Implement Rate Limiting and Abuse Prevention

[yusuftomilola]

Implement Rate Limiting on PDF Generation API

Details

• Use middleware such as express-rate-limit or Redis-based limiter for distributed environments.
• Configure limits as follows:
  • Max 20 requests per minute per user/IP for PDF generation endpoint.
  • On limit exceeded, respond with HTTP 429 Too Many Requests and a descriptive message.
  • Log rate limit violations with user ID or IP address for audit purposes.
  • Provide configurable limits via environment variables.
  • Write tests simulating multiple rapid requests to verify enforcement.

Subtasks

• Implement rate limiting middleware configuration.
• Add logging for limit breaches.
• Add test cases for rate limiting.

Acceptance Criteria

• Rate limits enforced accurately per user or IP.
• Clients receive correct HTTP 429 status when limit is hit.
• Logs generated for abuse attempts.
• Tests validate limit enforcement.

[clintjeff2]

Hello, I'm Jefferson, a backend engineer based in Cameroon with expertise in developing scalable and secure APIs. My tech stack includes NestJS, Express, TypeScript, Node.js, PostgreSQL, TypeORM, and JWT authentication. I adhere to clean architecture principles and emphasize performance, maintainability, and security in all solutions.

I’m available to implement rate limiting on the PDF generation API using a robust, middleware-based approach. Here’s how I plan to proceed:

Implementation Plan

1. Middleware Integration

   • Integrate express-rate-limit for quick local testing and optionally use rate-limit-redis for a distributed environment.
   • Configure a global or route-specific limiter with a cap of 20 requests per minute per user or IP, depending on authentication status.
   • Use @Injectable() middleware with NestJS or plug directly into Express if the PDF route is handled outside the framework.

2. Environment-Based Configuration

   • Rate limit values (WINDOW_MS, MAX_REQUESTS) will be managed through .env variables for flexibility across environments (e.g., staging, production).

3. Custom Response Handling

   • Return HTTP 429 Too Many Requests on exceeding the limit, with a clear JSON error message: {"message": "Too many requests, please try again later."}.
   • Set appropriate Retry-After headers based on the configured window.

4. Audit Logging

   • Log all rate limit violations with the associated user ID (if authenticated) or IP address.
   • Use a centralized logger (e.g., winston or NestJS Logger) and flag rate-limited attempts with severity for easy filtering.

5. Testing

   • Write integration tests simulating burst traffic to the endpoint using tools like supertest or axios inside a Jest test suite.
   • Assert for HTTP 429 after the 20th request and verify rate limiting resets after the time window.
   • Mock Redis where necessary to simulate a distributed environment.

Deliverables

• Middleware enforcing per-user/IP rate limits on PDF generation.
• Environment-driven configuration for limit values.
• Logging of limit breaches with identifier context.
• Comprehensive tests validating the rate limiter behavior.

Timeline

Estimated completion: 36 hours
Telegram: @JeffersonYouashi

Looking forward to your assignment.