feat: enforce route-level rate limits for webhook auth and user actions

2026-02-18 13:02:44 +00:00
parent a9ef1e5e23
commit 989b5cf048
4 changed files with 187 additions and 12 deletions
--- a/test/app.test.js
+++ b/test/app.test.js
@@ -6,19 +6,43 @@ const { buildApp } = require("../src/app");
 const { hmacSHA256Hex } = require("../src/lib/signature");

 function createApp(options = {}) {
-  return buildApp({
-    config: {
-      xWebhookSecret: "x-secret",
-      polarWebhookSecret: "polar-secret",
-      credit: {
-        baseCredits: 1,
-        includedChars: 25000,
-        stepChars: 10000,
-        stepCredits: 1,
-        maxCharsPerArticle: 120000,
-      },
+  const baseConfig = {
+    xWebhookSecret: "x-secret",
+    polarWebhookSecret: "polar-secret",
+    rateLimits: {
+      webhookPerMinute: 120,
+      authPerMinute: 30,
+      actionPerMinute: 60,
    },
-    ...options,
+    credit: {
+      baseCredits: 1,
+      includedChars: 25000,
+      stepChars: 10000,
+      stepCredits: 1,
+      maxCharsPerArticle: 120000,
+    },
+  };
+
+  const overrideConfig = options.config || {};
+  const mergedConfig = {
+    ...baseConfig,
+    ...overrideConfig,
+    rateLimits: {
+      ...baseConfig.rateLimits,
+      ...(overrideConfig.rateLimits || {}),
+    },
+    credit: {
+      ...baseConfig.credit,
+      ...(overrideConfig.credit || {}),
+    },
+  };
+
+  const appOptions = { ...options };
+  delete appOptions.config;
+
+  return buildApp({
+    config: mergedConfig,
+    ...appOptions,
  });
 }

@@ -224,3 +248,56 @@ test("emits persistence snapshots on mutating actions", () => {
  assert.equal(typeof latest.updatedAt, "string");
  assert.equal(typeof latest.engine, "object");
 });
+
+test("rate limits repeated webhook calls", () => {
+  const app = createApp({
+    config: {
+      rateLimits: {
+        webhookPerMinute: 1,
+      },
+    },
+  });
+
+  const first = call(app, {
+    method: "POST",
+    path: "/api/webhooks/x",
+    headers: { "x-forwarded-for": "1.2.3.4", "x-signature": "sha256=deadbeef" },
+    body: JSON.stringify({}),
+  });
+  const second = call(app, {
+    method: "POST",
+    path: "/api/webhooks/x",
+    headers: { "x-forwarded-for": "1.2.3.4", "x-signature": "sha256=deadbeef" },
+    body: JSON.stringify({}),
+  });
+
+  assert.equal(first.status, 401);
+  assert.equal(second.status, 429);
+});
+
+test("rate limits repeated login attempts from same IP", () => {
+  const app = createApp({
+    config: {
+      rateLimits: {
+        authPerMinute: 1,
+      },
+    },
+  });
+
+  const first = call(app, {
+    method: "POST",
+    path: "/auth/dev-login",
+    headers: { "x-forwarded-for": "5.5.5.5" },
+    body: "userId=alice&returnTo=%2Fapp",
+  });
+  const second = call(app, {
+    method: "POST",
+    path: "/auth/dev-login",
+    headers: { "x-forwarded-for": "5.5.5.5" },
+    body: "userId=alice&returnTo=%2Fapp",
+  });
+
+  assert.equal(first.status, 303);
+  assert.equal(second.status, 303);
+  assert.match(second.headers.location, /Too%20many%20requests/);
+});
--- a/test/config.test.js
+++ b/test/config.test.js
@@ -7,16 +7,19 @@ test("config uses defaults when env is missing", () => {
  const previous = {
    PORT: process.env.PORT,
    STATE_FILE_PATH: process.env.STATE_FILE_PATH,
+    WEBHOOK_RPM: process.env.WEBHOOK_RPM,
  };

  delete process.env.PORT;
  delete process.env.STATE_FILE_PATH;
+  delete process.env.WEBHOOK_RPM;

  delete require.cache[require.resolve("../src/config")];
  const { config } = require("../src/config");

  assert.equal(config.port, 3000);
  assert.equal(config.stateFilePath, "./data/state.json");
+  assert.equal(config.rateLimits.webhookPerMinute, 120);

  if (previous.PORT === undefined) {
    delete process.env.PORT;
@@ -29,22 +32,31 @@ test("config uses defaults when env is missing", () => {
  } else {
    process.env.STATE_FILE_PATH = previous.STATE_FILE_PATH;
  }
+
+  if (previous.WEBHOOK_RPM === undefined) {
+    delete process.env.WEBHOOK_RPM;
+  } else {
+    process.env.WEBHOOK_RPM = previous.WEBHOOK_RPM;
+  }
 });

 test("config reads state path and numeric env overrides", () => {
  const previous = {
    PORT: process.env.PORT,
    STATE_FILE_PATH: process.env.STATE_FILE_PATH,
+    WEBHOOK_RPM: process.env.WEBHOOK_RPM,
  };

  process.env.PORT = "8080";
  process.env.STATE_FILE_PATH = "/data/prod-state.json";
+  process.env.WEBHOOK_RPM = "77";

  delete require.cache[require.resolve("../src/config")];
  const { config } = require("../src/config");

  assert.equal(config.port, 8080);
  assert.equal(config.stateFilePath, "/data/prod-state.json");
+  assert.equal(config.rateLimits.webhookPerMinute, 77);

  if (previous.PORT === undefined) {
    delete process.env.PORT;
@@ -57,4 +69,9 @@ test("config reads state path and numeric env overrides", () => {
  } else {
    process.env.STATE_FILE_PATH = previous.STATE_FILE_PATH;
  }
+  if (previous.WEBHOOK_RPM === undefined) {
+    delete process.env.WEBHOOK_RPM;
+  } else {
+    process.env.WEBHOOK_RPM = previous.WEBHOOK_RPM;
+  }
 });