feat: enforce route-level rate limits for webhook auth and user actions

2026-02-18 13:02:44 +00:00
parent a9ef1e5e23
commit 989b5cf048
4 changed files with 187 additions and 12 deletions
--- a/test/config.test.js
+++ b/test/config.test.js
@@ -7,16 +7,19 @@ test("config uses defaults when env is missing", () => {
  const previous = {
    PORT: process.env.PORT,
    STATE_FILE_PATH: process.env.STATE_FILE_PATH,
+    WEBHOOK_RPM: process.env.WEBHOOK_RPM,
  };

  delete process.env.PORT;
  delete process.env.STATE_FILE_PATH;
+  delete process.env.WEBHOOK_RPM;

  delete require.cache[require.resolve("../src/config")];
  const { config } = require("../src/config");

  assert.equal(config.port, 3000);
  assert.equal(config.stateFilePath, "./data/state.json");
+  assert.equal(config.rateLimits.webhookPerMinute, 120);

  if (previous.PORT === undefined) {
    delete process.env.PORT;
@@ -29,22 +32,31 @@ test("config uses defaults when env is missing", () => {
  } else {
    process.env.STATE_FILE_PATH = previous.STATE_FILE_PATH;
  }
+
+  if (previous.WEBHOOK_RPM === undefined) {
+    delete process.env.WEBHOOK_RPM;
+  } else {
+    process.env.WEBHOOK_RPM = previous.WEBHOOK_RPM;
+  }
 });

 test("config reads state path and numeric env overrides", () => {
  const previous = {
    PORT: process.env.PORT,
    STATE_FILE_PATH: process.env.STATE_FILE_PATH,
+    WEBHOOK_RPM: process.env.WEBHOOK_RPM,
  };

  process.env.PORT = "8080";
  process.env.STATE_FILE_PATH = "/data/prod-state.json";
+  process.env.WEBHOOK_RPM = "77";

  delete require.cache[require.resolve("../src/config")];
  const { config } = require("../src/config");

  assert.equal(config.port, 8080);
  assert.equal(config.stateFilePath, "/data/prod-state.json");
+  assert.equal(config.rateLimits.webhookPerMinute, 77);

  if (previous.PORT === undefined) {
    delete process.env.PORT;
@@ -57,4 +69,9 @@ test("config reads state path and numeric env overrides", () => {
  } else {
    process.env.STATE_FILE_PATH = previous.STATE_FILE_PATH;
  }
+  if (previous.WEBHOOK_RPM === undefined) {
+    delete process.env.WEBHOOK_RPM;
+  } else {
+    process.env.WEBHOOK_RPM = previous.WEBHOOK_RPM;
+  }
 });