user_${tierName}_minute`;
const rateLimiter = this.rateLimiters.get(limiterKey);
if (!rateLimiter) {
logger.warn(`Burst rate limiter not found: ${limiterKey}`);
return;
}
try {
await rateLimiter.consume(userId, 1);
} catch (error) {
throw new BurstLimitError(tier.name, tier.requestsPerMinute);
}
}
/**
* Get current rate limit status without consuming points
*/
async getRateLimitStatus(
type: 'tracking' | 'bulk' | 'export' | 'legacy',
key: string,
userId?: string
): Promise<RateLimitInfo> {
const tier = await this.getUserTier(userId);
let limiterKey: string;
let limit: number;
if (type === 'legacy') {
limiterKey = 'legacy';
limit = 100;
} else if (!userId) {
limiterKey = 'anonymous';
limit = ANONYMOUS_TIER.requestsPerHour;
} else {
const tierName = tier.name.toLowerCase();
switch (type) {
case 'tracking':
limiterKey = `user_${tierName}_hour`;
limit = tier.requestsPerHour;
break;
case 'bulk':
limiterKey = `bulk_${tierName}_day`;
limit = tier.bulkJobsPerDay;
break;
case 'export':
limiterKey = `export_${tierName}_day`;
limit = tier.exportLimit;
break;
default:
throw new Error(`Unknown rate limit type: ${type}`);
}
}
const rateLimiter = this.rateLimiters.get(limiterKey);
if (!rateLimiter) {
throw new Error(`Rate limiter not found: ${limiterKey}`);
}
try {
const result = await rateLimiter.get(key);
return {
limit,
remaining: result ? result.remainingPoints || 0 : limit,
reset: result ? new Date(Date.now() + (result.msBeforeNext || 0)) : new Date(),
tier: tier.name,
};
} catch (error) {
logger.error('Failed to get rate limit status:', error);
return {
limit,
remaining: limit,
reset: new Date(),
tier: tier.name,
};
}
}
/**
* Reset rate limits for a specific key (admin function)
*/
async resetRateLimit(key: string, type?: string): Promise<void> {
try {
if (type) {
const rateLimiter = this.rateLimiters.get(type);
if (rateLimiter) {
await rateLimiter.delete(key);
}
} else {
// Reset all rate limiters for this key
for (const rateLimiter of this.rateLimiters.values()) {
await rateLimiter.delete(key).catch(() => {}); // Ignore errors
}
}
logger.info(`Rate limit reset for key: ${key}`, { type });
} catch (error) {
logger.error('Failed to reset rate limit:', error);
throw error;
}
}
/**
* Get rate limit statistics
*/
async getStatistics(): Promise<{
totalRequests: number;
activeKeys: number;
tierDistribution: Record<string, number>;
}> {
try {
// This is a simplified version - in production you'd want more detailed stats
const keys = await this.redis.keys('rl_*');
return {
totalRequests: keys.length, // Simplified metric
activeKeys: keys.length,
tierDistribution: {
anonymous: keys.filter(k => k.includes('anon')).length,
free: keys.filter(k => k.includes('free')).length,
pro: keys.filter(k => k.includes('pro')).length,
enterprise: keys.filter(k => k.includes('enterprise')).length,
},
};
} catch (error) {
logger.error('Failed to get rate limit statistics:', error);
return {
totalRequests: 0,
activeKeys: 0,
tierDistribution: {},
};
}
}
}
/**
* Custom error classes for rate limiting
*/
export class RateLimitError extends Error {
constructor(
public tier: string,
public remaining: number,
public reset: Date
) {
super(`Rate limit exceeded for ${tier} tier`);
this.name = 'RateLimitError';
}
}
export class BurstLimitError extends Error {
constructor(
public tier: string,
public limit: number
) {
super(`Burst limit exceeded for ${tier} tier (${limit} requests per minute)`);
this.name = 'BurstLimitError';
}
}
// Singleton instance
export const rateLimitService = new RateLimitService();

13
apps/api/src/services/redirect-tracker.service.ts
View File

@@ -14,6 +14,7 @@ import { CheckStatus, RedirectType } from '@prisma/client';
import { SSLAnalyzerService } from './ssl-analyzer.service';
import { SEOAnalyzerService } from './seo-analyzer.service';
import { SecurityAnalyzerService } from './security-analyzer.service';
import { headerRedactionService } from './header-redaction.service';
// Input validation schemas
const trackRequestSchema = z.object({
@@ -272,7 +273,13 @@ export class RedirectTrackerService {
// Extract response details
const statusCode = response.status;
const contentType = response.headers['content-type'];
const responseHeaders = response.headers as Record<string, string>;
// Redact sensitive headers before storing
const redactionResult = headerRedactionService.redactHeaders(
response.headers as Record<string, string>,
{ redactionLevel: 'partial' }
);
const responseHeaders = redactionResult.headers;
// Determine redirect type and next URL
let redirectType: RedirectType;
@@ -332,7 +339,9 @@ export class RedirectTrackerService {
redirectType: RedirectType.OTHER,
latencyMs,
reason: `Error: ${error.message}`,
responseHeaders: error.response?.headers || {},
responseHeaders: error.response?.headers ?
headerRedactionService.redactHeaders(error.response.headers, { redactionLevel: 'partial' }).headers :
{},
statusCode: error.response?.status,
});