BillTracker/middleware/rateLimiter.js

'use strict';
const rateLimit = require('express-rate-limit');
/**
 * Build an express-rate-limit middleware that answers over-quota requests with
 * HTTP 429 and a JSON body instead of the library's default response.
 *
 * @param {number} max - requests allowed per client key within one window
 * @param {number} windowMs - window length in milliseconds
 * @param {string} message - text sent back as `{ error: message }`
 * @returns {Function} Express middleware `(req, res, next)` produced by rateLimit()
 */
function makeLimiter(max, windowMs, message) {
  // Every limiter in this module uses the same JSON envelope, so API clients
  // can parse a 429 the same way as any other error response.
  const rejectAsJson = (req, res) => {
    res.status(429).json({ error: message });
  };

  const options = {
    windowMs,
    max,
    standardHeaders: 'draft-7', // RateLimit-* headers per IETF draft 7
    legacyHeaders: false, // no X-RateLimit-* duplicates
    handler: rejectAsJson,
  };

  // NOTE(review): neither `keyGenerator` nor `store` is set here, so the
  // library's defaults apply — the client key and the counter storage come
  // from express-rate-limit, not from this file. Behind a reverse proxy the
  // client address the limiter sees depends on the app's `trust proxy`
  // setting; confirm against the Express setup.
  return rateLimit(options);
}
// Every limiter below shares one 15-minute window; only the quota and the
// client-facing message differ.
const WINDOW_MS = 15 * 60 * 1000;

// 10 login attempts per window per IP — slows online password guessing from a
// single address. NOTE(review): keyed per IP only; any account-level lockout
// lives elsewhere in the app, not in this module.
const loginLimiter = makeLimiter(
  10,
  WINDOW_MS,
  'Too many login attempts. Please try again in 15 minutes.',
);

// 5 password-change attempts per window per IP — the tightest quota, since a
// password change is a credential-altering action.
const passwordLimiter = makeLimiter(
  5,
  WINDOW_MS,
  'Too many password change attempts. Please try again in 15 minutes.',
);

// 20 import preview/apply requests per window per IP.
const importLimiter = makeLimiter(
  20,
  WINDOW_MS,
  'Too many import requests. Please try again in 15 minutes.',
);

// 30 export requests per window per IP.
const exportLimiter = makeLimiter(
  30,
  WINDOW_MS,
  'Too many export requests. Please try again in 15 minutes.',
);

// 30 admin mutation actions per window per IP (backup/restore/cleanup).
const adminActionLimiter = makeLimiter(
  30,
  WINDOW_MS,
  'Too many admin actions. Please try again in 15 minutes.',
);

// 20 OIDC login/callback requests per window per IP.
const oidcLimiter = makeLimiter(
  20,
  WINDOW_MS,
  'Too many authentication requests. Please try again in 15 minutes.',
);
// One middleware per protected route group; routers pick the limiter that
// matches the endpoint they mount (e.g. loginLimiter on the login route).
const limiters = {
  loginLimiter,
  passwordLimiter,
  importLimiter,
  exportLimiter,
  adminActionLimiter,
  oidcLimiter,
};

module.exports = limiters;