@creator.co/wapi 1.9.3 → 1.10.1

package/dist/package-lock.json

@@ -1,12 +1,12 @@
 {
     "name": "@creator.co/wapi",
-    "version": "1.9.3",
+    "version": "1.10.1",
     "lockfileVersion": 3,
     "requires": true,
     "packages": {
         "": {
             "name": "@creator.co/wapi",
-            "version": "1.9.3",
+            "version": "1.10.1",
             "license": "ISC",
             "dependencies": {
                 "@aws-sdk/client-dynamodb": "^3.730.0",
@@ -26,13 +26,13 @@
                 "cuid": "^3.0.0",
                 "dotenv": "^16.4.1",
                 "email-templates": "^13.0.1",
-                "express": "^4.22.0",
+                "express": "^4.22.2",
                 "express-rate-limit": "^7.5.0",
                 "json-stringify-safe": "^5.0.1",
                 "jsonwebtoken": "^9.0.2",
                 "knex": "^3.0.1",
                 "knex-stringcase": "^1.4.6",
-                "kysely": "^0.28.14",
+                "kysely": "^0.28.17",
                 "node-cache": "^5.1.2",
                 "nodemailer": "^8.0.5",
                 "object-hash": "^3.0.0",
@@ -3271,21 +3271,6 @@
                 "node": ">=18"
             }
         },
-        "node_modules/@ladjs/i18n/node_modules/qs": {
-            "version": "6.15.1",
-            "resolved": "https://registry.npmjs.org/qs/-/qs-6.15.1.tgz",
-            "integrity": "sha512-6YHEFRL9mfgcAvql/XhwTvf5jKcOiiupt2FiJxHkiX1z4j7WL8J/jRHYLluORvc1XxB5rV20KoeK00gVJamspg==",
-            "license": "BSD-3-Clause",
-            "dependencies": {
-                "side-channel": "^1.1.0"
-            },
-            "engines": {
-                "node": ">=0.6"
-            },
-            "funding": {
-                "url": "https://github.com/sponsors/ljharb"
-            }
-        },
         "node_modules/@messageformat/core": {
             "version": "3.4.0",
             "resolved": "https://registry.npmjs.org/@messageformat/core/-/core-3.4.0.tgz",
@@ -6037,22 +6022,23 @@
             ]
         },
         "node_modules/body-parser": {
-            "version": "1.20.3",
-            "resolved": "https://registry.npmjs.org/body-parser/-/body-parser-1.20.3.tgz",
-            "integrity": "sha512-7rAxByjUMqQ3/bHJy7D6OGXvx/MMc4IqBn/X0fcM1QUcAItpZrBEYhWGem+tzXH90c+G01ypMcYJBO9Y30203g==",
+            "version": "1.20.5",
+            "resolved": "https://registry.npmjs.org/body-parser/-/body-parser-1.20.5.tgz",
+            "integrity": "sha512-3grm+/2tUOvu2cjJkvsIxrv/wVpfXQW4PsQHYm7yk4vfpu7Ekl6nEsYBoJUL6qDwZUx8wUhQ8tR2qz+ad9c9OA==",
+            "license": "MIT",
             "dependencies": {
-                "bytes": "3.1.2",
+                "bytes": "~3.1.2",
                 "content-type": "~1.0.5",
                 "debug": "2.6.9",
                 "depd": "2.0.0",
-                "destroy": "1.2.0",
-                "http-errors": "2.0.0",
-                "iconv-lite": "0.4.24",
-                "on-finished": "2.4.1",
-                "qs": "6.13.0",
-                "raw-body": "2.5.2",
+                "destroy": "~1.2.0",
+                "http-errors": "~2.0.1",
+                "iconv-lite": "~0.4.24",
+                "on-finished": "~2.4.1",
+                "qs": "~6.15.1",
+                "raw-body": "~2.5.3",
                 "type-is": "~1.6.18",
-                "unpipe": "1.0.0"
+                "unpipe": "~1.0.0"
             },
             "engines": {
                 "node": ">= 0.8",
@@ -6063,14 +6049,36 @@
             "version": "2.6.9",
             "resolved": "https://registry.npmjs.org/debug/-/debug-2.6.9.tgz",
             "integrity": "sha512-bC7ElrdJaJnPbAP+1EotYvqZsb3ecl5wi6Bfi6BJTUcNowp6cvspg0jXznRTKDjm/E7AdgFBVeAPVMNcKGsHMA==",
+            "license": "MIT",
             "dependencies": {
                 "ms": "2.0.0"
             }
         },
+        "node_modules/body-parser/node_modules/http-errors": {
+            "version": "2.0.1",
+            "resolved": "https://registry.npmjs.org/http-errors/-/http-errors-2.0.1.tgz",
+            "integrity": "sha512-4FbRdAX+bSdmo4AUFuS0WNiPz8NgFt+r8ThgNWmlrjQjt1Q7ZR9+zTlce2859x4KSXrwIsaeTqDoKQmtP8pLmQ==",
+            "license": "MIT",
+            "dependencies": {
+                "depd": "~2.0.0",
+                "inherits": "~2.0.4",
+                "setprototypeof": "~1.2.0",
+                "statuses": "~2.0.2",
+                "toidentifier": "~1.0.1"
+            },
+            "engines": {
+                "node": ">= 0.8"
+            },
+            "funding": {
+                "type": "opencollective",
+                "url": "https://opencollective.com/express"
+            }
+        },
         "node_modules/body-parser/node_modules/iconv-lite": {
             "version": "0.4.24",
             "resolved": "https://registry.npmjs.org/iconv-lite/-/iconv-lite-0.4.24.tgz",
             "integrity": "sha512-v3MXnZAcvnywkTUEZomIActle7RXXeedOR31wwl7VlyoXO4Qi9arvSenNQWne1TcRwhCL1HwLI21bEqdpj8/rA==",
+            "license": "MIT",
             "dependencies": {
                 "safer-buffer": ">= 2.1.2 < 3"
             },
@@ -6081,7 +6089,17 @@
         "node_modules/body-parser/node_modules/ms": {
             "version": "2.0.0",
             "resolved": "https://registry.npmjs.org/ms/-/ms-2.0.0.tgz",
-            "integrity": "sha512-Tpp60P6IUJDTuOq/5Z8cdskzJujfwqfOTkrwIwj7IRISpnkJnT6SyJ4PCPnGMoFjC9ddhal5KVIYtAt97ix05A=="
+            "integrity": "sha512-Tpp60P6IUJDTuOq/5Z8cdskzJujfwqfOTkrwIwj7IRISpnkJnT6SyJ4PCPnGMoFjC9ddhal5KVIYtAt97ix05A==",
+            "license": "MIT"
+        },
+        "node_modules/body-parser/node_modules/statuses": {
+            "version": "2.0.2",
+            "resolved": "https://registry.npmjs.org/statuses/-/statuses-2.0.2.tgz",
+            "integrity": "sha512-DvEy55V3DB7uknRo+4iOGT5fP1slR8wQohVdknigZPMpMstaKJQWhwiYBACJE3Ul2pTnATihhBYnRhZQHGBiRw==",
+            "license": "MIT",
+            "engines": {
+                "node": ">= 0.8"
+            }
         },
         "node_modules/boolbase": {
             "version": "1.0.0",
@@ -6196,6 +6214,7 @@
             "version": "3.1.2",
             "resolved": "https://registry.npmjs.org/bytes/-/bytes-3.1.2.tgz",
             "integrity": "sha512-/Nf7TyzTx6S3yRJObOAV7956r8cr2+Oj8AC5dt8wSP3BQAoeX58NoHyCU8P8zGkNXStjTSi6fzO6F0pBdcYbEg==",
+            "license": "MIT",
             "engines": {
                 "node": ">= 0.8"
             }
@@ -6600,6 +6619,7 @@
             "version": "1.0.5",
             "resolved": "https://registry.npmjs.org/content-type/-/content-type-1.0.5.tgz",
             "integrity": "sha512-nTjqfcBFEipKdXCv4YDQWCfmcLZKm81ldF0pAopTvyrFGVbcR6P/VAAd5G7N+0tTr8QqiU0tFadD6FK4NtJwOA==",
+            "license": "MIT",
             "engines": {
                 "node": ">= 0.6"
             }
@@ -8310,14 +8330,14 @@
             }
         },
         "node_modules/express": {
-            "version": "4.22.1",
-            "resolved": "https://registry.npmjs.org/express/-/express-4.22.1.tgz",
-            "integrity": "sha512-F2X8g9P1X7uCPZMA3MVf9wcTqlyNp7IhH5qPCI0izhaOIYXaW9L535tGA3qmjRzpH+bZczqq7hVKxTR4NWnu+g==",
+            "version": "4.22.2",
+            "resolved": "https://registry.npmjs.org/express/-/express-4.22.2.tgz",
+            "integrity": "sha512-IuL+Elrou2ZvCFHs18/CIzy2Nzvo25nZ1/D2eIZlz7c+QUayAcYoiM2BthCjs+EBHVpjYjcuLDAiCWgeIX3X1Q==",
             "license": "MIT",
             "dependencies": {
                 "accepts": "~1.3.8",
                 "array-flatten": "1.1.1",
-                "body-parser": "~1.20.3",
+                "body-parser": "~1.20.5",
                 "content-disposition": "~0.5.4",
                 "content-type": "~1.0.4",
                 "cookie": "~0.7.1",
@@ -8336,7 +8356,7 @@
                 "parseurl": "~1.3.3",
                 "path-to-regexp": "~0.1.12",
                 "proxy-addr": "~2.0.7",
-                "qs": "~6.14.0",
+                "qs": "~6.15.1",
                 "range-parser": "~1.2.1",
                 "safe-buffer": "5.2.1",
                 "send": "~0.19.0",
@@ -8388,21 +8408,6 @@
             "resolved": "https://registry.npmjs.org/path-to-regexp/-/path-to-regexp-0.1.12.tgz",
             "integrity": "sha512-RA1GjUVMnvYFxuqovrEqZoxxW5NUZqbwKtYz/Tt7nXerk0LbLblQmrsgdeOxV5SFHf0UDggjS/bSeOZwt1pmEQ=="
         },
-        "node_modules/express/node_modules/qs": {
-            "version": "6.14.0",
-            "resolved": "https://registry.npmjs.org/qs/-/qs-6.14.0.tgz",
-            "integrity": "sha512-YWWTjgABSKcvs/nWBi9PycY/JiPJqOD4JA6o9Sej2AtvSGarXxKC3OQSk4pAarbdQlKAh5D4FCQkJNkW+GAn3w==",
-            "license": "BSD-3-Clause",
-            "dependencies": {
-                "side-channel": "^1.1.0"
-            },
-            "engines": {
-                "node": ">=0.6"
-            },
-            "funding": {
-                "url": "https://github.com/sponsors/ljharb"
-            }
-        },
         "node_modules/extend-object": {
             "version": "1.0.0",
             "resolved": "https://registry.npmjs.org/extend-object/-/extend-object-1.0.0.tgz",
@@ -11180,9 +11185,9 @@
             "integrity": "sha512-sGkPx+VjMtmA6MX27oA4FBFELFCZZ4S4XqeGOXCv68tT+jb3vk/RyaKWP0PTKyWtmLSM0b+adUTEvbs1PEaH2w=="
         },
         "node_modules/kysely": {
-            "version": "0.28.14",
-            "resolved": "https://registry.npmjs.org/kysely/-/kysely-0.28.14.tgz",
-            "integrity": "sha512-SU3lgh0rPvq7upc6vvdVrCsSMUG1h3ChvHVOY7wJ2fw4C9QEB7X3d5eyYEyULUX7UQtxZJtZXGuT6U2US72UYA==",
+            "version": "0.28.17",
+            "resolved": "https://registry.npmjs.org/kysely/-/kysely-0.28.17.tgz",
+            "integrity": "sha512-nbD8lB9EB3wNdMhOCdx5Li8DxnLbvKByylRLcJ1h+4SkrowVeECAyZlyiKMThF7xFdRz0jSQ2MoJr+wXux2y0Q==",
             "license": "MIT",
             "engines": {
                 "node": ">=20.0.0"
@@ -11448,6 +11453,7 @@
             "version": "0.3.0",
             "resolved": "https://registry.npmjs.org/media-typer/-/media-typer-0.3.0.tgz",
             "integrity": "sha512-dq+qelQ9akHpcOl/gUVRTxVIOkAJ1wR3QAvb4RsVjS8oVoFjDGTc679wJYmUmknUF5HwMLOgb5O+a3KxfWapPQ==",
+            "license": "MIT",
             "engines": {
                 "node": ">= 0.6"
             }
@@ -12868,11 +12874,12 @@
             ]
         },
         "node_modules/qs": {
-            "version": "6.13.0",
-            "resolved": "https://registry.npmjs.org/qs/-/qs-6.13.0.tgz",
-            "integrity": "sha512-+38qI9SOr8tfZ4QmJNplMUxqjbe7LKvvZgWdExBOmd+egZTtjLB67Gu0HRX3u/XOq7UU2Nx6nsjvS16Z9uwfpg==",
+            "version": "6.15.2",
+            "resolved": "https://registry.npmjs.org/qs/-/qs-6.15.2.tgz",
+            "integrity": "sha512-Rzq0KEyX/w/tEybncDgdkZrJgVUsUMk3xjh3t5bv3S1HTAtg+uOYt72+ZfwiQwKdysThkTBdL/rTi6HDmX9Ddw==",
+            "license": "BSD-3-Clause",
             "dependencies": {
-                "side-channel": "^1.0.6"
+                "side-channel": "^1.1.0"
             },
             "engines": {
                 "node": ">=0.6"
@@ -12932,23 +12939,45 @@
             }
         },
         "node_modules/raw-body": {
-            "version": "2.5.2",
-            "resolved": "https://registry.npmjs.org/raw-body/-/raw-body-2.5.2.tgz",
-            "integrity": "sha512-8zGqypfENjCIqGhgXToC8aB2r7YrBX+AQAfIPs/Mlk+BtPTztOvTS01NRW/3Eh60J+a48lt8qsCzirQ6loCVfA==",
+            "version": "2.5.3",
+            "resolved": "https://registry.npmjs.org/raw-body/-/raw-body-2.5.3.tgz",
+            "integrity": "sha512-s4VSOf6yN0rvbRZGxs8Om5CWj6seneMwK3oDb4lWDH0UPhWcxwOWw5+qk24bxq87szX1ydrwylIOp2uG1ojUpA==",
+            "license": "MIT",
             "dependencies": {
-                "bytes": "3.1.2",
-                "http-errors": "2.0.0",
-                "iconv-lite": "0.4.24",
-                "unpipe": "1.0.0"
+                "bytes": "~3.1.2",
+                "http-errors": "~2.0.1",
+                "iconv-lite": "~0.4.24",
+                "unpipe": "~1.0.0"
             },
             "engines": {
                 "node": ">= 0.8"
             }
         },
+        "node_modules/raw-body/node_modules/http-errors": {
+            "version": "2.0.1",
+            "resolved": "https://registry.npmjs.org/http-errors/-/http-errors-2.0.1.tgz",
+            "integrity": "sha512-4FbRdAX+bSdmo4AUFuS0WNiPz8NgFt+r8ThgNWmlrjQjt1Q7ZR9+zTlce2859x4KSXrwIsaeTqDoKQmtP8pLmQ==",
+            "license": "MIT",
+            "dependencies": {
+                "depd": "~2.0.0",
+                "inherits": "~2.0.4",
+                "setprototypeof": "~1.2.0",
+                "statuses": "~2.0.2",
+                "toidentifier": "~1.0.1"
+            },
+            "engines": {
+                "node": ">= 0.8"
+            },
+            "funding": {
+                "type": "opencollective",
+                "url": "https://opencollective.com/express"
+            }
+        },
         "node_modules/raw-body/node_modules/iconv-lite": {
             "version": "0.4.24",
             "resolved": "https://registry.npmjs.org/iconv-lite/-/iconv-lite-0.4.24.tgz",
             "integrity": "sha512-v3MXnZAcvnywkTUEZomIActle7RXXeedOR31wwl7VlyoXO4Qi9arvSenNQWne1TcRwhCL1HwLI21bEqdpj8/rA==",
+            "license": "MIT",
             "dependencies": {
                 "safer-buffer": ">= 2.1.2 < 3"
             },
@@ -12956,6 +12985,15 @@
                 "node": ">=0.10.0"
             }
         },
+        "node_modules/raw-body/node_modules/statuses": {
+            "version": "2.0.2",
+            "resolved": "https://registry.npmjs.org/statuses/-/statuses-2.0.2.tgz",
+            "integrity": "sha512-DvEy55V3DB7uknRo+4iOGT5fP1slR8wQohVdknigZPMpMstaKJQWhwiYBACJE3Ul2pTnATihhBYnRhZQHGBiRw==",
+            "license": "MIT",
+            "engines": {
+                "node": ">= 0.8"
+            }
+        },
         "node_modules/rc": {
             "version": "1.2.8",
             "resolved": "https://registry.npmjs.org/rc/-/rc-1.2.8.tgz",
@@ -14550,6 +14588,7 @@
             "version": "1.6.18",
             "resolved": "https://registry.npmjs.org/type-is/-/type-is-1.6.18.tgz",
             "integrity": "sha512-TkRKr9sUTxEH8MdfuCSP7VizJyzRNMjj2J2do2Jr3Kym598JVdEksuzPQCnlFPW4ky9Q+iA+ma9BGm06XQBy8g==",
+            "license": "MIT",
             "dependencies": {
                 "media-typer": "0.3.0",
                 "mime-types": "~2.1.24"

package/dist/package.json

@@ -1,6 +1,6 @@
 {
     "name": "@creator.co/wapi",
-    "version": "1.9.3",
+    "version": "1.10.1",
     "description": "",
     "main": "dist/index.js",
     "types": "dist/index.d.ts",
@@ -40,13 +40,13 @@
         "cuid": "^3.0.0",
         "dotenv": "^16.4.1",
         "email-templates": "^13.0.1",
-        "express": "^4.22.0",
+        "express": "^4.22.2",
         "express-rate-limit": "^7.5.0",
         "json-stringify-safe": "^5.0.1",
         "jsonwebtoken": "^9.0.2",
         "knex": "^3.0.1",
         "knex-stringcase": "^1.4.6",
-        "kysely": "^0.28.14",
+        "kysely": "^0.28.17",
         "node-cache": "^5.1.2",
         "nodemailer": "^8.0.5",
         "object-hash": "^3.0.0",

package/dist/src/Server/lib/container/Proxy.d.ts

@@ -30,6 +30,12 @@ export default class Proxy {
      * @returns None
      */
     private readonly serverlessHandler;
+    /**
+     * Route resolver used to identify per-route rate limit configuration.
+     * @private
+     * @readonly
+     */
+    private readonly routeResolver;
     /**
      * Represents a listener for an HTTP server.
      * @private
@@ -70,6 +76,15 @@ export default class Proxy {
      * @returns None
      */
     private installRoutes;
+    /**
+     * Creates rate limiting middleware from a per-route {@link RateLimitConfig},
+     * inheriting the global Redis store configuration when available so all
+     * rate-limit counters share the same Redis connection.
+     * @param {RateLimitConfig} config - The per-route rate limit configuration
+     * @returns {express.RequestHandler} Express middleware for rate limiting
+     * @private
+     */
+    private createRouteRateLimitMiddleware;
     /**
      * Creates rate limiting middleware based on the provided configuration.
      * @param {GlobalRateLimitConfig} config - The rate limit configuration

package/dist/src/Server/lib/container/Proxy.js

@@ -18,6 +18,7 @@ import HealthHandler from './HealthHandler.js';
 import Globals from '../../../Globals.js';
 import Logger from '../../../Logger/Logger.js';
 import Utils from '../../../Util/Utils.js';
+import RouteResolver from '../../RouteResolver.js';
 /* Get package.json version from Wapi on ESM */
 const { version: appVersion } = JSON.parse(fs.readFileSync('package.json').toString());
 /**
@@ -34,8 +35,12 @@ export default class Proxy {
         this.stopping = false;
         this.config = config;
         this.serverlessHandler = serverlessHandler;
+        this.routeResolver = new RouteResolver(this.config);
         this.logger = new Logger({ logLevel: 'INFO' }, 'proxy-container');
         this.app = express();
+        // Trust the first proxy hop so req.ip resolves to the real client IP
+        // (not the load balancer's IP) when running behind ALB or similar.
+        this.app.set('trust proxy', 1);
         /* Opinionated Express configs */
         this.app.use(express.json({
             verify(req, res, buf) {
@@ -54,7 +59,16 @@ export default class Proxy {
         // Apply global rate limiting if configured
         if (this.config.rateLimit && this.config.rateLimit.enabled !== false) {
             this.logger.info('[Proxy] - [RATE-LIMIT] - Global rate limiting enabled');
-            const rateLimitMiddleware = this.createRateLimitMiddleware(this.config.rateLimit);
+            // Augment the skip function to bypass the global limit for routes that
+            // have their own rateLimit config (false = disable, or a RateLimitConfig).
+            const globalConfig = Object.assign(Object.assign({}, this.config.rateLimit), { skip: (req) => {
+                    var _a, _b, _c;
+                    const route = this.routeResolver.resolveRoute(req.method, req.path);
+                    if (route && route.rateLimit !== undefined)
+                        return true;
+                    return (_c = (_b = (_a = this.config.rateLimit).skip) === null || _b === void 0 ? void 0 : _b.call(_a, req)) !== null && _c !== void 0 ? _c : false;
+                } });
+            const rateLimitMiddleware = this.createRateLimitMiddleware(globalConfig);
             this.app.use(rateLimitMiddleware);
         }
         // //This supposedly fix some 502 codes where nodejs socket would hang during
@@ -148,11 +162,79 @@ export default class Proxy {
         this.app
             .route(this.config.healthCheckRoute || Globals.Listener_HTTP_DefaultHealthCheckRoute)
             .get(HealthHandler);
+        // Register individual routes that declare their own rateLimit config.
+        // These are installed BEFORE the wildcard so Express matches them first,
+        // giving each route an independent rate limit bucket.
+        for (const route of this.config.routes) {
+            if (!route.rateLimit)
+                continue;
+            const rlMiddleware = this.createRouteRateLimitMiddleware(route.rateLimit);
+            const paths = Array.isArray(route.path) ? route.path : [route.path];
+            for (const path of paths) {
+                ;
+                this.app.route(path)[route.method.toLowerCase()](rlMiddleware, GenericHandler(this.serverlessHandler));
+            }
+        }
         //Main route -- We use a wildcard route because is not the job of the runtime and neither
         //the task to deny/constrain routes that invoked this task; all the job is done by the
         //load balancer and we just foward everything we have to the function.
         this.app.route(Globals.Listener_HTTP_ProxyRoute).all(GenericHandler(this.serverlessHandler));
     }
+    /**
+     * Creates rate limiting middleware from a per-route {@link RateLimitConfig},
+     * inheriting the global Redis store configuration when available so all
+     * rate-limit counters share the same Redis connection.
+     * @param {RateLimitConfig} config - The per-route rate limit configuration
+     * @returns {express.RequestHandler} Express middleware for rate limiting
+     * @private
+     */
+    createRouteRateLimitMiddleware(config) {
+        // Resolve keyGenerator string shorthands to concrete functions.
+        let keyGenerator;
+        if (config.keyGenerator === 'ip') {
+            keyGenerator = (req) => req.ip || req.socket.remoteAddress || 'unknown';
+        }
+        else if (config.keyGenerator === 'userId') {
+            keyGenerator = (req) => {
+                const authHeader = req.headers['authorization'];
+                if (authHeader === null || authHeader === void 0 ? void 0 : authHeader.startsWith('Bearer ')) {
+                    const parts = authHeader.slice(7).split('.');
+                    if (parts.length === 3) {
+                        try {
+                            const payload = JSON.parse(Buffer.from(parts[1], 'base64url').toString('utf8'));
+                            const userId = payload.sub || payload.id || payload.userId;
+                            if (userId)
+                                return String(userId);
+                        }
+                        catch (_a) {
+                            // malformed token — fall through to IP
+                        }
+                    }
+                }
+                return req.ip || req.socket.remoteAddress || 'unknown';
+            };
+        }
+        else {
+            keyGenerator = config.keyGenerator;
+        }
+        // Inherit the global Redis store (if configured) so per-route limiters
+        // share the same connection; distinguish them with a unique key prefix.
+        const globalRl = this.config.rateLimit;
+        const globalConfig = {
+            windowMs: config.windowMs,
+            limit: config.limit,
+            keyGenerator,
+            skip: config.skip,
+            store: globalRl === null || globalRl === void 0 ? void 0 : globalRl.store,
+            redis: (globalRl === null || globalRl === void 0 ? void 0 : globalRl.redis)
+                ? {
+                    client: globalRl.redis.client,
+                    prefix: `${globalRl.redis.prefix || 'wapi:rl:'}route:`,
+                }
+                : undefined,
+        };
+        return this.createRateLimitMiddleware(globalConfig);
+    }
     /**
      * Creates rate limiting middleware based on the provided configuration.
      * @param {GlobalRateLimitConfig} config - The rate limit configuration
@@ -169,12 +251,27 @@ export default class Proxy {
             // Key generator - how to identify unique clients
             keyGenerator: config.keyGenerator ||
                 ((req) => {
-                    var _a, _b;
-                    // Use IP address from proxy-aware sources
-                    return (req.ip ||
-                        ((_b = (_a = req.headers['x-forwarded-for']) === null || _a === void 0 ? void 0 : _a.split(',')[0]) === null || _b === void 0 ? void 0 : _b.trim()) ||
-                        req.socket.remoteAddress ||
-                        'unknown');
+                    // For authenticated requests, use the stable user ID from the JWT
+                    // payload so that multiple users behind the same IP are bucketed
+                    // independently and token rotation doesn't change a user's bucket.
+                    const authHeader = req.headers['authorization'];
+                    if (authHeader === null || authHeader === void 0 ? void 0 : authHeader.startsWith('Bearer ')) {
+                        const parts = authHeader.slice(7).split('.');
+                        if (parts.length === 3) {
+                            try {
+                                const payload = JSON.parse(Buffer.from(parts[1], 'base64url').toString('utf8'));
+                                const userId = payload.sub || payload.id || payload.userId;
+                                if (userId)
+                                    return String(userId);
+                            }
+                            catch (_a) {
+                                // malformed token — fall through to IP
+                            }
+                        }
+                    }
+                    // Unauthenticated: fall back to real client IP.
+                    // trust proxy is set so req.ip reflects x-forwarded-for correctly.
+                    return req.ip || req.socket.remoteAddress || 'unknown';
                 }),
             // Custom handler when rate limit is exceeded
             handler: config.handler ||

package/dist/src/Server/lib/container/Proxy.js.map

@@ -1 +1 @@
-{"version":3,"file":"Proxy.js","sourceRoot":"","sources":["../../../../../src/Server/lib/container/Proxy.ts"],"names":[],"mappings":";;;;;;;;;AAAA,OAAO,EAAE,MAAM,IAAI,CAAA;AACnB,OAAO,EAAwB,YAAY,EAAE,MAAM,MAAM,CAAA;AAEzD,OAAO,IAAI,MAAM,MAAM,CAAA;AACvB,OAAO,OAAO,MAAM,SAAS,CAAA;AAC7B,OAAO,EAAE,SAAS,EAAE,MAAM,oBAAoB,CAAA;AAC9C,OAAO,EAAE,UAAU,EAAE,MAAM,kBAAkB,CAAA;AAG7C,OAAO,cAAc,MAAM,qBAAqB,CAAA;AAChD,OAAO,aAAa,MAAM,oBAAoB,CAAA;AAC9C,OAAO,OAAO,MAAM,qBAAqB,CAAA;AACzC,OAAO,MAAM,MAAM,2BAA2B,CAAA;AAC9C,OAAO,KAAK,MAAM,wBAAwB,CAAA;AAG1C,+CAA+C;AAC/C,MAAM,EAAE,OAAO,EAAE,UAAU,EAAE,GAAG,IAAI,CAAC,KAAK,CAAC,EAAE,CAAC,YAAY,CAAC,cAAc,CAAC,CAAC,QAAQ,EAAE,CAAC,CAAA;AAEtF;;GAEG;AACH,MAAM,CAAC,OAAO,OAAO,KAAK;IAkCxB;;;;;OAKG;IACH,YAAY,MAAoB,EAAE,iBAAkD;QAClF,IAAI,CAAC,QAAQ,GAAG,KAAK,CAAA;QACrB,IAAI,CAAC,MAAM,GAAG,MAAM,CAAA;QACpB,IAAI,CAAC,iBAAiB,GAAG,iBAAiB,CAAA;QAC1C,IAAI,CAAC,MAAM,GAAG,IAAI,MAAM,CAAC,EAAE,QAAQ,EAAE,MAAM,EAAE,EAAE,iBAAiB,CAAC,CAAA;QACjE,IAAI,CAAC,GAAG,GAAG,OAAO,EAAE,CAAA;QACpB,iCAAiC;QACjC,IAAI,CAAC,GAAG,CAAC,GAAG,CACV,OAAO,CAAC,IAAI,CAAC;YACX,MAAM,CAAC,GAAG,EAAE,GAAG,EAAE,GAAG;gBAClB,GAAG,CAAC,SAAS,CAAC,GAAG,GAAG,CAAA;YACtB,CAAC;SACF,CAAC,CACH,CAAA;QACD,oBAAoB;QACpB,MAAM,UAAU,GAAG,IAAI,CAAC,MAAM,CAAC,IAAI,IAAI,KAAK,CAAC,sBAAsB,CAAC,OAAO,CAAC,GAAG,CAAC,IAAI,CAAC,CAAA;QACrF,IAAI,CAAC,GAAG,CAAC,GAAG,CACV,IAAI,CACF,UAAU;YACR,CAAC,CAAC;gBACE,MAAM,EAAE,UAAU,CAAC,MAAM;gBACzB,cAAc,EAAE,UAAU,CAAC,OAAO;gBAClC,WAAW,EAAE,CAAC,CAAC,UAAU,CAAC,gBAAgB;aAC3C;YACH,CAAC,CAAC,EAAE,CACP,CACF,CAAA;QAED,2CAA2C;QAC3C,IAAI,IAAI,CAAC,MAAM,CAAC,SAAS,IAAI,IAAI,CAAC,MAAM,CAAC,SAAS,CAAC,OAAO,KAAK,KAAK,EAAE,CAAC;YACrE,IAAI,CAAC,MAAM,CAAC,IAAI,CAAC,uDAAuD,CAAC,CAAA;YACzE,MAAM,mBAAmB,GAAG,IAAI,CAAC,yBAAyB,CAAC,IAAI,CAAC,MAAM,CAAC,SAAS,CAAC,CAAA;YACjF,IAAI,CAAC,GAAG,CAAC,GAAG,CAAC,mBAAmB,CAAC,CAAA;QACnC,CAAC;QAED,6EAA6E;QAC7E,iFAAiF;QACjF,gFAAgF;QAChF,mFAAmF;QACnF,mBAAmB;QACnB,kDAAkD;QAClD,gDAAgD;IAClD,CAAC;IAED;;;OAGG;IACU,IAAI;;YACf,MAAM,IAAI,CAAC,cAAc,EAAE,CAAA;YAC3B,IAAI,CAAC,aAAa,EAAE,CAAA;QACtB,CAAC;KAAA;IAED;;;;OAIG;IACU,MAAM,CAAC,GAAS;;YAC3B,MAAM,IAAI,CAAC,aAAa,CAAC,GAAG,CAAC,CAAA;QAC/B,CAAC;KAAA;IAED;;;OAGG;IACW,cAAc;;YAC1B,qDAAqD;YACrD,OAAO,IAAI,OAAO,CAAC,CAAM,OAAO,EAAC,EAAE;gBACjC,MAAM,IAAI,GAAG,IAAI,CAAC,MAAM,CAAC,IAAI,IAAI,OAAO,CAAC,yBAAyB,CAAA;gBAClE,IAAI,CAAC,MAAM,CAAC,IAAI,CAAC,4BAA4B,UAAU,OAAO,IAAI,EAAE,CAAC,CAAA;gBACrE,gBAAgB;gBAChB,IAAI,CAAC,QAAQ,GAAG,YAAY,CAAC,IAAI,CAAC,GAAG,CAAC,CAAA;gBACtC,eAAe;gBACf,IAAI,CAAC,QAAQ,CAAC,UAAU,CAAC,IAAI,CAAC,MAAM,CAAC,OAAO,IAAI,OAAO,CAAC,4BAA4B,CAAC,CAAA;gBACrF,0EAA0E;gBAC1E,8BAA8B;gBAC9B,IAAI,CAAC,QAAQ,CAAC,gBAAgB,GAAG,KAAK,CAAA;gBACtC,IAAI,CAAC,QAAQ,CAAC,cAAc,GAAG,KAAK,CAAA;gBAEpC,yBAAyB;gBACzB,IAAI,IAAI,CAAC,MAAM,CAAC,kBAAkB;oBAChC,MAAM,IAAI,CAAC,MAAM,CAAC,kBAAkB,CAAC,IAAI,CAAC,QAAQ,EAAE,IAAI,CAAC,GAAG,CAAC,CAAA;gBAC/D,eAAe;gBACf,IAAI,CAAC,QAAQ,CAAC,MAAM,CAAC,IAAI,EAAE,GAAG,EAAE;oBAC9B,OAAO,CAAC,GAAG,CAAC,qBAAqB,CAAC,CAAA;oBAClC,OAAO,EAAE,CAAA;gBACX,CAAC,CAAC,CAAA;YACJ,CAAC,CAAA,CAAC,CAAA;QACJ,CAAC;KAAA;IAED;;;;OAIG;IACW,aAAa,CAAC,GAAS;;YACnC,IAAI,IAAI,CAAC,QAAQ;gBAAE,OAAM;YACzB,IAAI,CAAC,QAAQ,GAAG,IAAI,CAAA;YACpB,IAAI,CAAC,MAAM,CAAC,IAAI,CAAC,sBAAsB,CAAC,CAAA;YACxC,OAAO,IAAI,OAAO,CAAC,OAAO,CAAC,EAAE;gBAC3B,IAAI,CAAC,QAAQ,CAAC,KAAK,CAAC,IAAI,CAAC,EAAE;oBACzB,MAAM,IAAI,GAAG,GAAG,IAAI,IAAI,CAAA;oBACxB,IAAI,IAAI;wBAAE,IAAI,CAAC,MAAM,CAAC,KAAK,CAAC,wBAAwB,EAAE,IAAI,CAAC,CAAA;oBAC3D,IAAI,CAAC,MAAM,CAAC,IAAI,CAAC,qBAAqB,CAAC,CAAA;oBACvC,OAAO,CAAC,IAAI,CAAC,IAAI,CAAC,CAAC,CAAC,CAAC,CAAC,CAAC,CAAC,CAAC,CAAC,CAAA;oBAC1B,OAAO,CAAC,IAAI,CAAC,CAAA;gBACf,CAAC,CAAC,CAAA;YACJ,CAAC,CAAC,CAAA;QACJ,CAAC;KAAA;IAED;;;OAGG;IACK,aAAa;QACnB,+DAA+D;QAC/D,mDAAmD;QACnD,OAAO,CAAC,GAAG,CACT,8BACE,IAAI,CAAC,MAAM,CAAC,gBAAgB,IAAI,OAAO,CAAC,qCAC1C,EAAE,CACH,CAAA;QACD,IAAI,CAAC,GAAG;aACL,KAAK,CAAC,IAAI,CAAC,MAAM,CAAC,gBAAgB,IAAI,OAAO,CAAC,qCAAqC,CAAC;aACpF,GAAG,CAAC,aAAa,CAAC,CAAA;QACrB,yFAAyF;QACzF,sFAAsF;QACtF,sEAAsE;QACtE,IAAI,CAAC,GAAG,CAAC,KAAK,CAAC,OAAO,CAAC,wBAAwB,CAAC,CAAC,GAAG,CAAC,cAAc,CAAC,IAAI,CAAC,iBAAiB,CAAC,CAAC,CAAA;IAC9F,CAAC;IAED;;;;;OAKG;IACK,yBAAyB,CAAC,MAA6B;QAC7D,MAAM,KAAK,GAAG,IAAI,CAAC,oBAAoB,CAAC,MAAM,CAAC,CAAA;QAE/C,OAAO,SAAS,CAAC;YACf,QAAQ,EAAE,MAAM,CAAC,QAAQ,IAAI,KAAK,EAAE,oBAAoB;YACxD,KAAK,EAAE,MAAM,CAAC,KAAK,IAAI,EAAE,EAAE,oCAAoC;YAC/D,eAAe,EAAE,IAAI,EAAE,kDAAkD;YACzE,aAAa,EAAE,KAAK,EAAE,kCAAkC;YAExD,iDAAiD;YACjD,YAAY,EACV,MAAM,CAAC,YAAY;gBACnB,CAAC,CAAC,GAAoB,EAAE,EAAE;;oBACxB,0CAA0C;oBAC1C,OAAO,CACJ,GAAG,CAAC,EAAa;yBAClB,MAAA,MAAC,GAAG,CAAC,OAAO,CAAC,iBAAiB,CAAY,0CAAE,KAAK,CAAC,GAAG,EAAE,CAAC,CAAC,0CAAE,IAAI,EAAE,CAAA;wBACjE,GAAG,CAAC,MAAM,CAAC,aAAa;wBACxB,SAAS,CACV,CAAA;gBACH,CAAC,CAAC;YAEJ,6CAA6C;YAC7C,OAAO,EACL,MAAM,CAAC,OAAO;gBACd,CAAC,CAAC,GAAoB,EAAE,GAAqB,EAAE,EAAE;oBAC/C,2BAA2B;oBAC3B,IAAI,CAAC,MAAM,CAAC,IAAI,CAAC,yCAAyC,EAAE;wBAC1D,EAAE,EAAE,GAAG,CAAC,EAAE;wBACV,IAAI,EAAE,GAAG,CAAC,IAAI;wBACd,MAAM,EAAE,GAAG,CAAC,MAAM;wBAClB,SAAS,EAAE,IAAI,IAAI,EAAE,CAAC,WAAW,EAAE;qBACpC,CAAC,CAAA;oBAEF,GAAG,CAAC,MAAM,CAAC,GAAG,CAAC,CAAC,IAAI,CAAC;wBACnB,KAAK,EAAE,qBAAqB;wBAC5B,OAAO,EAAE,4CAA4C;qBACtD,CAAC,CAAA;gBACJ,CAAC,CAAC;YAEJ,sEAAsE;YACtE,IAAI,EAAE,MAAM,CAAC,IAAI;YAEjB,uDAAuD;YACvD,KAAK,EAAE,KAAK;SACb,CAAC,CAAA;IACJ,CAAC;IAED;;;;;OAKG;IACK,oBAAoB,CAAC,MAA6B;;QACxD,IAAI,MAAM,CAAC,KAAK,KAAK,OAAO,KAAI,MAAA,MAAM,CAAC,KAAK,0CAAE,MAAM,CAAA,EAAE,CAAC;YACrD,OAAO,CAAC,GAAG,CAAC,4CAA4C,CAAC,CAAA;YACzD,OAAO,IAAI,UAAU,CAAC;gBACpB,WAAW,EAAE,CAAC,GAAG,IAAc,EAAE,EAAE,CAAC,MAAM,CAAC,KAAM,CAAC,MAAM,CAAC,WAAW,CAAC,IAAI,CAAC;gBAC1E,MAAM,EAAE,MAAM,CAAC,KAAK,CAAC,MAAM,IAAI,UAAU;aAC1C,CAAC,CAAA;QACJ,CAAC;QAED,OAAO,CAAC,GAAG,CAAC,gDAAgD,CAAC,CAAA;QAC7D,OAAO,SAAS,CAAA,CAAC,iDAAiD;IACpE,CAAC;CACF"}
+{"version":3,"file":"Proxy.js","sourceRoot":"","sources":["../../../../../src/Server/lib/container/Proxy.ts"],"names":[],"mappings":";;;;;;;;;AAAA,OAAO,EAAE,MAAM,IAAI,CAAA;AACnB,OAAO,EAAwB,YAAY,EAAE,MAAM,MAAM,CAAA;AAEzD,OAAO,IAAI,MAAM,MAAM,CAAA;AACvB,OAAO,OAAO,MAAM,SAAS,CAAA;AAC7B,OAAO,EAAE,SAAS,EAAE,MAAM,oBAAoB,CAAA;AAC9C,OAAO,EAAE,UAAU,EAAE,MAAM,kBAAkB,CAAA;AAG7C,OAAO,cAAc,MAAM,qBAAqB,CAAA;AAChD,OAAO,aAAa,MAAM,oBAAoB,CAAA;AAE9C,OAAO,OAAO,MAAM,qBAAqB,CAAA;AACzC,OAAO,MAAM,MAAM,2BAA2B,CAAA;AAC9C,OAAO,KAAK,MAAM,wBAAwB,CAAA;AAE1C,OAAO,aAAa,MAAM,wBAAwB,CAAA;AAElD,+CAA+C;AAC/C,MAAM,EAAE,OAAO,EAAE,UAAU,EAAE,GAAG,IAAI,CAAC,KAAK,CAAC,EAAE,CAAC,YAAY,CAAC,cAAc,CAAC,CAAC,QAAQ,EAAE,CAAC,CAAA;AAEtF;;GAEG;AACH,MAAM,CAAC,OAAO,OAAO,KAAK;IAwCxB;;;;;OAKG;IACH,YAAY,MAAoB,EAAE,iBAAkD;QAClF,IAAI,CAAC,QAAQ,GAAG,KAAK,CAAA;QACrB,IAAI,CAAC,MAAM,GAAG,MAAM,CAAA;QACpB,IAAI,CAAC,iBAAiB,GAAG,iBAAiB,CAAA;QAC1C,IAAI,CAAC,aAAa,GAAG,IAAI,aAAa,CAAC,IAAI,CAAC,MAAM,CAAC,CAAA;QACnD,IAAI,CAAC,MAAM,GAAG,IAAI,MAAM,CAAC,EAAE,QAAQ,EAAE,MAAM,EAAE,EAAE,iBAAiB,CAAC,CAAA;QACjE,IAAI,CAAC,GAAG,GAAG,OAAO,EAAE,CAAA;QACpB,qEAAqE;QACrE,mEAAmE;QACnE,IAAI,CAAC,GAAG,CAAC,GAAG,CAAC,aAAa,EAAE,CAAC,CAAC,CAAA;QAC9B,iCAAiC;QACjC,IAAI,CAAC,GAAG,CAAC,GAAG,CACV,OAAO,CAAC,IAAI,CAAC;YACX,MAAM,CAAC,GAAG,EAAE,GAAG,EAAE,GAAG;gBAClB,GAAG,CAAC,SAAS,CAAC,GAAG,GAAG,CAAA;YACtB,CAAC;SACF,CAAC,CACH,CAAA;QACD,oBAAoB;QACpB,MAAM,UAAU,GAAG,IAAI,CAAC,MAAM,CAAC,IAAI,IAAI,KAAK,CAAC,sBAAsB,CAAC,OAAO,CAAC,GAAG,CAAC,IAAI,CAAC,CAAA;QACrF,IAAI,CAAC,GAAG,CAAC,GAAG,CACV,IAAI,CACF,UAAU;YACR,CAAC,CAAC;gBACE,MAAM,EAAE,UAAU,CAAC,MAAM;gBACzB,cAAc,EAAE,UAAU,CAAC,OAAO;gBAClC,WAAW,EAAE,CAAC,CAAC,UAAU,CAAC,gBAAgB;aAC3C;YACH,CAAC,CAAC,EAAE,CACP,CACF,CAAA;QAED,2CAA2C;QAC3C,IAAI,IAAI,CAAC,MAAM,CAAC,SAAS,IAAI,IAAI,CAAC,MAAM,CAAC,SAAS,CAAC,OAAO,KAAK,KAAK,EAAE,CAAC;YACrE,IAAI,CAAC,MAAM,CAAC,IAAI,CAAC,uDAAuD,CAAC,CAAA;YACzE,uEAAuE;YACvE,2EAA2E;YAC3E,MAAM,YAAY,mCACb,IAAI,CAAC,MAAM,CAAC,SAAS,KACxB,IAAI,EAAE,CAAC,GAAoB,EAAE,EAAE;;oBAC7B,MAAM,KAAK,GAAG,IAAI,CAAC,aAAa,CAAC,YAAY,CAAC,GAAG,CAAC,MAAoB,EAAE,GAAG,CAAC,IAAI,CAAC,CAAA;oBACjF,IAAI,KAAK,IAAI,KAAK,CAAC,SAAS,KAAK,SAAS;wBAAE,OAAO,IAAI,CAAA;oBACvD,OAAO,MAAA,MAAA,MAAA,IAAI,CAAC,MAAM,CAAC,SAAU,EAAC,IAAI,mDAAG,GAAG,CAAC,mCAAI,KAAK,CAAA;gBACpD,CAAC,GACF,CAAA;YACD,MAAM,mBAAmB,GAAG,IAAI,CAAC,yBAAyB,CAAC,YAAY,CAAC,CAAA;YACxE,IAAI,CAAC,GAAG,CAAC,GAAG,CAAC,mBAAmB,CAAC,CAAA;QACnC,CAAC;QAED,6EAA6E;QAC7E,iFAAiF;QACjF,gFAAgF;QAChF,mFAAmF;QACnF,mBAAmB;QACnB,kDAAkD;QAClD,gDAAgD;IAClD,CAAC;IAED;;;OAGG;IACU,IAAI;;YACf,MAAM,IAAI,CAAC,cAAc,EAAE,CAAA;YAC3B,IAAI,CAAC,aAAa,EAAE,CAAA;QACtB,CAAC;KAAA;IAED;;;;OAIG;IACU,MAAM,CAAC,GAAS;;YAC3B,MAAM,IAAI,CAAC,aAAa,CAAC,GAAG,CAAC,CAAA;QAC/B,CAAC;KAAA;IAED;;;OAGG;IACW,cAAc;;YAC1B,qDAAqD;YACrD,OAAO,IAAI,OAAO,CAAC,CAAM,OAAO,EAAC,EAAE;gBACjC,MAAM,IAAI,GAAG,IAAI,CAAC,MAAM,CAAC,IAAI,IAAI,OAAO,CAAC,yBAAyB,CAAA;gBAClE,IAAI,CAAC,MAAM,CAAC,IAAI,CAAC,4BAA4B,UAAU,OAAO,IAAI,EAAE,CAAC,CAAA;gBACrE,gBAAgB;gBAChB,IAAI,CAAC,QAAQ,GAAG,YAAY,CAAC,IAAI,CAAC,GAAG,CAAC,CAAA;gBACtC,eAAe;gBACf,IAAI,CAAC,QAAQ,CAAC,UAAU,CAAC,IAAI,CAAC,MAAM,CAAC,OAAO,IAAI,OAAO,CAAC,4BAA4B,CAAC,CAAA;gBACrF,0EAA0E;gBAC1E,8BAA8B;gBAC9B,IAAI,CAAC,QAAQ,CAAC,gBAAgB,GAAG,KAAK,CAAA;gBACtC,IAAI,CAAC,QAAQ,CAAC,cAAc,GAAG,KAAK,CAAA;gBAEpC,yBAAyB;gBACzB,IAAI,IAAI,CAAC,MAAM,CAAC,kBAAkB;oBAChC,MAAM,IAAI,CAAC,MAAM,CAAC,kBAAkB,CAAC,IAAI,CAAC,QAAQ,EAAE,IAAI,CAAC,GAAG,CAAC,CAAA;gBAC/D,eAAe;gBACf,IAAI,CAAC,QAAQ,CAAC,MAAM,CAAC,IAAI,EAAE,GAAG,EAAE;oBAC9B,OAAO,CAAC,GAAG,CAAC,qBAAqB,CAAC,CAAA;oBAClC,OAAO,EAAE,CAAA;gBACX,CAAC,CAAC,CAAA;YACJ,CAAC,CAAA,CAAC,CAAA;QACJ,CAAC;KAAA;IAED;;;;OAIG;IACW,aAAa,CAAC,GAAS;;YACnC,IAAI,IAAI,CAAC,QAAQ;gBAAE,OAAM;YACzB,IAAI,CAAC,QAAQ,GAAG,IAAI,CAAA;YACpB,IAAI,CAAC,MAAM,CAAC,IAAI,CAAC,sBAAsB,CAAC,CAAA;YACxC,OAAO,IAAI,OAAO,CAAC,OAAO,CAAC,EAAE;gBAC3B,IAAI,CAAC,QAAQ,CAAC,KAAK,CAAC,IAAI,CAAC,EAAE;oBACzB,MAAM,IAAI,GAAG,GAAG,IAAI,IAAI,CAAA;oBACxB,IAAI,IAAI;wBAAE,IAAI,CAAC,MAAM,CAAC,KAAK,CAAC,wBAAwB,EAAE,IAAI,CAAC,CAAA;oBAC3D,IAAI,CAAC,MAAM,CAAC,IAAI,CAAC,qBAAqB,CAAC,CAAA;oBACvC,OAAO,CAAC,IAAI,CAAC,IAAI,CAAC,CAAC,CAAC,CAAC,CAAC,CAAC,CAAC,CAAC,CAAC,CAAA;oBAC1B,OAAO,CAAC,IAAI,CAAC,CAAA;gBACf,CAAC,CAAC,CAAA;YACJ,CAAC,CAAC,CAAA;QACJ,CAAC;KAAA;IAED;;;OAGG;IACK,aAAa;QACnB,+DAA+D;QAC/D,mDAAmD;QACnD,OAAO,CAAC,GAAG,CACT,8BACE,IAAI,CAAC,MAAM,CAAC,gBAAgB,IAAI,OAAO,CAAC,qCAC1C,EAAE,CACH,CAAA;QACD,IAAI,CAAC,GAAG;aACL,KAAK,CAAC,IAAI,CAAC,MAAM,CAAC,gBAAgB,IAAI,OAAO,CAAC,qCAAqC,CAAC;aACpF,GAAG,CAAC,aAAa,CAAC,CAAA;QACrB,sEAAsE;QACtE,yEAAyE;QACzE,sDAAsD;QACtD,KAAK,MAAM,KAAK,IAAI,IAAI,CAAC,MAAM,CAAC,MAAM,EAAE,CAAC;YACvC,IAAI,CAAC,KAAK,CAAC,SAAS;gBAAE,SAAQ;YAC9B,MAAM,YAAY,GAAG,IAAI,CAAC,8BAA8B,CAAC,KAAK,CAAC,SAAS,CAAC,CAAA;YACzE,MAAM,KAAK,GAAG,KAAK,CAAC,OAAO,CAAC,KAAK,CAAC,IAAI,CAAC,CAAC,CAAC,CAAC,KAAK,CAAC,IAAI,CAAC,CAAC,CAAC,CAAC,KAAK,CAAC,IAAI,CAAC,CAAA;YACnE,KAAK,MAAM,IAAI,IAAI,KAAK,EAAE,CAAC;gBACzB,CAAC;gBAAC,IAAI,CAAC,GAAG,CAAC,KAAK,CAAC,IAAI,CAAS,CAAC,KAAK,CAAC,MAAM,CAAC,WAAW,EAAE,CAAC,CACxD,YAAY,EACZ,cAAc,CAAC,IAAI,CAAC,iBAAiB,CAAC,CACvC,CAAA;YACH,CAAC;QACH,CAAC;QACD,yFAAyF;QACzF,sFAAsF;QACtF,sEAAsE;QACtE,IAAI,CAAC,GAAG,CAAC,KAAK,CAAC,OAAO,CAAC,wBAAwB,CAAC,CAAC,GAAG,CAAC,cAAc,CAAC,IAAI,CAAC,iBAAiB,CAAC,CAAC,CAAA;IAC9F,CAAC;IAED;;;;;;;OAOG;IACK,8BAA8B,CAAC,MAAuB;QAC5D,gEAAgE;QAChE,IAAI,YAAmD,CAAA;QACvD,IAAI,MAAM,CAAC,YAAY,KAAK,IAAI,EAAE,CAAC;YACjC,YAAY,GAAG,CAAC,GAAoB,EAAE,EAAE,CAAC,GAAG,CAAC,EAAE,IAAI,GAAG,CAAC,MAAM,CAAC,aAAa,IAAI,SAAS,CAAA;QAC1F,CAAC;aAAM,IAAI,MAAM,CAAC,YAAY,KAAK,QAAQ,EAAE,CAAC;YAC5C,YAAY,GAAG,CAAC,GAAoB,EAAE,EAAE;gBACtC,MAAM,UAAU,GAAG,GAAG,CAAC,OAAO,CAAC,eAAe,CAAC,CAAA;gBAC/C,IAAI,UAAU,aAAV,UAAU,uBAAV,UAAU,CAAE,UAAU,CAAC,SAAS,CAAC,EAAE,CAAC;oBACtC,MAAM,KAAK,GAAG,UAAU,CAAC,KAAK,CAAC,CAAC,CAAC,CAAC,KAAK,CAAC,GAAG,CAAC,CAAA;oBAC5C,IAAI,KAAK,CAAC,MAAM,KAAK,CAAC,EAAE,CAAC;wBACvB,IAAI,CAAC;4BACH,MAAM,OAAO,GAAG,IAAI,CAAC,KAAK,CAAC,MAAM,CAAC,IAAI,CAAC,KAAK,CAAC,CAAC,CAAC,EAAE,WAAW,CAAC,CAAC,QAAQ,CAAC,MAAM,CAAC,CAAC,CAAA;4BAC/E,MAAM,MAAM,GAAG,OAAO,CAAC,GAAG,IAAI,OAAO,CAAC,EAAE,IAAI,OAAO,CAAC,MAAM,CAAA;4BAC1D,IAAI,MAAM;gCAAE,OAAO,MAAM,CAAC,MAAM,CAAC,CAAA;wBACnC,CAAC;wBAAC,WAAM,CAAC;4BACP,uCAAuC;wBACzC,CAAC;oBACH,CAAC;gBACH,CAAC;gBACD,OAAO,GAAG,CAAC,EAAE,IAAI,GAAG,CAAC,MAAM,CAAC,aAAa,IAAI,SAAS,CAAA;YACxD,CAAC,CAAA;QACH,CAAC;aAAM,CAAC;YACN,YAAY,GAAG,MAAM,CAAC,YAAY,CAAA;QACpC,CAAC;QAED,uEAAuE;QACvE,wEAAwE;QACxE,MAAM,QAAQ,GAAG,IAAI,CAAC,MAAM,CAAC,SAAS,CAAA;QACtC,MAAM,YAAY,GAA0B;YAC1C,QAAQ,EAAE,MAAM,CAAC,QAAQ;YACzB,KAAK,EAAE,MAAM,CAAC,KAAK;YACnB,YAAY;YACZ,IAAI,EAAE,MAAM,CAAC,IAAI;YACjB,KAAK,EAAE,QAAQ,aAAR,QAAQ,uBAAR,QAAQ,CAAE,KAAK;YACtB,KAAK,EAAE,CAAA,QAAQ,aAAR,QAAQ,uBAAR,QAAQ,CAAE,KAAK;gBACpB,CAAC,CAAC;oBACE,MAAM,EAAE,QAAQ,CAAC,KAAK,CAAC,MAAM;oBAC7B,MAAM,EAAE,GAAG,QAAQ,CAAC,KAAK,CAAC,MAAM,IAAI,UAAU,QAAQ;iBACvD;gBACH,CAAC,CAAC,SAAS;SACd,CAAA;QAED,OAAO,IAAI,CAAC,yBAAyB,CAAC,YAAY,CAAC,CAAA;IACrD,CAAC;IAED;;;;;OAKG;IACK,yBAAyB,CAAC,MAA6B;QAC7D,MAAM,KAAK,GAAG,IAAI,CAAC,oBAAoB,CAAC,MAAM,CAAC,CAAA;QAE/C,OAAO,SAAS,CAAC;YACf,QAAQ,EAAE,MAAM,CAAC,QAAQ,IAAI,KAAK,EAAE,oBAAoB;YACxD,KAAK,EAAE,MAAM,CAAC,KAAK,IAAI,EAAE,EAAE,oCAAoC;YAC/D,eAAe,EAAE,IAAI,EAAE,kDAAkD;YACzE,aAAa,EAAE,KAAK,EAAE,kCAAkC;YAExD,iDAAiD;YACjD,YAAY,EACV,MAAM,CAAC,YAAY;gBACnB,CAAC,CAAC,GAAoB,EAAE,EAAE;oBACxB,kEAAkE;oBAClE,iEAAiE;oBACjE,mEAAmE;oBACnE,MAAM,UAAU,GAAG,GAAG,CAAC,OAAO,CAAC,eAAe,CAAC,CAAA;oBAC/C,IAAI,UAAU,aAAV,UAAU,uBAAV,UAAU,CAAE,UAAU,CAAC,SAAS,CAAC,EAAE,CAAC;wBACtC,MAAM,KAAK,GAAG,UAAU,CAAC,KAAK,CAAC,CAAC,CAAC,CAAC,KAAK,CAAC,GAAG,CAAC,CAAA;wBAC5C,IAAI,KAAK,CAAC,MAAM,KAAK,CAAC,EAAE,CAAC;4BACvB,IAAI,CAAC;gCACH,MAAM,OAAO,GAAG,IAAI,CAAC,KAAK,CAAC,MAAM,CAAC,IAAI,CAAC,KAAK,CAAC,CAAC,CAAC,EAAE,WAAW,CAAC,CAAC,QAAQ,CAAC,MAAM,CAAC,CAAC,CAAA;gCAC/E,MAAM,MAAM,GAAG,OAAO,CAAC,GAAG,IAAI,OAAO,CAAC,EAAE,IAAI,OAAO,CAAC,MAAM,CAAA;gCAC1D,IAAI,MAAM;oCAAE,OAAO,MAAM,CAAC,MAAM,CAAC,CAAA;4BACnC,CAAC;4BAAC,WAAM,CAAC;gCACP,uCAAuC;4BACzC,CAAC;wBACH,CAAC;oBACH,CAAC;oBACD,gDAAgD;oBAChD,mEAAmE;oBACnE,OAAO,GAAG,CAAC,EAAE,IAAI,GAAG,CAAC,MAAM,CAAC,aAAa,IAAI,SAAS,CAAA;gBACxD,CAAC,CAAC;YAEJ,6CAA6C;YAC7C,OAAO,EACL,MAAM,CAAC,OAAO;gBACd,CAAC,CAAC,GAAoB,EAAE,GAAqB,EAAE,EAAE;oBAC/C,2BAA2B;oBAC3B,IAAI,CAAC,MAAM,CAAC,IAAI,CAAC,yCAAyC,EAAE;wBAC1D,EAAE,EAAE,GAAG,CAAC,EAAE;wBACV,IAAI,EAAE,GAAG,CAAC,IAAI;wBACd,MAAM,EAAE,GAAG,CAAC,MAAM;wBAClB,SAAS,EAAE,IAAI,IAAI,EAAE,CAAC,WAAW,EAAE;qBACpC,CAAC,CAAA;oBAEF,GAAG,CAAC,MAAM,CAAC,GAAG,CAAC,CAAC,IAAI,CAAC;wBACnB,KAAK,EAAE,qBAAqB;wBAC5B,OAAO,EAAE,4CAA4C;qBACtD,CAAC,CAAA;gBACJ,CAAC,CAAC;YAEJ,sEAAsE;YACtE,IAAI,EAAE,MAAM,CAAC,IAAI;YAEjB,uDAAuD;YACvD,KAAK,EAAE,KAAK;SACb,CAAC,CAAA;IACJ,CAAC;IAED;;;;;OAKG;IACK,oBAAoB,CAAC,MAA6B;;QACxD,IAAI,MAAM,CAAC,KAAK,KAAK,OAAO,KAAI,MAAA,MAAM,CAAC,KAAK,0CAAE,MAAM,CAAA,EAAE,CAAC;YACrD,OAAO,CAAC,GAAG,CAAC,4CAA4C,CAAC,CAAA;YACzD,OAAO,IAAI,UAAU,CAAC;gBACpB,WAAW,EAAE,CAAC,GAAG,IAAc,EAAE,EAAE,CAAC,MAAM,CAAC,KAAM,CAAC,MAAM,CAAC,WAAW,CAAC,IAAI,CAAC;gBAC1E,MAAM,EAAE,MAAM,CAAC,KAAK,CAAC,MAAM,IAAI,UAAU;aAC1C,CAAC,CAAA;QACJ,CAAC;QAED,OAAO,CAAC,GAAG,CAAC,gDAAgD,CAAC,CAAA;QAC7D,OAAO,SAAS,CAAA,CAAC,iDAAiD;IACpE,CAAC;CACF"}

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@creator.co/wapi",
-  "version": "1.9.3",
+  "version": "1.10.1",
   "description": "",
   "main": "dist/index.js",
   "types": "dist/index.d.ts",
@@ -40,13 +40,13 @@
     "cuid": "^3.0.0",
     "dotenv": "^16.4.1",
     "email-templates": "^13.0.1",
-    "express": "^4.22.0",
+    "express": "^4.22.2",
     "express-rate-limit": "^7.5.0",
     "json-stringify-safe": "^5.0.1",
     "jsonwebtoken": "^9.0.2",
     "knex": "^3.0.1",
     "knex-stringcase": "^1.4.6",
-    "kysely": "^0.28.14",
+    "kysely": "^0.28.17",
     "node-cache": "^5.1.2",
     "nodemailer": "^8.0.5",
     "object-hash": "^3.0.0",

package/src/Server/lib/container/Proxy.ts

@@ -9,10 +9,12 @@ import { RedisStore } from 'rate-limit-redis'
 import Server from './../Server.js'
 import GenericHandler from './GenericHandler.js'
 import HealthHandler from './HealthHandler.js'
+import { HttpMethod } from '../../../API/Request.js'
 import Globals from '../../../Globals.js'
 import Logger from '../../../Logger/Logger.js'
 import Utils from '../../../Util/Utils.js'
-import { GlobalRateLimitConfig, RouterConfig } from '../../Router.js'
+import { GlobalRateLimitConfig, RateLimitConfig, RouterConfig } from '../../Router.js'
+import RouteResolver from '../../RouteResolver.js'
 
 /* Get package.json version from Wapi on ESM */
 const { version: appVersion } = JSON.parse(fs.readFileSync('package.json').toString())
@@ -47,6 +49,12 @@ export default class Proxy {
    * @returns None
    */
   private readonly serverlessHandler: Server['handleServerlessEvent']
+  /**
+   * Route resolver used to identify per-route rate limit configuration.
+   * @private
+   * @readonly
+   */
+  private readonly routeResolver: RouteResolver
   /**
    * Represents a listener for an HTTP server.
    * @private
@@ -64,8 +72,12 @@ export default class Proxy {
     this.stopping = false
     this.config = config
     this.serverlessHandler = serverlessHandler
+    this.routeResolver = new RouteResolver(this.config)
     this.logger = new Logger({ logLevel: 'INFO' }, 'proxy-container')
     this.app = express()
+    // Trust the first proxy hop so req.ip resolves to the real client IP
+    // (not the load balancer's IP) when running behind ALB or similar.
+    this.app.set('trust proxy', 1)
     /* Opinionated Express configs */
     this.app.use(
       express.json({
@@ -91,7 +103,17 @@ export default class Proxy {
     // Apply global rate limiting if configured
     if (this.config.rateLimit && this.config.rateLimit.enabled !== false) {
       this.logger.info('[Proxy] - [RATE-LIMIT] - Global rate limiting enabled')
-      const rateLimitMiddleware = this.createRateLimitMiddleware(this.config.rateLimit)
+      // Augment the skip function to bypass the global limit for routes that
+      // have their own rateLimit config (false = disable, or a RateLimitConfig).
+      const globalConfig: GlobalRateLimitConfig = {
+        ...this.config.rateLimit,
+        skip: (req: express.Request) => {
+          const route = this.routeResolver.resolveRoute(req.method as HttpMethod, req.path)
+          if (route && route.rateLimit !== undefined) return true
+          return this.config.rateLimit!.skip?.(req) ?? false
+        },
+      }
+      const rateLimitMiddleware = this.createRateLimitMiddleware(globalConfig)
       this.app.use(rateLimitMiddleware)
     }
 
@@ -186,12 +208,80 @@ export default class Proxy {
     this.app
       .route(this.config.healthCheckRoute || Globals.Listener_HTTP_DefaultHealthCheckRoute)
       .get(HealthHandler)
+    // Register individual routes that declare their own rateLimit config.
+    // These are installed BEFORE the wildcard so Express matches them first,
+    // giving each route an independent rate limit bucket.
+    for (const route of this.config.routes) {
+      if (!route.rateLimit) continue
+      const rlMiddleware = this.createRouteRateLimitMiddleware(route.rateLimit)
+      const paths = Array.isArray(route.path) ? route.path : [route.path]
+      for (const path of paths) {
+        ;(this.app.route(path) as any)[route.method.toLowerCase()](
+          rlMiddleware,
+          GenericHandler(this.serverlessHandler)
+        )
+      }
+    }
     //Main route -- We use a wildcard route because is not the job of the runtime and neither
     //the task to deny/constrain routes that invoked this task; all the job is done by the
     //load balancer and we just foward everything we have to the function.
     this.app.route(Globals.Listener_HTTP_ProxyRoute).all(GenericHandler(this.serverlessHandler))
   }
 
+  /**
+   * Creates rate limiting middleware from a per-route {@link RateLimitConfig},
+   * inheriting the global Redis store configuration when available so all
+   * rate-limit counters share the same Redis connection.
+   * @param {RateLimitConfig} config - The per-route rate limit configuration
+   * @returns {express.RequestHandler} Express middleware for rate limiting
+   * @private
+   */
+  private createRouteRateLimitMiddleware(config: RateLimitConfig): express.RequestHandler {
+    // Resolve keyGenerator string shorthands to concrete functions.
+    let keyGenerator: GlobalRateLimitConfig['keyGenerator']
+    if (config.keyGenerator === 'ip') {
+      keyGenerator = (req: express.Request) => req.ip || req.socket.remoteAddress || 'unknown'
+    } else if (config.keyGenerator === 'userId') {
+      keyGenerator = (req: express.Request) => {
+        const authHeader = req.headers['authorization']
+        if (authHeader?.startsWith('Bearer ')) {
+          const parts = authHeader.slice(7).split('.')
+          if (parts.length === 3) {
+            try {
+              const payload = JSON.parse(Buffer.from(parts[1], 'base64url').toString('utf8'))
+              const userId = payload.sub || payload.id || payload.userId
+              if (userId) return String(userId)
+            } catch {
+              // malformed token — fall through to IP
+            }
+          }
+        }
+        return req.ip || req.socket.remoteAddress || 'unknown'
+      }
+    } else {
+      keyGenerator = config.keyGenerator
+    }
+
+    // Inherit the global Redis store (if configured) so per-route limiters
+    // share the same connection; distinguish them with a unique key prefix.
+    const globalRl = this.config.rateLimit
+    const globalConfig: GlobalRateLimitConfig = {
+      windowMs: config.windowMs,
+      limit: config.limit,
+      keyGenerator,
+      skip: config.skip,
+      store: globalRl?.store,
+      redis: globalRl?.redis
+        ? {
+            client: globalRl.redis.client,
+            prefix: `${globalRl.redis.prefix || 'wapi:rl:'}route:`,
+          }
+        : undefined,
+    }
+
+    return this.createRateLimitMiddleware(globalConfig)
+  }
+
   /**
    * Creates rate limiting middleware based on the provided configuration.
    * @param {GlobalRateLimitConfig} config - The rate limit configuration
@@ -211,13 +301,25 @@ export default class Proxy {
       keyGenerator:
         config.keyGenerator ||
         ((req: express.Request) => {
-          // Use IP address from proxy-aware sources
-          return (
-            (req.ip as string) ||
-            (req.headers['x-forwarded-for'] as string)?.split(',')[0]?.trim() ||
-            req.socket.remoteAddress ||
-            'unknown'
-          )
+          // For authenticated requests, use the stable user ID from the JWT
+          // payload so that multiple users behind the same IP are bucketed
+          // independently and token rotation doesn't change a user's bucket.
+          const authHeader = req.headers['authorization']
+          if (authHeader?.startsWith('Bearer ')) {
+            const parts = authHeader.slice(7).split('.')
+            if (parts.length === 3) {
+              try {
+                const payload = JSON.parse(Buffer.from(parts[1], 'base64url').toString('utf8'))
+                const userId = payload.sub || payload.id || payload.userId
+                if (userId) return String(userId)
+              } catch {
+                // malformed token — fall through to IP
+              }
+            }
+          }
+          // Unauthenticated: fall back to real client IP.
+          // trust proxy is set so req.ip reflects x-forwarded-for correctly.
+          return req.ip || req.socket.remoteAddress || 'unknown'
         }),
 
       // Custom handler when rate limit is exceeded

package/tests/Server/lib/container/RateLimit.test.ts

@@ -3,9 +3,10 @@ import { APIGatewayProxyEvent, Context } from 'aws-lambda'
 import { expect as c_expect } from 'chai'
 import request from 'supertest'
 
+import { HttpMethod } from '../../../../src/API/Request.js'
 import Globals from '../../../../src/Globals.js'
 import Proxy from '../../../../src/Server/lib/container/Proxy.js'
-import { GlobalRateLimitConfig } from '../../../../src/Server/Router.js'
+import { GlobalRateLimitConfig, RateLimitConfig } from '../../../../src/Server/Router.js'
 import { defaultUrl } from '../../../Test.utils.js'
 
 describe('Rate Limiting', () => {
@@ -548,24 +549,19 @@ describe('Rate Limiting', () => {
 
     await proxy.load()
 
-    // Test with x-forwarded-for header (covers line 197-198)
-    const res1 = await request(url)
-      .get('/test')
-      .set('x-forwarded-for', '10.0.0.1, 10.0.0.2')
-      .expect(200)
+    // With trust proxy=1, req.ip is the rightmost entry of x-forwarded-for.
+    // Two requests with the same rightmost IP share a bucket.
+    const res1 = await request(url).get('/test').set('x-forwarded-for', '10.0.0.1').expect(200)
     c_expect(res1.body).to.deep.equal({ success: true })
 
-    // Second request from same IP should be rate limited
-    const res2 = await request(url)
-      .get('/test')
-      .set('x-forwarded-for', '10.0.0.1, 10.0.0.3')
-      .expect(429)
+    // Second request from same IP (same rightmost x-forwarded-for) should be rate limited
+    const res2 = await request(url).get('/test').set('x-forwarded-for', '10.0.0.1').expect(429)
     c_expect(res2.body).to.have.property('error', 'rate_limit_exceeded')
 
     // Wait for window to reset
     await new Promise(resolve => setTimeout(resolve, 1100))
 
-    // Different IP should work (covers the split and trim logic)
+    // Different IP should have its own clean bucket
     const res3 = await request(url).get('/test').set('x-forwarded-for', '10.0.0.99').expect(200)
     c_expect(res3.body).to.deep.equal({ success: true })
   }, 10000)
@@ -701,6 +697,277 @@ describe('Rate Limiting', () => {
     // Verify proxy is running
     c_expect(proxy).to.exist
   })
+
+  test('Rate limit default keyGenerator - same bearer token shares a bucket', async () => {
+    const port = 57017
+    const url = defaultUrl.replace(String(Globals.Listener_HTTP_DefaultPort), String(port))
+
+    // Build a fake but structurally-valid JWT for user1
+    const makeJwt = (sub: string) => {
+      const header = Buffer.from(JSON.stringify({ alg: 'HS256', typ: 'JWT' })).toString('base64url')
+      const payload = Buffer.from(JSON.stringify({ sub })).toString('base64url')
+      return `${header}.${payload}.fakesignature`
+    }
+
+    const rateLimitConfig: GlobalRateLimitConfig = {
+      enabled: true,
+      windowMs: 1000,
+      limit: 2,
+      // NO custom keyGenerator - should default to bearer token extraction
+    }
+
+    proxy = new Proxy(
+      {
+        routes: [],
+        port,
+        rateLimit: rateLimitConfig,
+      },
+      async (event: APIGatewayProxyEvent, context: Context) => {
+        context.succeed({
+          body: JSON.stringify({ success: true }),
+          statusCode: 200,
+        })
+      }
+    )
+
+    await proxy.load()
+
+    const token = makeJwt('user1')
+
+    // First 2 requests with same token should succeed
+    await request(url).get('/test').set('Authorization', `Bearer ${token}`).expect(200)
+    await request(url).get('/test').set('Authorization', `Bearer ${token}`).expect(200)
+
+    // 3rd request from same user (same token sub) should be rate limited
+    const rateLimitedRes = await request(url)
+      .get('/test')
+      .set('Authorization', `Bearer ${token}`)
+      .expect(429)
+    c_expect(rateLimitedRes.body).to.have.property('error', 'rate_limit_exceeded')
+  }, 10000)
+
+  test('Rate limit default keyGenerator - different users have separate buckets', async () => {
+    const port = 57018
+    const url = defaultUrl.replace(String(Globals.Listener_HTTP_DefaultPort), String(port))
+
+    const makeJwt = (sub: string) => {
+      const header = Buffer.from(JSON.stringify({ alg: 'HS256', typ: 'JWT' })).toString('base64url')
+      const payload = Buffer.from(JSON.stringify({ sub })).toString('base64url')
+      return `${header}.${payload}.fakesignature`
+    }
+
+    const rateLimitConfig: GlobalRateLimitConfig = {
+      enabled: true,
+      windowMs: 1000,
+      limit: 2,
+    }
+
+    proxy = new Proxy(
+      {
+        routes: [],
+        port,
+        rateLimit: rateLimitConfig,
+      },
+      async (event: APIGatewayProxyEvent, context: Context) => {
+        context.succeed({
+          body: JSON.stringify({ success: true }),
+          statusCode: 200,
+        })
+      }
+    )
+
+    await proxy.load()
+
+    const user1Token = makeJwt('user1')
+    const user2Token = makeJwt('user2')
+
+    // User 1 exhausts their bucket
+    await request(url).get('/test').set('Authorization', `Bearer ${user1Token}`).expect(200)
+    await request(url).get('/test').set('Authorization', `Bearer ${user1Token}`).expect(200)
+    await request(url).get('/test').set('Authorization', `Bearer ${user1Token}`).expect(429)
+
+    // User 2 has their own independent bucket — should still be allowed
+    const user2Res = await request(url)
+      .get('/test')
+      .set('Authorization', `Bearer ${user2Token}`)
+      .expect(200)
+    c_expect(user2Res.body).to.deep.equal({ success: true })
+  }, 10000)
+
+  test('Rate limit default keyGenerator - unauthenticated requests fall back to IP', async () => {
+    const port = 57019
+    const url = defaultUrl.replace(String(Globals.Listener_HTTP_DefaultPort), String(port))
+
+    const rateLimitConfig: GlobalRateLimitConfig = {
+      enabled: true,
+      windowMs: 1000,
+      limit: 2,
+    }
+
+    proxy = new Proxy(
+      {
+        routes: [],
+        port,
+        rateLimit: rateLimitConfig,
+      },
+      async (event: APIGatewayProxyEvent, context: Context) => {
+        context.succeed({
+          body: JSON.stringify({ success: true }),
+          statusCode: 200,
+        })
+      }
+    )
+
+    await proxy.load()
+
+    // Requests with no Authorization header are bucketed by IP (all from ::1 in tests)
+    await request(url).get('/test').expect(200)
+    await request(url).get('/test').expect(200)
+
+    // Same IP, 3rd request exceeds the limit
+    const rateLimitedRes = await request(url).get('/test').expect(429)
+    c_expect(rateLimitedRes.body).to.have.property('error', 'rate_limit_exceeded')
+  }, 10000)
+})
+
+describe('Per-route rate limiting', () => {
+  // @ts-ignore
+  let mockExit = jest.spyOn(process, 'exit').mockImplementation(() => {})
+  let proxy: Proxy | null = null
+
+  beforeAll(() => {
+    // @ts-ignore
+    mockExit = jest.spyOn(process, 'exit').mockImplementation(() => {})
+  })
+
+  afterAll(() => {
+    mockExit.mockRestore()
+  })
+
+  beforeEach(() => {
+    mockExit.mockReset()
+  })
+
+  afterEach(async () => {
+    if (proxy) {
+      await proxy.unload()
+      proxy = null
+    }
+    await new Promise(resolve => setTimeout(resolve, 100))
+  })
+
+  test('Per-route rate limit is applied independently of global', async () => {
+    const port = 57020
+    const url = defaultUrl.replace(String(Globals.Listener_HTTP_DefaultPort), String(port))
+
+    const routeRateLimit: RateLimitConfig = { limit: 2, windowMs: 1000 }
+
+    proxy = new Proxy(
+      {
+        routes: [
+          {
+            path: '/api/limited',
+            method: HttpMethod.GET,
+            rateLimit: routeRateLimit,
+            handler: async () => ({}) as any,
+          },
+        ],
+        port,
+        // No global rate limit — only per-route
+      },
+      async (event: APIGatewayProxyEvent, context: Context) => {
+        context.succeed({ body: JSON.stringify({ success: true }), statusCode: 200 })
+      }
+    )
+
+    await proxy.load()
+
+    // First 2 requests succeed
+    await request(url).get('/api/limited').expect(200)
+    await request(url).get('/api/limited').expect(200)
+
+    // 3rd request is blocked by the per-route rate limit
+    const res = await request(url).get('/api/limited').expect(429)
+    c_expect(res.body).to.have.property('error', 'rate_limit_exceeded')
+
+    // Wait for the window to reset and verify recovery
+    await new Promise(resolve => setTimeout(resolve, 1100))
+    await request(url).get('/api/limited').expect(200)
+  }, 10000)
+
+  test('rateLimit: false exempts a route from the global rate limit', async () => {
+    const port = 57021
+    const url = defaultUrl.replace(String(Globals.Listener_HTTP_DefaultPort), String(port))
+
+    proxy = new Proxy(
+      {
+        routes: [
+          {
+            path: '/api/exempt',
+            method: HttpMethod.GET,
+            rateLimit: false,
+            handler: async () => ({}) as any,
+          },
+        ],
+        port,
+        rateLimit: { enabled: true, limit: 2, windowMs: 5000 },
+      },
+      async (event: APIGatewayProxyEvent, context: Context) => {
+        context.succeed({ body: JSON.stringify({ success: true }), statusCode: 200 })
+      }
+    )
+
+    await proxy.load()
+
+    // Global limit is 2, but /api/exempt bypasses it — all 5 requests should succeed
+    for (let i = 0; i < 5; i++) {
+      const res = await request(url).get('/api/exempt').expect(200)
+      c_expect(res.body).to.deep.equal({ success: true })
+    }
+
+    // A non-exempt path still hits the global limit
+    await request(url).get('/other-path').expect(200)
+    await request(url).get('/other-path').expect(200)
+    await request(url).get('/other-path').expect(429)
+  }, 10000)
+
+  test('Per-route and global limits operate independently', async () => {
+    const port = 57022
+    const url = defaultUrl.replace(String(Globals.Listener_HTTP_DefaultPort), String(port))
+
+    proxy = new Proxy(
+      {
+        routes: [
+          {
+            path: '/api/strict',
+            method: HttpMethod.GET,
+            rateLimit: { limit: 2, windowMs: 5000 },
+            handler: async () => ({}) as any,
+          },
+        ],
+        port,
+        rateLimit: { enabled: true, limit: 5, windowMs: 5000 },
+      },
+      async (event: APIGatewayProxyEvent, context: Context) => {
+        context.succeed({ body: JSON.stringify({ success: true }), statusCode: 200 })
+      }
+    )
+
+    await proxy.load()
+
+    // /api/strict has a tighter per-route limit (2); hits 429 on 3rd request
+    await request(url).get('/api/strict').expect(200)
+    await request(url).get('/api/strict').expect(200)
+    await request(url).get('/api/strict').expect(429)
+
+    // /api/strict requests do NOT consume global tokens — /other-path still has its full budget
+    for (let i = 0; i < 5; i++) {
+      const res = await request(url).get('/other-path').expect(200)
+      c_expect(res.body).to.deep.equal({ success: true })
+    }
+    // 6th request to /other-path exhausts the global limit
+    await request(url).get('/other-path').expect(429)
+  }, 15000)
 })
 
 export {}