@alliance-droid/svelte-auth-core 1.0.0

package/src/rate-limit.test.ts

@@ -0,0 +1,308 @@
+import { describe, it, expect, beforeEach } from 'vitest';
+import {
+	checkRateLimit,
+	resetRateLimit,
+	getRateLimitStatus,
+	clearAllRateLimits,
+	extractClientIp,
+	type RateLimitConfig
+} from './rate-limit';
+
+describe('Rate Limiting', () => {
+	const loginConfig: RateLimitConfig = {
+		maxAttempts: 5,
+		windowMs: 10 * 60 * 1000 // 10 minutes
+	};
+
+	const registrationConfig: RateLimitConfig = {
+		maxAttempts: 3,
+		windowMs: 60 * 60 * 1000 // 1 hour
+	};
+
+	const passwordResetConfig: RateLimitConfig = {
+		maxAttempts: 2,
+		windowMs: 60 * 60 * 1000 // 1 hour
+	};
+
+	beforeEach(() => {
+		clearAllRateLimits();
+	});
+
+	describe('checkRateLimit', () => {
+		it('should allow requests under the limit', () => {
+			const result1 = checkRateLimit('user@example.com', loginConfig);
+			expect(result1.allowed).toBe(true);
+			expect(result1.remaining).toBe(4);
+
+			const result2 = checkRateLimit('user@example.com', loginConfig);
+			expect(result2.allowed).toBe(true);
+			expect(result2.remaining).toBe(3);
+		});
+
+		it('should block requests exceeding the limit', () => {
+			// Make max attempts
+			for (let i = 0; i < loginConfig.maxAttempts; i++) {
+				checkRateLimit('user@example.com', loginConfig);
+			}
+
+			// Next attempt should be blocked
+			const result = checkRateLimit('user@example.com', loginConfig);
+			expect(result.allowed).toBe(false);
+			expect(result.remaining).toBe(0);
+		});
+
+		it('should enforce login rate limits (5 attempts/10 min)', () => {
+			const key = 'test@example.com';
+
+			for (let i = 0; i < 5; i++) {
+				const result = checkRateLimit(key, loginConfig);
+				expect(result.allowed).toBe(true);
+			}
+
+			// 6th attempt should fail
+			const result = checkRateLimit(key, loginConfig);
+			expect(result.allowed).toBe(false);
+		});
+
+		it('should enforce registration rate limits (3/hour per IP)', () => {
+			const key = '192.168.1.1';
+
+			for (let i = 0; i < 3; i++) {
+				const result = checkRateLimit(key, registrationConfig);
+				expect(result.allowed).toBe(true);
+			}
+
+			// 4th attempt should fail
+			const result = checkRateLimit(key, registrationConfig);
+			expect(result.allowed).toBe(false);
+		});
+
+		it('should enforce password reset rate limits (2/hour)', () => {
+			const key = 'reset@example.com';
+
+			for (let i = 0; i < 2; i++) {
+				const result = checkRateLimit(key, passwordResetConfig);
+				expect(result.allowed).toBe(true);
+			}
+
+			// 3rd attempt should fail
+			const result = checkRateLimit(key, passwordResetConfig);
+			expect(result.allowed).toBe(false);
+		});
+
+		it('should track resetAt timestamp', () => {
+			const now = Date.now();
+			const result = checkRateLimit('user@example.com', loginConfig);
+
+			expect(result.resetAt).toBeGreaterThan(now);
+			expect(result.resetAt).toBeLessThanOrEqual(now + loginConfig.windowMs);
+		});
+
+		it('should maintain separate limits for different keys', () => {
+			const result1 = checkRateLimit('user1@example.com', loginConfig);
+			const result2 = checkRateLimit('user2@example.com', loginConfig);
+
+			expect(result1.allowed).toBe(true);
+			expect(result1.remaining).toBe(4);
+
+			expect(result2.allowed).toBe(true);
+			expect(result2.remaining).toBe(4);
+		});
+	});
+
+	describe('resetRateLimit', () => {
+		it('should reset rate limit for a key', () => {
+			const key = 'user@example.com';
+
+			// Hit rate limit
+			for (let i = 0; i < loginConfig.maxAttempts; i++) {
+				checkRateLimit(key, loginConfig);
+			}
+
+			const blockedResult = checkRateLimit(key, loginConfig);
+			expect(blockedResult.allowed).toBe(false);
+
+			// Reset the limit
+			resetRateLimit(key);
+
+			// Should be able to attempt again
+			const allowedResult = checkRateLimit(key, loginConfig);
+			expect(allowedResult.allowed).toBe(true);
+		});
+
+		it('should allow resetting before hitting limit', () => {
+			const key = 'user@example.com';
+
+			checkRateLimit(key, loginConfig);
+			checkRateLimit(key, loginConfig);
+
+			// Reset early
+			resetRateLimit(key);
+
+			// Status should be reset
+			const status = getRateLimitStatus(key, loginConfig);
+			expect(status.attempts).toBe(0);
+			expect(status.remaining).toBe(loginConfig.maxAttempts);
+		});
+	});
+
+	describe('getRateLimitStatus', () => {
+		it('should return correct status for a key', () => {
+			const key = 'user@example.com';
+
+			checkRateLimit(key, loginConfig);
+			checkRateLimit(key, loginConfig);
+
+			const status = getRateLimitStatus(key, loginConfig);
+
+			expect(status.attempts).toBe(2);
+			expect(status.remaining).toBe(3);
+		});
+
+		it('should return full remaining attempts for untouched key', () => {
+			const status = getRateLimitStatus('new@example.com', loginConfig);
+
+			expect(status.attempts).toBe(0);
+			expect(status.remaining).toBe(loginConfig.maxAttempts);
+		});
+
+		it('should provide resetAt timestamp', () => {
+			const key = 'user@example.com';
+			checkRateLimit(key, loginConfig);
+
+			const status = getRateLimitStatus(key, loginConfig);
+			expect(status.resetAt).toBeGreaterThan(Date.now());
+		});
+	});
+
+	describe('clearAllRateLimits', () => {
+		it('should clear all stored rate limits', () => {
+			const key1 = 'user1@example.com';
+			const key2 = 'user2@example.com';
+
+			checkRateLimit(key1, loginConfig);
+			checkRateLimit(key2, loginConfig);
+
+			clearAllRateLimits();
+
+			const status1 = getRateLimitStatus(key1, loginConfig);
+			const status2 = getRateLimitStatus(key2, loginConfig);
+
+			expect(status1.attempts).toBe(0);
+			expect(status2.attempts).toBe(0);
+		});
+	});
+
+	describe('extractClientIp', () => {
+		it('should extract IP from x-forwarded-for header', () => {
+			const headers: Record<string, string | string[] | undefined> = {
+				'x-forwarded-for': '192.168.1.1, 10.0.0.1'
+			};
+
+			const ip = extractClientIp(headers);
+			expect(ip).toBe('192.168.1.1');
+		});
+
+		it('should extract IP from x-real-ip header', () => {
+			const headers: Record<string, string | string[] | undefined> = {
+				'x-real-ip': '192.168.1.2'
+			};
+
+			const ip = extractClientIp(headers);
+			expect(ip).toBe('192.168.1.2');
+		});
+
+		it('should return unknown if no IP headers present', () => {
+			const headers: Record<string, string | string[] | undefined> = {};
+
+			const ip = extractClientIp(headers);
+			expect(ip).toBe('unknown');
+		});
+
+		it('should handle whitespace in x-forwarded-for', () => {
+			const headers: Record<string, string | string[] | undefined> = {
+				'x-forwarded-for': '  192.168.1.3  , 10.0.0.2'
+			};
+
+			const ip = extractClientIp(headers);
+			expect(ip).toBe('192.168.1.3');
+		});
+	});
+
+	describe('Rate limit expiration', () => {
+		it('should clean up expired entries', () => {
+			const key = 'user@example.com';
+			const shortConfig: RateLimitConfig = {
+				maxAttempts: 2,
+				windowMs: 100 // 100ms window
+			};
+
+			// Make attempts
+			checkRateLimit(key, shortConfig);
+			checkRateLimit(key, shortConfig);
+
+			// Should be blocked
+			let result = checkRateLimit(key, shortConfig);
+			expect(result.allowed).toBe(false);
+
+			// Wait for window to expire
+			return new Promise((resolve) => {
+				setTimeout(() => {
+					// After expiration, should be allowed again
+					result = checkRateLimit(key, shortConfig);
+					expect(result.allowed).toBe(true);
+					resolve(undefined);
+				}, 150);
+			});
+		});
+	});
+
+	describe('Integration scenarios', () => {
+		it('should handle login flow with failed then successful attempt', () => {
+			const key = 'test@example.com';
+
+			// Simulate failed login attempts
+			for (let i = 0; i < 5; i++) {
+				const result = checkRateLimit(key, loginConfig);
+				expect(result.allowed).toBe(true);
+			}
+
+			// Should be rate limited
+			let result = checkRateLimit(key, loginConfig);
+			expect(result.allowed).toBe(false);
+
+			// After successful login (outside rate limit), reset
+			resetRateLimit(key);
+
+			// Should be able to login again
+			result = checkRateLimit(key, loginConfig);
+			expect(result.allowed).toBe(true);
+		});
+
+		it('should handle multiple endpoints with different limits', () => {
+			const email = 'user@example.com';
+			const ip = '192.168.1.1';
+
+			// Login limit - use operation-specific key
+			const loginKey = `login:${email}`;
+			checkRateLimit(loginKey, loginConfig);
+			const loginStatus = getRateLimitStatus(loginKey, loginConfig);
+			expect(loginStatus.remaining).toBe(4);
+
+			// Registration limit (IP based)
+			const regKey = `register:${ip}`;
+			checkRateLimit(regKey, registrationConfig);
+			const regStatus = getRateLimitStatus(regKey, registrationConfig);
+			expect(regStatus.remaining).toBe(2);
+
+			// Password reset limit (email based)
+			const resetKey = `reset:${email}`;
+			checkRateLimit(resetKey, passwordResetConfig);
+			const resetStatus = getRateLimitStatus(resetKey, passwordResetConfig);
+			expect(resetStatus.remaining).toBe(1);
+
+			// Verify they are independent
+			expect(loginStatus.remaining).not.toBe(regStatus.remaining);
+		});
+	});
+});

package/src/rate-limit.ts

@@ -0,0 +1,118 @@
+interface RateLimitEntry {
+	key: string;
+	count: number;
+	resetAt: number;
+}
+
+export interface RateLimitConfig {
+	maxAttempts: number;
+	windowMs: number; // Time window in milliseconds
+}
+
+const RATE_LIMITS: Record<string, RateLimitEntry[]> = {};
+
+/**
+ * Check if a request should be rate limited
+ * @param key - Unique identifier for the rate limit (e.g., email, IP address)
+ * @param config - Rate limit configuration
+ * @returns Object with remaining attempts and resetTime
+ */
+export function checkRateLimit(
+	key: string,
+	config: RateLimitConfig
+): { allowed: boolean; remaining: number; resetAt: number } {
+	const now = Date.now();
+
+	// Initialize rate limit storage for this key if not exists
+	if (!RATE_LIMITS[key]) {
+		RATE_LIMITS[key] = [];
+	}
+
+	// Remove expired entries
+	RATE_LIMITS[key] = RATE_LIMITS[key].filter((entry) => entry.resetAt > now);
+
+	// Count current attempts
+	const currentCount = RATE_LIMITS[key].length;
+
+	if (currentCount >= config.maxAttempts) {
+		// Get the earliest reset time
+		const resetAt = Math.min(...RATE_LIMITS[key].map((e) => e.resetAt));
+		return {
+			allowed: false,
+			remaining: 0,
+			resetAt
+		};
+	}
+
+	// Add new attempt
+	const resetAt = now + config.windowMs;
+	RATE_LIMITS[key].push({
+		key,
+		count: 1,
+		resetAt
+	});
+
+	return {
+		allowed: true,
+		remaining: config.maxAttempts - currentCount - 1,
+		resetAt
+	};
+}
+
+/**
+ * Reset rate limit for a key (e.g., after successful login)
+ */
+export function resetRateLimit(key: string): void {
+	if (RATE_LIMITS[key]) {
+		delete RATE_LIMITS[key];
+	}
+}
+
+/**
+ * Get current rate limit status for a key
+ */
+export function getRateLimitStatus(key: string, config: RateLimitConfig) {
+	const now = Date.now();
+
+	if (!RATE_LIMITS[key]) {
+		return {
+			attempts: 0,
+			remaining: config.maxAttempts,
+			resetAt: now + config.windowMs
+		};
+	}
+
+	// Remove expired entries
+	RATE_LIMITS[key] = RATE_LIMITS[key].filter((entry) => entry.resetAt > now);
+
+	const currentCount = RATE_LIMITS[key].length;
+	const resetAt = RATE_LIMITS[key].length > 0 ? Math.max(...RATE_LIMITS[key].map((e) => e.resetAt)) : now + config.windowMs;
+
+	return {
+		attempts: currentCount,
+		remaining: Math.max(0, config.maxAttempts - currentCount),
+		resetAt
+	};
+}
+
+/**
+ * Clear all rate limits (useful for testing)
+ */
+export function clearAllRateLimits(): void {
+	for (const key in RATE_LIMITS) {
+		delete RATE_LIMITS[key];
+	}
+}
+
+/**
+ * Extract IP address from headers
+ */
+export function extractClientIp(
+	headers: Record<string, string | string[] | undefined>
+): string {
+	const forwarded = headers['x-forwarded-for'];
+	if (typeof forwarded === 'string') {
+		return forwarded.split(',')[0].trim();
+	}
+	return headers['x-real-ip'] as string || 'unknown';
+}