BillTracker/middleware/rateLimiter.js

'use strict';

const rateLimit = require('express-rate-limit');

function makeLimiter(max, windowMs, message) {
  return rateLimit({
    windowMs,
    max,
    standardHeaders: 'draft-7',
    legacyHeaders: false,
    // Override default handler so the response is always JSON, not HTML
    handler(req, res) {
      res.status(429).json({ error: message });
    },
  });
}

// 10 login attempts per 15 minutes per IP — brute-force protection
const loginLimiter = makeLimiter(
  10, 15 * 60 * 1000,
  'Too many login attempts. Please try again in 15 minutes.',
);

// 5 password-change attempts per 15 minutes per IP
const passwordLimiter = makeLimiter(
  5, 15 * 60 * 1000,
  'Too many password change attempts. Please try again in 15 minutes.',
);

// 20 import preview/apply requests per 15 minutes per IP
const importLimiter = makeLimiter(
  20, 15 * 60 * 1000,
  'Too many import requests. Please try again in 15 minutes.',
);

// 30 export requests per 15 minutes per IP
const exportLimiter = makeLimiter(
  30, 15 * 60 * 1000,
  'Too many export requests. Please try again in 15 minutes.',
);

// 30 admin mutation actions per 15 minutes per IP (backup/restore/cleanup)
const adminActionLimiter = makeLimiter(
  30, 15 * 60 * 1000,
  'Too many admin actions. Please try again in 15 minutes.',
);

// 20 OIDC login/callback requests per 15 minutes per IP
const oidcLimiter = makeLimiter(
  20, 15 * 60 * 1000,
  'Too many authentication requests. Please try again in 15 minutes.',
);

// 5 backup operations per 60 minutes per IP (backup creation, restore, import)
const backupOperationLimiter = makeLimiter(
  5, 60 * 60 * 1000,
  'Too many backup operations. Please try again in 60 minutes.',
);

// 3 demo data clear operations per 15 minutes per IP
const demoDataLimiter = makeLimiter(
  3, 15 * 60 * 1000,
  'Too many demo data clear operations. Please try again in 15 minutes.',
);

// ── Export all limiters plus reset function ────────────────────────────────────
const allLimiters = [
  loginLimiter,
  passwordLimiter,
  importLimiter,
  exportLimiter,
  adminActionLimiter,
  oidcLimiter,
  backupOperationLimiter,
  demoDataLimiter,
];

function resetStores() {
  for (const limiter of allLimiters) {
    if (limiter.store.reset) {
      limiter.store.reset();
    }
  }
}

module.exports = {
  loginLimiter,
  passwordLimiter,
  importLimiter,
  exportLimiter,
  adminActionLimiter,
  oidcLimiter,
  backupOperationLimiter,
  demoDataLimiter,
  resetStores,
};
initial commit 2026-05-03 19:51:57 -05:00			`'use strict';`

			`const rateLimit = require('express-rate-limit');`

			`function makeLimiter(max, windowMs, message) {`
			`return rateLimit({`
			`windowMs,`
			`max,`
			`standardHeaders: 'draft-7',`
			`legacyHeaders: false,`
			`// Override default handler so the response is always JSON, not HTML`
			`handler(req, res) {`
			`res.status(429).json({ error: message });`
			`},`
			`});`
			`}`

			`// 10 login attempts per 15 minutes per IP — brute-force protection`
			`const loginLimiter = makeLimiter(`
			`10, 15 * 60 * 1000,`
			`'Too many login attempts. Please try again in 15 minutes.',`
			`);`

			`// 5 password-change attempts per 15 minutes per IP`
			`const passwordLimiter = makeLimiter(`
			`5, 15 * 60 * 1000,`
			`'Too many password change attempts. Please try again in 15 minutes.',`
			`);`

			`// 20 import preview/apply requests per 15 minutes per IP`
			`const importLimiter = makeLimiter(`
			`20, 15 * 60 * 1000,`
			`'Too many import requests. Please try again in 15 minutes.',`
			`);`

			`// 30 export requests per 15 minutes per IP`
			`const exportLimiter = makeLimiter(`
			`30, 15 * 60 * 1000,`
			`'Too many export requests. Please try again in 15 minutes.',`
			`);`

			`// 30 admin mutation actions per 15 minutes per IP (backup/restore/cleanup)`
			`const adminActionLimiter = makeLimiter(`
			`30, 15 * 60 * 1000,`
			`'Too many admin actions. Please try again in 15 minutes.',`
			`);`

			`// 20 OIDC login/callback requests per 15 minutes per IP`
			`const oidcLimiter = makeLimiter(`
			`20, 15 * 60 * 1000,`
			`'Too many authentication requests. Please try again in 15 minutes.',`
			`);`

push 2026-05-09 13:03:36 -05:00			`// 5 backup operations per 60 minutes per IP (backup creation, restore, import)`
			`const backupOperationLimiter = makeLimiter(`
			`5, 60 * 60 * 1000,`
			`'Too many backup operations. Please try again in 60 minutes.',`
			`);`

			`// 3 demo data clear operations per 15 minutes per IP`
			`const demoDataLimiter = makeLimiter(`
			`3, 15 * 60 * 1000,`
			`'Too many demo data clear operations. Please try again in 15 minutes.',`
			`);`

			`// ── Export all limiters plus reset function ────────────────────────────────────`
			`const allLimiters = [`
			`loginLimiter,`
			`passwordLimiter,`
			`importLimiter,`
			`exportLimiter,`
			`adminActionLimiter,`
			`oidcLimiter,`
			`backupOperationLimiter,`
			`demoDataLimiter,`
			`];`

			`function resetStores() {`
			`for (const limiter of allLimiters) {`
			`if (limiter.store.reset) {`
			`limiter.store.reset();`
			`}`
			`}`
			`}`

initial commit 2026-05-03 19:51:57 -05:00			`module.exports = {`
			`loginLimiter,`
			`passwordLimiter,`
			`importLimiter,`
			`exportLimiter,`
			`adminActionLimiter,`
			`oidcLimiter,`
push 2026-05-09 13:03:36 -05:00			`backupOperationLimiter,`
			`demoDataLimiter,`
			`resetStores,`
initial commit 2026-05-03 19:51:57 -05:00			`};`