🔒 feat(security): Implement comprehensive rate limiting to prevent DoS attacks - Resolves #53

README.md

@@ -82,6 +82,13 @@ The project follows a modular, feature-based architecture. All source code is lo
     # Set to 'true' to enable multiplexing SSE transport (handles multiple clients with a single transport)
     # Set to 'false' to use individual SSE transport for each client (legacy behavior)
     USE_MULTIPLEXING_SSE=false
+
+    # Rate Limiting Configuration
+    RATE_LIMIT_WINDOW_MS=900000 # Time window for rate limiting in milliseconds (e.g., 900000 for 15 minutes)
+    RATE_LIMIT_MAX_REQUESTS=100 # Maximum number of requests allowed per window per IP
+    RATE_LIMIT_SSE_MAX=5 # Maximum number of SSE connections allowed per minute per IP
+    RATE_LIMIT_MESSAGES_MAX=30 # Maximum number of messages allowed per minute per IP
+    DEFAULT_USER_RATE_LIMIT=1000 # Default number of requests allowed per hour for a user
     ```
 
 4.  Build the project:
@@ -251,6 +258,18 @@ The server provides the following GitHub API tools:
 
 -   `get_me` - Get details of the authenticated user
 
+### Rate Limiting
+
+This server implements a robust rate limiting strategy to ensure fair usage and protect against abuse. The rate limiting is configured in `src/server.ts` and includes several layers of protection:
+
+-   **General Limiter**: A global rate limit is applied to all incoming requests to prevent excessive traffic from a single IP address.
+-   **SSE Limiter**: A specific rate limit for Server-Sent Events (SSE) connections to manage real-time communication resources.
+-   **Message Limiter**: A rate limit on the number of messages that can be sent to the server to prevent spam and overload.
+-   **User-Specific Limiter**: A dynamic rate limit that can be customized for individual users, providing more flexible and granular control.
+-   **Critical Operations Limiter**: A stricter rate limit for critical operations such as creating repositories or merging pull requests to prevent accidental or malicious use of sensitive features.
+
+The rate limiting is implemented using the `express-rate-limit` library, which provides a flexible and easy-to-configure solution for Express-based applications. The configuration is managed through environment variables, allowing for easy adjustments without modifying the code.
+
 ## Troubleshooting
 
 ### Connection Issues
@@ -300,4 +319,4 @@ If you're experiencing issues with the multiplexing SSE transport:
 
 ## License
 
-MIT
+MIT

package.json

@@ -53,12 +53,15 @@
     "@types/cors": "^2.8.19",
     "@types/dompurify": "^3.0.5",
     "@types/express": "^5.0.1",
+    "@types/express-rate-limit": "^5.1.3",
     "@types/jest": "^30.0.0",
     "@types/jsdom": "^21.1.7",
     "@types/node": "^22.14.1",
     "eventsource": "^4.0.0",
+    "express-rate-limit": "^8.1.0",
     "jest": "^30.0.5",
     "node-fetch": "^3.3.2",
+    "supertest": "^7.1.4",
     "ts-jest": "^29.4.1",
     "typescript": "^5.9.2"
   }

src/config/index.ts

@@ -23,4 +23,10 @@ export const config = {
     sseTimeout: process.env.SSE_TIMEOUT ? parseInt(process.env.SSE_TIMEOUT, 10) : 1800000,
     corsAllowOrigin: process.env.CORS_ALLOW_ORIGIN ?? '',
     useMultiplexing: process.env.USE_MULTIPLEXING_SSE === 'true',
+    // Rate Limiting Configuration
+    rateLimitWindowMs: process.env.RATE_LIMIT_WINDOW_MS ? parseInt(process.env.RATE_LIMIT_WINDOW_MS, 10) : 15 * 60 * 1000, // 15 minutes
+    rateLimitMaxRequests: process.env.RATE_LIMIT_MAX_REQUESTS ? parseInt(process.env.RATE_LIMIT_MAX_REQUESTS, 10) : 100, // 100 requests
+    rateLimitSseMax: process.env.RATE_LIMIT_SSE_MAX ? parseInt(process.env.RATE_LIMIT_SSE_MAX, 10) : 5, // 5 SSE connections per minute
+    rateLimitMessagesMax: process.env.RATE_LIMIT_MESSAGES_MAX ? parseInt(process.env.RATE_LIMIT_MESSAGES_MAX, 10) : 30, // 30 messages per minute
+    defaultUserRateLimit: process.env.DEFAULT_USER_RATE_LIMIT ? parseInt(process.env.DEFAULT_USER_RATE_LIMIT, 10) : 1000, // 1000 requests per hour per user
 };