feat: enforce route-level rate limits for webhook auth and user actions

2026-02-18 13:02:44 +00:00
parent a9ef1e5e23
commit 989b5cf048
4 changed files with 187 additions and 12 deletions
--- a/src/config.js
+++ b/src/config.js
@@ -20,6 +20,11 @@ const config = {
  stateFilePath: strFromEnv("STATE_FILE_PATH", "./data/state.json"),
  xWebhookSecret: process.env.X_WEBHOOK_SECRET || "dev-x-secret",
  polarWebhookSecret: process.env.POLAR_WEBHOOK_SECRET || "dev-polar-secret",
+  rateLimits: {
+    webhookPerMinute: intFromEnv("WEBHOOK_RPM", 120),
+    authPerMinute: intFromEnv("AUTH_RPM", 30),
+    actionPerMinute: intFromEnv("ACTION_RPM", 60),
+  },
  credit: {
    baseCredits: intFromEnv("BASE_CREDITS", 1),
    includedChars: intFromEnv("INCLUDED_CHARS", 25000),