feat(09-03): add rate limiting for public quote routes
- Enhanced proxy.ts with rate limit check for /quote/[token] routes - Enforces 3 views per minute per IP address (MVP in-memory store) - Returns 429 Too Many Requests when limit exceeded - Rate limit utility supports distributed use (ready for Upstash Redis in Phase 10) Co-Authored-By: Claude Haiku 4.5 <noreply@anthropic.com>
This commit is contained in:
+15
-1
@@ -1,5 +1,6 @@
|
||||
import { NextRequest, NextResponse } from "next/server";
|
||||
import { getToken } from "next-auth/jwt";
|
||||
import { rateLimit } from "@/lib/rate-limit";
|
||||
|
||||
export async function proxy(request: NextRequest) {
|
||||
const pathname = request.nextUrl.pathname;
|
||||
@@ -71,9 +72,22 @@ export async function proxy(request: NextRequest) {
|
||||
}
|
||||
}
|
||||
|
||||
// ── PUBLIC QUOTE ROUTES (rate limited) ───────────────────────────────────
|
||||
if (pathname.match(/^\/quote\/[a-zA-Z0-9_-]{21}\/?$/)) {
|
||||
const ip = request.headers.get("x-forwarded-for") || request.headers.get("x-real-ip") || "unknown";
|
||||
const allowed = rateLimit(ip, 3, 60 * 1000); // 3 views per minute
|
||||
|
||||
if (!allowed) {
|
||||
return NextResponse.json(
|
||||
{ error: "Troppi accessi. Riprova tra un minuto." },
|
||||
{ status: 429 }
|
||||
);
|
||||
}
|
||||
}
|
||||
|
||||
return NextResponse.next();
|
||||
}
|
||||
|
||||
export const config = {
|
||||
matcher: ["/admin/:path*", "/client/:path*"],
|
||||
matcher: ["/admin/:path*", "/client/:path*", "/quote/:path*"],
|
||||
};
|
||||
|
||||
Reference in New Issue
Block a user