feat(api): add helmet security headers and rate limiting

- Add helmet middleware for secure HTTP response headers - Add express-rate-limit with three limiters: - authLimiter: per-IP, 20 req/15min on /api/auth/* - gameLimiter: per-user, 150 req/15min (not yet wired) - lobbyLimiter: per-user, 20 req/15min (not yet wired) - Set trust proxy for correct client IP behind Caddy - Add tests for all three limiters and helmet headers
2026-04-23 11:13:11 +02:00 · 2026-04-23 11:13:11 +02:00 · 9893ead689
commit 9893ead689
parent 1dfe391233
6 changed files with 300 additions and 1 deletions
--- a/apps/api/src/middleware/rateLimiters.ts
+++ b/apps/api/src/middleware/rateLimiters.ts
@ -0,0 +1,44 @@
+import rateLimit from "express-rate-limit";
+import type { Request } from "express";
+
+// TODO: When Valkey is wired up, swap the default in-memory store for
+// rate-limit-redis to persist limits across restarts:
+//
+// import { RedisStore } from "rate-limit-redis";
+// import { valkey } from "../lib/valkey.js";
+// Then add to each limiter: store: new RedisStore({ sendCommand: (...args) => valkey.call(...args) })
+
+export const authLimiter = rateLimit({
+  windowMs: 15 * 60 * 1000,
+  limit: 20,
+  standardHeaders: "draft-8",
+  legacyHeaders: false,
+  message: {
+    success: false,
+    error: "Too many requests, please try again later.",
+  },
+});
+
+export const gameLimiter = rateLimit({
+  windowMs: 15 * 60 * 1000,
+  limit: 150,
+  standardHeaders: "draft-8",
+  legacyHeaders: false,
+  keyGenerator: (req: Request) => req.session!.user.id,
+  message: {
+    success: false,
+    error: "Too many requests, please try again later.",
+  },
+});
+
+export const lobbyLimiter = rateLimit({
+  windowMs: 15 * 60 * 1000,
+  limit: 20,
+  standardHeaders: "draft-8",
+  legacyHeaders: false,
+  keyGenerator: (req: Request) => req.session!.user.id,
+  message: {
+    success: false,
+    error: "Too many requests, please try again later.",
+  },
+});