security: add rate limiting to /api/user/:username endpoint (#222) (#230)

Install express-rate-limit v8.5.2 and apply a rate limiter (30 req/min per IP, configurable via API_RATE_LIMIT env var) to the API endpoint. Also sets trust proxy for correct client IP detection behind Render.com's reverse proxy. Returns Retry-After header and JSON error on 429.

Author: rishab11250

package-lock.json

@@ -23,6 +23,7 @@
     "axios": "^1.10.0",
     "cors": "^2.8.5",
     "express": "^5.1.0",
+    "express-rate-limit": "^8.5.2",
     "helmet": "^8.2.0"
   },
   "devDependencies": {

package.json

@@ -5,12 +5,16 @@ const path = require("path");
 const fs = require("fs");
 const crypto = require("crypto");
 const fetchUserInfo = require("./scripts/fetch-user-info");
+const { rateLimit } = require("express-rate-limit");
 
 const app = express();
 const PORT = process.env.PORT || 3000;
 
 app.use(cors());
 
+// Trust Render.com proxy so req.ip returns real client IP
+app.set("trust proxy", 1);
+
 // 1. Per-request nonce generator (used by CSP and HTML nonce injection)
 app.use((req, res, next) => {
   res.locals.nonce = crypto.randomBytes(16).toString("base64url");
@@ -124,6 +128,22 @@ app.get("/user/:username", (req, res) => {
   serveHtml(res, path.join(__dirname, "frontend", "user.html"));
 });
 
+// ---- Rate limiter for API endpoint ----
+const apiLimiter = rateLimit({
+  windowMs: 60 * 1000, // 1-minute window
+  limit: parseInt(process.env.API_RATE_LIMIT, 10) || 30,
+  standardHeaders: "draft-8",
+  legacyHeaders: false,
+  message: { error: "Rate limit exceeded", retryAfter: 60 },
+  handler: (req, res, next, options) => {
+    res.status(options.statusCode);
+    res.set("Retry-After", Math.ceil(options.windowMs / 1000));
+    res.json(options.message);
+  },
+});
+
+app.use("/api/user/:username", apiLimiter);
+
 app.get("/api/user/:username", async (req, res) => {
   const username = req.params.username;