feat: add rate limiter

Signed-off-by: Raúl Santos <[email protected]>

Author: borfast

frontend/nuxt.config.ts

@@ -8,6 +8,7 @@ import primevue from './setup/primevue';
 import echarts from './setup/echarts';
 import caching from './setup/caching';
 import sitemap from './setup/sitemap';
+import rateLimiter from './setup/rate-limiter';
 
 const isProduction = process.env.NUXT_APP_ENV === 'production';
 const isDevelopment = process.env.NODE_ENV === 'development';
@@ -52,7 +53,7 @@ export default defineNuxtConfig({
   primevue,
   echarts,
   runtimeConfig: {
-    // These are are only available on the server-side and can be overridden by the .env file
+    // These are only available on the server-side and can be overridden by the .env file
     appEnv: process.env.APP_ENV,
     tinybirdBaseUrl: 'https://api.us-west-2.aws.tinybird.co',
     tinybirdToken: '',
@@ -78,6 +79,7 @@ export default defineNuxtConfig({
     cmDbPassword: 'example',
     cmDbDatabase: 'crowd-web',
     dataCopilotDefaultSegmentId: '',
+    rateLimiter: rateLimiter,
     // These are also exposed on the client-side
     public: {
       apiBase: '/api',

frontend/package.json

@@ -28,6 +28,7 @@
     "@ai-sdk/amazon-bedrock": "^2.2.12",
     "@ai-sdk/openai": "^2.0.53",
     "@ai-sdk/vue": "^2.0.78",
+    "@crowd/redis": "workspace:*",
     "@linuxfoundation/lfx-ui-core": "^0.0.20",
     "@modelcontextprotocol/sdk": "^1.20.2",
     "@nuxt/eslint": "^1.9.0",
@@ -39,6 +40,7 @@
     "@pinia/nuxt": "^0.11.2",
     "@popperjs/core": "^2.11.8",
     "@primevue/themes": "^4.4.1",
+    "@redis/client": "^5.9.0",
     "@tanstack/vue-query": "^5.90.5",
     "@types/jsonwebtoken": "^9.0.10",
     "@vuelidate/core": "^2.0.3",

frontend/server/middleware/rate-limiter.ts

@@ -0,0 +1,57 @@
+// Copyright (c) 2025 The Linux Foundation and each contributor.
+// SPDX-License-Identifier: MIT
+
+import type { H3Event } from 'h3';
+import { checkRateLimit, setRateLimitHeaders } from '../utils/rate-limiter';
+import { RateLimiterConfig } from '~~/server/types/rate-limiter';
+
+/**
+ * This is a rate-limiting middleware that checks incoming requests against the configured rate limits and blocks
+ * requests that exceed the limits.
+ *
+ * Features:
+ * - Uses Redis for distributed rate limiting
+ * - Hashes IP addresses for GDPR compliance
+ * - Supports per-route and per-method limits
+ * - Adds rate limit headers to responses
+ */
+export default defineEventHandler(async (event: H3Event) => {
+  const config = useRuntimeConfig();
+  const rateLimiterConfig = config.rateLimiter as RateLimiterConfig;
+
+  // Skip rate limiting if disabled
+  if (!rateLimiterConfig.enabled) {
+    return;
+  }
+
+  try {
+    // Check rate limit
+    const result = await checkRateLimit(
+      event,
+      rateLimiterConfig.rules,
+      rateLimiterConfig.defaultLimit.maxRequests,
+      rateLimiterConfig.defaultLimit.windowSeconds,
+    );
+
+    // Set rate limit headers
+    setRateLimitHeaders(event, result);
+
+    // Block request if rate limit exceeded
+    if (!result.allowed) {
+      throw createError({
+        statusCode: 429,
+        statusMessage: 'Too Many Requests',
+        message: `Rate limit exceeded. Please wait ${result.resetIn} seconds before trying again.`,
+      });
+    }
+  } catch (error) {
+    // If it's already a 429 error, re-throw it
+    if (error && typeof error === 'object' && 'statusCode' in error && error.statusCode === 429) {
+      throw error;
+    }
+
+    // Log other errors but don't block the request.
+    // This ensures the app keeps working even if Redis is down.
+    console.error('Rate limiter error:', error);
+  }
+});

frontend/server/types/rate-limiter.ts

@@ -0,0 +1,92 @@
+// Copyright (c) 2025 The Linux Foundation and each contributor.
+// SPDX-License-Identifier: MIT
+
+/**
+ * HTTP methods supported by the rate limiter.
+ */
+export type HttpMethod = 'GET' | 'POST' | 'PUT' | 'PATCH' | 'DELETE' | 'HEAD' | 'OPTIONS';
+
+/**
+ * Rate limit configuration for a specific route.
+ */
+export interface RateLimitRule {
+  /**
+   * The route pattern to match (supports wildcards).
+   * Examples: '/api/*', '/api/report', '/api/auth/*'
+   */
+  route: string;
+
+  /**
+   * HTTP methods this rule applies to. If not specified, it applies to all methods.
+   */
+  methods?: HttpMethod[];
+
+  /**
+   * Maximum number of requests allowed within the window.
+   */
+  maxRequests: number;
+
+  /**
+   * Time window in seconds.
+   */
+  windowSeconds: number;
+}
+
+/**
+ * Global rate limiter configuration.
+ */
+export interface RateLimiterConfig {
+  /**
+   * Whether to enable the rate limiter.
+   * @default true
+   */
+  enabled?: boolean;
+
+  /**
+   * Default rate limit applied to all routes not matching specific rules.
+   */
+  defaultLimit: {
+    maxRequests: number;
+    windowSeconds: number;
+  };
+
+  /**
+   * Secret used for hashing IP addresses for GDPR compliance.
+   */
+  secret: string;
+
+  /**
+   * Route-specific rate limit rules. Rules are evaluated in order; first match wins.
+   */
+  rules: RateLimitRule[];
+}
+
+/**
+ * Rate limit check result.
+ */
+export interface RateLimitResult {
+  /**
+   * Whether the request is allowed.
+   */
+  allowed: boolean;
+
+  /**
+   * Maximum requests allowed in the window.
+   */
+  limit: number;
+
+  /**
+   * Remaining requests in the current window.
+   */
+  remaining: number;
+
+  /**
+   * Time until the rate limit resets (in seconds).
+   */
+  resetIn: number;
+
+  /**
+   * Total number of requests made in the current window.
+   */
+  current: number;
+}