-
Notifications
You must be signed in to change notification settings - Fork 0
Expand file tree
/
Copy pathmiddleware.ts
More file actions
107 lines (86 loc) · 2.97 KB
/
middleware.ts
File metadata and controls
107 lines (86 loc) · 2.97 KB
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
import { NextResponse } from "next/server"
import type { NextRequest } from "next/server"
// ===========================================
// Rate Limiting Configuration
// ===========================================
// Simple in-memory rate limiter for demo purposes
// For production, use Redis-based solution like @upstash/ratelimit
const rateLimitMap = new Map<string, { count: number; timestamp: number }>()
const RATE_LIMIT_WINDOW_MS = 60 * 1000 // 1 minute
const RATE_LIMIT_MAX_REQUESTS = 20 // 20 requests per minute per IP
// Clean up old entries periodically (every 5 minutes)
const CLEANUP_INTERVAL_MS = 5 * 60 * 1000
let lastCleanup = Date.now()
function cleanupOldEntries() {
const now = Date.now()
if (now - lastCleanup < CLEANUP_INTERVAL_MS) return
lastCleanup = now
const cutoff = now - RATE_LIMIT_WINDOW_MS
for (const [key, value] of rateLimitMap.entries()) {
if (value.timestamp < cutoff) {
rateLimitMap.delete(key)
}
}
}
function isRateLimited(ip: string): { limited: boolean; remaining: number } {
cleanupOldEntries()
const now = Date.now()
const record = rateLimitMap.get(ip)
if (!record || now - record.timestamp > RATE_LIMIT_WINDOW_MS) {
// New window or first request
rateLimitMap.set(ip, { count: 1, timestamp: now })
return { limited: false, remaining: RATE_LIMIT_MAX_REQUESTS - 1 }
}
if (record.count >= RATE_LIMIT_MAX_REQUESTS) {
return { limited: true, remaining: 0 }
}
record.count++
return { limited: false, remaining: RATE_LIMIT_MAX_REQUESTS - record.count }
}
// ===========================================
// Middleware
// ===========================================
export function middleware(request: NextRequest) {
// Only apply rate limiting to API routes
if (!request.nextUrl.pathname.startsWith("/api/")) {
return NextResponse.next()
}
// Get client IP
const forwarded = request.headers.get("x-forwarded-for")
const ip = forwarded?.split(",")[0]?.trim() ||
request.headers.get("x-real-ip") ||
"unknown"
// Check rate limit
const { limited, remaining } = isRateLimited(ip)
if (limited) {
return new NextResponse(
JSON.stringify({
error: "Too many requests",
message: "Please slow down. Try again in a minute.",
}),
{
status: 429,
headers: {
"Content-Type": "application/json",
"X-RateLimit-Limit": String(RATE_LIMIT_MAX_REQUESTS),
"X-RateLimit-Remaining": "0",
"Retry-After": "60",
},
}
)
}
// Add rate limit headers to response
const response = NextResponse.next()
response.headers.set("X-RateLimit-Limit", String(RATE_LIMIT_MAX_REQUESTS))
response.headers.set("X-RateLimit-Remaining", String(remaining))
return response
}
// ===========================================
// Matcher Configuration
// ===========================================
export const config = {
matcher: [
// Match all API routes
"/api/:path*",
],
}