feat: add fixed-window rate limiter for abuse protection

test/rate-limit.test.js

@@ -0,0 +1,37 @@
+"use strict";
+
+const test = require("node:test");
+const assert = require("node:assert/strict");
+const { FixedWindowRateLimiter } = require("../src/lib/rate-limit");
+
+test("allows requests within window limit", () => {
+  const limiter = new FixedWindowRateLimiter({ limit: 2, windowMs: 1000 });
+
+  const first = limiter.hit("u1", 0);
+  const second = limiter.hit("u1", 1);
+
+  assert.equal(first.allowed, true);
+  assert.equal(second.allowed, true);
+  assert.equal(second.remaining, 0);
+});
+
+test("blocks request over the limit and reports retry delay", () => {
+  const limiter = new FixedWindowRateLimiter({ limit: 1, windowMs: 1000 });
+
+  limiter.hit("u1", 0);
+  const blocked = limiter.hit("u1", 100);
+
+  assert.equal(blocked.allowed, false);
+  assert.equal(blocked.retryAfterSec > 0, true);
+});
+
+test("resets after window passes", () => {
+  const limiter = new FixedWindowRateLimiter({ limit: 1, windowMs: 1000 });
+
+  limiter.hit("u1", 0);
+  const blocked = limiter.hit("u1", 500);
+  const afterWindow = limiter.hit("u1", 1001);
+
+  assert.equal(blocked.allowed, false);
+  assert.equal(afterWindow.allowed, true);
+});