feat: add rate limiter

Signed-off-by: Raúl Santos <[email protected]>

Author: borfast

frontend/nuxt.config.ts

@@ -8,6 +8,7 @@ import primevue from './setup/primevue';
 import echarts from './setup/echarts';
 import caching from './setup/caching';
 import sitemap from './setup/sitemap';
+import rateLimiter from './setup/rate-limiter';
 
 const isProduction = process.env.NUXT_APP_ENV === 'production';
 const isDevelopment = process.env.NODE_ENV === 'development';
@@ -52,7 +53,7 @@ export default defineNuxtConfig({
   primevue,
   echarts,
   runtimeConfig: {
-    // These are are only available on the server-side and can be overridden by the .env file
+    // These are only available on the server-side and can be overridden by the .env file
     appEnv: process.env.APP_ENV,
     tinybirdBaseUrl: 'https://api.us-west-2.aws.tinybird.co',
     tinybirdToken: '',
@@ -79,6 +80,7 @@ export default defineNuxtConfig({
     cmDbPassword: 'example',
     cmDbDatabase: 'crowd-web',
     dataCopilotDefaultSegmentId: '',
+    rateLimiter: rateLimiter,
     // These are also exposed on the client-side
     public: {
       apiBase: '/api',

frontend/package.json

@@ -39,6 +39,7 @@
     "@pinia/nuxt": "^0.11.2",
     "@popperjs/core": "^2.11.8",
     "@primevue/themes": "^4.4.1",
+    "@redis/client": "^5.9.0",
     "@tanstack/vue-query": "^5.90.5",
     "@types/jsonwebtoken": "^9.0.10",
     "@vuelidate/core": "^2.0.3",

frontend/pnpm-lock.yaml

@@ -0,0 +1,76 @@
+// Copyright (c) 2025 The Linux Foundation and each contributor.
+// SPDX-License-Identifier: MIT
+
+import type { H3Event } from 'h3';
+import { RedisClientType } from '@redis/client';
+import { checkRateLimit } from '../utils/rate-limiter';
+import { getRedisClient } from '../utils/redis-client';
+import { RateLimiterConfig } from '~~/server/types/rate-limiter';
+
+/**
+ * This is a rate-limiting middleware that checks incoming requests against the configured rate
+ * limits and blocks requests that exceed the limits. The defineEventHandler entrypoint is simple
+ * and delegates the actual logic to the handleRateLimiting function for easier testing, allowing
+ * injection of mocked dependencies and configuration.
+ *
+ * Features:
+ * - Uses Redis for distributed rate limiting
+ * - Hashes IP addresses for GDPR compliance
+ * - Supports per-route and per-method limits
+ * - Adds rate limit headers to responses
+ */
+export default defineEventHandler(async (event: H3Event) => {
+  const config = useRuntimeConfig();
+  const rateLimiterConfig = config.rateLimiter as RateLimiterConfig;
+
+  // getRedisClient memoizes the client instance, so it's not a problem to call it multiple times.
+  const redisClient = await getRedisClient(config.redisUrl, rateLimiterConfig.redisDatabase, true);
+
+  await handleRateLimiting(event, rateLimiterConfig, redisClient);
+});
+
+/**
+ * Handles rate limiting for the given event and rate limiter configuration.
+ *
+ * @param event - The H3 event object for the incoming request.
+ * @param rateLimiterConfig - The rate limiter configuration to use.
+ * @param redisClient - The Redis client instance to use for rate limiting.
+ */
+export async function handleRateLimiting(
+  event: H3Event,
+  rateLimiterConfig: RateLimiterConfig,
+  redisClient: RedisClientType,
+) {
+  // Skip rate limiting if disabled
+  if (!rateLimiterConfig.enabled) {
+    return;
+  }
+
+  try {
+    const result = await checkRateLimit(event, rateLimiterConfig, redisClient);
+
+    setResponseHeaders(event, {
+      ['X-RateLimit-Limit']: result.limit.toString(),
+      ['X-RateLimit-Remaining']: result.remaining.toString(),
+      ['X-RateLimit-Reset']: result.resetIn.toString(),
+    });
+
+    // Block request if rate limit exceeded
+    if (!result.allowed) {
+      throw createError({
+        statusCode: 429,
+        statusMessage: 'Too Many Requests',
+        message: `Rate limit exceeded. Please wait ${result.resetIn} seconds before trying again.`,
+      });
+    }
+  } catch (error) {
+    // If it's already a 429 error, re-throw it
+    if (error && typeof error === 'object' && 'statusCode' in error && error.statusCode === 429) {
+      throw error;
+    }
+
+    // Log other errors but don't block the request. This way the app keeps working even if Redis
+    // is down or the rate limiter fails for some other reason.
+    console.error('Rate limiter error:', error);
+  }
+}

frontend/server/middleware/rate-limiter.ts

@@ -0,0 +1,119 @@
+// Copyright (c) 2025 The Linux Foundation and each contributor.
+// SPDX-License-Identifier: MIT
+
+/**
+ * HTTP methods supported by the rate limiter.
+ */
+export type HttpMethod = 'GET' | 'POST' | 'PUT' | 'PATCH' | 'DELETE' | 'HEAD' | 'OPTIONS';
+
+/**
+ * Rate limit configuration for a specific route.
+ */
+export interface RateLimitRule {
+  /**
+   * The route pattern to match (supports wildcards).
+   * Examples: '/api/*', '/api/report', '/api/auth/*'
+   */
+  route: string;
+
+  /**
+   * HTTP methods this rule applies to. If not specified, it applies to all methods.
+   */
+  methods?: HttpMethod[];
+
+  /**
+   * Maximum number of requests allowed within the window.
+   */
+  maxRequests: number;
+
+  /**
+   * Time window in seconds.
+   */
+  windowSeconds: number;
+}
+
+/**
+ * Exclusion rule for routes that should bypass rate limiting.
+ */
+export interface RateLimitExclusion {
+  /**
+   * The route pattern to exclude (supports wildcards).
+   * Examples: '/api/health', '/api/public/*', '/_nuxt/*'
+   */
+  route: string;
+
+  /**
+   * HTTP methods this exclusion applies to. If not specified, excludes all methods.
+   */
+  methods?: HttpMethod[];
+}
+
+/**
+ * Global rate limiter configuration.
+ */
+export interface RateLimiterConfig {
+  /**
+   * Whether to enable the rate limiter.
+   * @default true
+   */
+  enabled?: boolean;
+
+  /**
+   * Default rate limit applied to all routes not matching specific rules.
+   */
+  defaultLimit: {
+    maxRequests: number;
+    windowSeconds: number;
+  };
+
+  /**
+   * Secret used for hashing IP addresses for GDPR compliance.
+   */
+  secret: string;
+
+  /**
+   * Redis database number to use for rate limiting.
+   */
+  redisDatabase: number;
+
+  /**
+   * Route-specific rate limit rules. Rules are evaluated in order; first match wins.
+   */
+  rules: RateLimitRule[];
+
+  /**
+   * Routes to exclude from rate limiting. Exclusions are checked before rules.
+   * If a request matches an exclusion, it bypasses rate limiting entirely.
+   */
+  exclusions?: RateLimitExclusion[];
+}
+
+/**
+ * Rate limit check result.
+ */
+export interface RateLimitResult {
+  /**
+   * Whether the request is allowed.
+   */
+  allowed: boolean;
+
+  /**
+   * Maximum requests allowed in the window.
+   */
+  limit: number;
+
+  /**
+   * Remaining requests in the current window.
+   */
+  remaining: number;
+
+  /**
+   * Time until the rate limit resets (in seconds).
+   */
+  resetIn: number;
+
+  /**
+   * Total number of requests made in the current window.
+   */
+  current: number;
+}