feat: implement API rate limiting middleware for enhanced security

JoachimLK · JoachimLK · commit 1483cbc0866e · 2026-02-25T12:35:07.000+01:00
diff --git a/README.md b/README.md
@@ -42,6 +42,7 @@ Most recruiting software holds your candidate data hostage behind per-seat prici
 - **Multi-tenant organizations** — Isolated data per organization with role-based membership
 - **Recruiter dashboard** — At-a-glance stats, pipeline breakdown, recent applications, and top active jobs
 - **Server-proxied documents** — Resumes are never exposed via public URLs; all access is authenticated and streamed
+- **API rate limiting** — Global per-IP limits on all `/api` endpoints with stricter auth/write thresholds
 
 ## Quick Start
 
diff --git a/server/middleware/api-rate-limit.ts b/server/middleware/api-rate-limit.ts
@@ -0,0 +1,56 @@
+import { createRateLimiter } from '../utils/rateLimit'
+
+const SAFE_METHODS = new Set(['GET', 'HEAD'])
+const SKIP_METHODS = new Set(['OPTIONS'])
+
+// Baseline global API limits (per IP)
+const globalReadLimiter = createRateLimiter({
+  windowMs: 60 * 1000,
+  maxRequests: 300,
+  message: 'Too many API requests. Please try again shortly.',
+})
+
+const globalWriteLimiter = createRateLimiter({
+  windowMs: 60 * 1000,
+  maxRequests: 80,
+  message: 'Too many write requests. Please try again shortly.',
+})
+
+// Auth endpoints get their own buckets to reduce brute-force risk without
+// starving the rest of the API traffic from the same IP.
+const authReadLimiter = createRateLimiter({
+  windowMs: 5 * 60 * 1000,
+  maxRequests: 600,
+  message: 'Too many auth requests. Please try again shortly.',
+})
+
+const authWriteLimiter = createRateLimiter({
+  windowMs: 5 * 60 * 1000,
+  maxRequests: 40,
+  message: 'Too many sign-in attempts. Please wait before trying again.',
+})
+
+export default defineEventHandler(async (event) => {
+  const path = getRequestURL(event).pathname
+  if (!path.startsWith('/api/')) return
+
+  const method = event.method.toUpperCase()
+  if (SKIP_METHODS.has(method)) return
+
+  if (path.startsWith('/api/auth/')) {
+    if (SAFE_METHODS.has(method)) {
+      await authReadLimiter(event)
+      return
+    }
+
+    await authWriteLimiter(event)
+    return
+  }
+
+  if (SAFE_METHODS.has(method)) {
+    await globalReadLimiter(event)
+    return
+  }
+
+  await globalWriteLimiter(event)
+})
