@dismissible/nestjs-rate-limiter-hook 2.0.2-alpha.f50def9.0

package/README.md

@@ -0,0 +1,187 @@
+<p align="center">
+  <a href="https://dismissible.io" target="_blank"><img src="https://raw.githubusercontent.com/DismissibleIo/dismissible-api/main/docs/images/dismissible_logo.png" width="120" alt="Dismissible" /></a>
+</p>
+
+<p align="center">Never Show The Same Thing Twice!</p>
+<p align="center">
+  <a href="https://www.npmjs.com/package/@dismissible/nestjs-rate-limiter-hook" target="_blank"><img src="https://img.shields.io/npm/v/@dismissible/nestjs-rate-limiter-hook.svg" alt="NPM Version" /></a>
+  <a href="https://github.com/dismissibleio/dismissible-api/blob/main/LICENSE" target="_blank"><img src="https://img.shields.io/npm/l/@dismissible/nestjs-rate-limiter-hook.svg" alt="Package License" /></a>
+  <a href="https://www.npmjs.com/package/@dismissible/nestjs-rate-limiter-hook" target="_blank"><img src="https://img.shields.io/npm/dm/@dismissible/nestjs-rate-limiter-hook.svg" alt="NPM Downloads" /></a>
+  <a href="https://github.com/dismissibleio/dismissible-api" target="_blank"><img alt="GitHub Actions Workflow Status" src="https://img.shields.io/github/actions/workflow/status/dismissibleio/dismissible-api/release.yml"></a>
+  <a href="https://paypal.me/joshstuartx" target="_blank"><img src="https://img.shields.io/badge/Donate-PayPal-ff3f59.svg"/></a>
+</p>
+
+Dismissible manages the state of your UI elements across sessions, so your users see what matters, once! No more onboarding messages reappearing on every tab, no more notifications haunting users across devices. Dismissible syncs dismissal state everywhere, so every message is intentional, never repetitive.
+
+# @dismissible/nestjs-rate-limiter-hook
+
+Rate limiting hook for Dismissible applications using in-memory rate limiting.
+
+## Overview
+
+This library provides a lifecycle hook that integrates with the `@dismissible/nestjs-core` module to rate limit requests. It uses the `rate-limiter-flexible` library for efficient in-memory rate limiting.
+
+## Installation
+
+```bash
+npm install @dismissible/nestjs-rate-limiter-hook
+```
+
+## Usage
+
+### Basic Setup
+
+```typescript
+import { Module } from '@nestjs/common';
+import { DismissibleModule } from '@dismissible/nestjs-core';
+import { RateLimiterHookModule, RateLimiterHook } from '@dismissible/nestjs-rate-limiter-hook';
+
+@Module({
+  imports: [
+    // Configure the rate limiter hook module
+    RateLimiterHookModule.forRoot({
+      enabled: true,
+      points: 10, // 10 requests
+      duration: 1, // per 1 second
+      keyType: ['ip'], // rate limit by IP address
+    }),
+
+    // Pass the hook to the DismissibleModule
+    DismissibleModule.forRoot({
+      hooks: [RateLimiterHook],
+      // ... other options
+    }),
+  ],
+})
+export class AppModule {}
+```
+
+### Async Configuration
+
+When configuration values come from environment variables or other async sources:
+
+```typescript
+import { Module } from '@nestjs/common';
+import { ConfigService } from '@nestjs/config';
+import { DismissibleModule } from '@dismissible/nestjs-core';
+import { RateLimiterHookModule, RateLimiterHook } from '@dismissible/nestjs-rate-limiter-hook';
+
+@Module({
+  imports: [
+    RateLimiterHookModule.forRootAsync({
+      useFactory: (configService: ConfigService) => ({
+        enabled: configService.get('RATE_LIMITER_ENABLED', true),
+        points: configService.get('RATE_LIMITER_POINTS', 10),
+        duration: configService.get('RATE_LIMITER_DURATION', 1),
+        keyType: configService.get('RATE_LIMITER_KEY_TYPE', 'ip').split(','),
+      }),
+      inject: [ConfigService],
+    }),
+
+    DismissibleModule.forRoot({
+      hooks: [RateLimiterHook],
+    }),
+  ],
+})
+export class AppModule {}
+```
+
+## Configuration Options
+
+| Option          | Type                 | Required | Default | Description                                                            |
+| --------------- | -------------------- | -------- | ------- | ---------------------------------------------------------------------- |
+| `enabled`       | `boolean`            | Yes      | -       | Whether rate limiting is enabled                                       |
+| `points`        | `number`             | Yes\*    | -       | Number of requests allowed per duration                                |
+| `duration`      | `number`             | Yes\*    | -       | Time window in seconds                                                 |
+| `blockDuration` | `number`             | No       | -       | Duration in seconds to block requests after limit is exceeded          |
+| `keyType`       | `RateLimitKeyType[]` | Yes\*    | -       | Key source(s) for rate limiting: `ip`, `origin`, `referrer`            |
+| `keyMode`       | `RateLimitKeyMode`   | No       | `and`   | Mode for combining key types: `and`, `or`, `any`                       |
+| `priority`      | `number`             | No       | `-50`   | Hook priority (lower numbers run first, runs after auth hooks at -100) |
+
+\* Required when `enabled` is `true`.
+
+### Key Types
+
+- **`ip`**: Rate limit by IP address (extracted from `x-forwarded-for` or `x-real-ip` headers)
+- **`origin`**: Rate limit by Origin header (useful for CORS scenarios)
+- **`referrer`**: Rate limit by Referer header
+
+### Key Modes
+
+When multiple key types are specified, the `keyMode` determines how they are combined:
+
+- **`and`** (default): Combine all key types into a single key. For example, `keyType: ['ip', 'origin']` creates keys like `192.168.1.1:example.com`. All requests from the same IP+Origin combination share the same rate limit bucket.
+
+- **`or`**: Use the first available key type as a fallback chain. For example, with `keyType: ['ip', 'origin', 'referrer']`:
+  - If IP is available, use IP
+  - If IP is not available but Origin is, use Origin
+  - If neither IP nor Origin is available, use Referrer
+  - Useful when you want to rate limit by the most reliable identifier available
+
+- **`any`**: Check all key types independently - the request is blocked if ANY key type exceeds the limit. Each key type gets its own rate limit bucket. For example, with `keyType: ['ip', 'origin']`:
+  - Keys are prefixed: `ip:192.168.1.1` and `origin:example.com`
+  - Both buckets are checked
+  - Request is blocked if either bucket is exhausted
+  - This is the strictest mode
+
+## Environment Variables
+
+When using the Dismissible API Docker image or the standalone API, these environment variables configure rate limiting:
+
+| Variable                                  | Description                                   | Default |
+| ----------------------------------------- | --------------------------------------------- | ------- |
+| `DISMISSIBLE_RATE_LIMITER_ENABLED`        | Enable rate limiting                          | `false` |
+| `DISMISSIBLE_RATE_LIMITER_POINTS`         | Number of requests allowed per duration       | `10`    |
+| `DISMISSIBLE_RATE_LIMITER_DURATION`       | Time window in seconds                        | `1`     |
+| `DISMISSIBLE_RATE_LIMITER_BLOCK_DURATION` | Block duration after limit exceeded (seconds) | -       |
+| `DISMISSIBLE_RATE_LIMITER_KEY_TYPE`       | Key type(s) (comma-separated)                 | `ip`    |
+| `DISMISSIBLE_RATE_LIMITER_KEY_MODE`       | Key combination mode: `and`, `or`, `any`      | `and`   |
+| `DISMISSIBLE_RATE_LIMITER_PRIORITY`       | Hook priority (lower runs first)              | `-50`   |
+
+### Example: Enabling Rate Limiting
+
+```bash
+docker run -p 3001:3001 \
+  -e DISMISSIBLE_RATE_LIMITER_ENABLED=true \
+  -e DISMISSIBLE_RATE_LIMITER_POINTS=100 \
+  -e DISMISSIBLE_RATE_LIMITER_DURATION=60 \
+  -e DISMISSIBLE_RATE_LIMITER_KEY_TYPE="ip,origin" \
+  -e DISMISSIBLE_RATE_LIMITER_KEY_MODE="or" \
+  -e DISMISSIBLE_STORAGE_POSTGRES_CONNECTION_STRING="postgresql://..." \
+  dismissibleio/dismissible-api:latest
+```
+
+This configuration allows 100 requests per minute, rate limiting by IP if available, otherwise by Origin (using OR mode).
+
+## How It Works
+
+1. **Key Generation**: For each request, the hook generates rate limit key(s) based on the configured key types and mode:
+   - **AND mode**: Creates a single combined key (e.g., `192.168.1.1:example.com`)
+   - **OR mode**: Uses the first available key type from the list
+   - **ANY mode**: Creates separate keys for each key type (e.g., `ip:192.168.1.1`, `origin:example.com`)
+
+2. **Rate Limit Check**: The key(s) are checked against the rate limiter. Each request consumes one "point" from the available pool(s).
+
+3. **Request Handling**:
+   - If points remain (for all keys in ANY mode): The request proceeds
+   - If limit exceeded: The request is blocked with a `429 Too Many Requests` response
+
+4. **Window Reset**: After the `duration` period, the points reset. If `blockDuration` is configured, blocked clients must wait for that duration before being allowed again.
+
+## Error Responses
+
+When rate limit is exceeded, the hook throws a `TooManyRequestsException`:
+
+```json
+{
+  "statusCode": 429,
+  "message": "Rate limit exceeded. Please try again later.",
+  "error": "Too Many Requests"
+}
+```
+
+The exception includes a `retryAfter` property indicating how many seconds until the rate limit resets.
+
+## License
+
+MIT

package/package.json

@@ -0,0 +1,68 @@
+{
+  "name": "@dismissible/nestjs-rate-limiter-hook",
+  "version": "2.0.2-alpha.f50def9.0",
+  "description": "Rate limiting hook for Dismissible applications using in-memory rate limiting",
+  "main": "./src/index.js",
+  "types": "./src/index.d.ts",
+  "exports": {
+    ".": {
+      "import": "./src/index.mjs",
+      "require": "./src/index.js",
+      "types": "./src/index.d.ts"
+    }
+  },
+  "files": [
+    "src",
+    "README.md",
+    "LICENSE.md"
+  ],
+  "dependencies": {
+    "@dismissible/nestjs-hooks": "2.0.2-alpha.f50def9.0",
+    "@dismissible/nestjs-request": "2.0.2-alpha.f50def9.0",
+    "@dismissible/nestjs-logger": "2.0.2-alpha.f50def9.0",
+    "@dismissible/nestjs-validation": "2.0.2-alpha.f50def9.0",
+    "rate-limiter-flexible": "5.0.4"
+  },
+  "peerDependencies": {
+    "@nestjs/common": "10.0.0 || ^11.0.0",
+    "@nestjs/core": "10.0.0 || ^11.0.0",
+    "class-validator": "0.14.3",
+    "class-transformer": "0.5.1",
+    "rxjs": "7.8.2"
+  },
+  "peerDependenciesMeta": {
+    "@nestjs/common": {
+      "optional": false
+    },
+    "@nestjs/core": {
+      "optional": false
+    },
+    "class-validator": {
+      "optional": false
+    },
+    "class-transformer": {
+      "optional": false
+    },
+    "rxjs": {
+      "optional": false
+    }
+  },
+  "keywords": [
+    "nestjs",
+    "rate-limiting",
+    "rate-limiter",
+    "throttle",
+    "dismissible",
+    "hook"
+  ],
+  "author": "",
+  "license": "MIT",
+  "repository": {
+    "type": "git",
+    "url": "https://github.com/DismissibleIo/dismissible-api"
+  },
+  "publishConfig": {
+    "access": "public"
+  },
+  "type": "commonjs"
+}

package/src/index.d.ts

@@ -0,0 +1,4 @@
+export * from './rate-limiter-hook.config';
+export * from './rate-limiter-hook.module';
+export * from './rate-limiter.hook';
+export * from './rate-limiter.service';

package/src/index.js

@@ -0,0 +1,8 @@
+"use strict";
+Object.defineProperty(exports, "__esModule", { value: true });
+const tslib_1 = require("tslib");
+tslib_1.__exportStar(require("./rate-limiter-hook.config"), exports);
+tslib_1.__exportStar(require("./rate-limiter-hook.module"), exports);
+tslib_1.__exportStar(require("./rate-limiter.hook"), exports);
+tslib_1.__exportStar(require("./rate-limiter.service"), exports);
+//# sourceMappingURL=index.js.map

package/src/index.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"index.js","sourceRoot":"","sources":["../../../../libs/rate-limiter-hook/src/index.ts"],"names":[],"mappings":";;;AAAA,qEAA2C;AAC3C,qEAA2C;AAC3C,8DAAoC;AACpC,iEAAuC"}

package/src/rate-limiter-hook.config.d.ts

@@ -0,0 +1,79 @@
+/**
+ * Injection token for rate limiter hook configuration.
+ */
+export declare const DISMISSIBLE_RATE_LIMITER_HOOK_CONFIG: unique symbol;
+/**
+ * Key type for rate limiting - determines how requests are grouped.
+ */
+export declare enum RateLimitKeyType {
+    /** Rate limit by IP address (from x-forwarded-for or connection IP) */
+    IP = "ip",
+    /** Rate limit by Origin header */
+    ORIGIN = "origin",
+    /** Rate limit by Referer header */
+    REFERRER = "referrer"
+}
+/**
+ * Mode for combining multiple key types.
+ */
+export declare enum RateLimitKeyMode {
+    /** Combine all key types into a single key (e.g., "ip:origin") */
+    AND = "and",
+    /** Use the first available key type as a fallback chain */
+    OR = "or",
+    /** Check all key types independently - blocked if ANY limit exceeded */
+    ANY = "any"
+}
+/**
+ * Configuration options for rate limiter hook.
+ */
+export declare class RateLimiterHookConfig {
+    readonly enabled: boolean;
+    /**
+     * Number of requests allowed per duration.
+     * Defaults to 10.
+     */
+    readonly points: number;
+    /**
+     * Time window in seconds.
+     * Defaults to 1 second.
+     */
+    readonly duration: number;
+    /**
+     * Optional: Duration in seconds to block requests after limit is exceeded.
+     * If not set, requests are allowed again after the duration window resets.
+     */
+    readonly blockDuration?: number;
+    /**
+     * Key type(s) for rate limiting.
+     * Can be a comma-separated string or array of key types.
+     * How multiple types are combined depends on the keyMode setting.
+     * Defaults to ['ip'].
+     */
+    readonly keyType: RateLimitKeyType[];
+    /**
+     * Mode for combining key types when multiple are specified.
+     * - 'and': Combine all into single key (default) - e.g., "192.168.1.1:example.com"
+     * - 'or': Use first available key type (fallback chain)
+     * - 'any': Check each independently (strictest - blocked if ANY exceeds limit)
+     * Defaults to 'and'.
+     */
+    readonly keyMode?: RateLimitKeyMode;
+    /**
+     * Optional: Hook priority (lower numbers run first).
+     * Defaults to -50 (runs after authentication hooks).
+     */
+    readonly priority?: number;
+    /**
+     * Optional: Keys that should bypass rate limiting.
+     * Can be a comma-separated string or array of strings.
+     * Matching is exact (after normalization to lowercase + trim):
+     * - IPs are matched exactly (e.g., "192.168.8.1")
+     * - Origins/referrers are matched by exact hostname when the header is a valid URL
+     *   (e.g., "https://google.com/search" matches ignored key "google.com")
+     * - You may also whitelist an exact raw Origin/Referer value by providing the full string
+     *   (e.g., "https://example.com:8443")
+     * @example ['google.com', '192.168.8.1', 'https://example.com:8443']
+     */
+    readonly ignoredKeys?: string[];
+}

package/src/rate-limiter-hook.config.js

@@ -0,0 +1,90 @@
+"use strict";
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.RateLimiterHookConfig = exports.RateLimitKeyMode = exports.RateLimitKeyType = exports.DISMISSIBLE_RATE_LIMITER_HOOK_CONFIG = void 0;
+const tslib_1 = require("tslib");
+const class_validator_1 = require("class-validator");
+const class_transformer_1 = require("class-transformer");
+const nestjs_validation_1 = require("@dismissible/nestjs-validation");
+/**
+ * Injection token for rate limiter hook configuration.
+ */
+exports.DISMISSIBLE_RATE_LIMITER_HOOK_CONFIG = Symbol('DISMISSIBLE_RATE_LIMITER_HOOK_CONFIG');
+/**
+ * Key type for rate limiting - determines how requests are grouped.
+ */
+var RateLimitKeyType;
+(function (RateLimitKeyType) {
+    /** Rate limit by IP address (from x-forwarded-for or connection IP) */
+    RateLimitKeyType["IP"] = "ip";
+    /** Rate limit by Origin header */
+    RateLimitKeyType["ORIGIN"] = "origin";
+    /** Rate limit by Referer header */
+    RateLimitKeyType["REFERRER"] = "referrer";
+})(RateLimitKeyType || (exports.RateLimitKeyType = RateLimitKeyType = {}));
+/**
+ * Mode for combining multiple key types.
+ */
+var RateLimitKeyMode;
+(function (RateLimitKeyMode) {
+    /** Combine all key types into a single key (e.g., "ip:origin") */
+    RateLimitKeyMode["AND"] = "and";
+    /** Use the first available key type as a fallback chain */
+    RateLimitKeyMode["OR"] = "or";
+    /** Check all key types independently - blocked if ANY limit exceeded */
+    RateLimitKeyMode["ANY"] = "any";
+})(RateLimitKeyMode || (exports.RateLimitKeyMode = RateLimitKeyMode = {}));
+/**
+ * Configuration options for rate limiter hook.
+ */
+class RateLimiterHookConfig {
+}
+exports.RateLimiterHookConfig = RateLimiterHookConfig;
+tslib_1.__decorate([
+    (0, class_validator_1.IsBoolean)(),
+    (0, nestjs_validation_1.TransformBoolean)(),
+    tslib_1.__metadata("design:type", Boolean)
+], RateLimiterHookConfig.prototype, "enabled", void 0);
+tslib_1.__decorate([
+    (0, class_validator_1.ValidateIf)((o) => o.enabled === true),
+    (0, class_validator_1.IsNumber)(),
+    (0, class_transformer_1.Type)(() => Number),
+    tslib_1.__metadata("design:type", Number)
+], RateLimiterHookConfig.prototype, "points", void 0);
+tslib_1.__decorate([
+    (0, class_validator_1.ValidateIf)((o) => o.enabled === true),
+    (0, class_validator_1.IsNumber)(),
+    (0, class_transformer_1.Type)(() => Number),
+    tslib_1.__metadata("design:type", Number)
+], RateLimiterHookConfig.prototype, "duration", void 0);
+tslib_1.__decorate([
+    (0, class_validator_1.IsOptional)(),
+    (0, class_validator_1.IsNumber)(),
+    (0, class_transformer_1.Type)(() => Number),
+    tslib_1.__metadata("design:type", Number)
+], RateLimiterHookConfig.prototype, "blockDuration", void 0);
+tslib_1.__decorate([
+    (0, class_validator_1.ValidateIf)((o) => o.enabled === true),
+    (0, class_validator_1.IsArray)(),
+    (0, class_validator_1.IsEnum)(RateLimitKeyType, { each: true }),
+    (0, nestjs_validation_1.TransformCommaSeparated)(),
+    tslib_1.__metadata("design:type", Array)
+], RateLimiterHookConfig.prototype, "keyType", void 0);
+tslib_1.__decorate([
+    (0, class_validator_1.IsOptional)(),
+    (0, class_validator_1.IsEnum)(RateLimitKeyMode),
+    tslib_1.__metadata("design:type", String)
+], RateLimiterHookConfig.prototype, "keyMode", void 0);
+tslib_1.__decorate([
+    (0, class_validator_1.IsOptional)(),
+    (0, class_validator_1.IsNumber)(),
+    (0, class_transformer_1.Type)(() => Number),
+    tslib_1.__metadata("design:type", Number)
+], RateLimiterHookConfig.prototype, "priority", void 0);
+tslib_1.__decorate([
+    (0, class_validator_1.IsOptional)(),
+    (0, class_validator_1.IsArray)(),
+    (0, class_validator_1.IsString)({ each: true }),
+    (0, nestjs_validation_1.TransformCommaSeparated)(),
+    tslib_1.__metadata("design:type", Array)
+], RateLimiterHookConfig.prototype, "ignoredKeys", void 0);
+//# sourceMappingURL=rate-limiter-hook.config.js.map

package/src/rate-limiter-hook.config.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"rate-limiter-hook.config.js","sourceRoot":"","sources":["../../../../libs/rate-limiter-hook/src/rate-limiter-hook.config.ts"],"names":[],"mappings":";;;;AAAA,qDAQyB;AACzB,yDAAyC;AACzC,sEAA2F;AAE3F;;GAEG;AACU,QAAA,oCAAoC,GAAG,MAAM,CAAC,sCAAsC,CAAC,CAAC;AAEnG;;GAEG;AACH,IAAY,gBAOX;AAPD,WAAY,gBAAgB;IAC1B,uEAAuE;IACvE,6BAAS,CAAA;IACT,kCAAkC;IAClC,qCAAiB,CAAA;IACjB,mCAAmC;IACnC,yCAAqB,CAAA;AACvB,CAAC,EAPW,gBAAgB,gCAAhB,gBAAgB,QAO3B;AAED;;GAEG;AACH,IAAY,gBAOX;AAPD,WAAY,gBAAgB;IAC1B,kEAAkE;IAClE,+BAAW,CAAA;IACX,2DAA2D;IAC3D,6BAAS,CAAA;IACT,wEAAwE;IACxE,+BAAW,CAAA;AACb,CAAC,EAPW,gBAAgB,gCAAhB,gBAAgB,QAO3B;AAED;;GAEG;AACH,MAAa,qBAAqB;CAgFjC;AAhFD,sDAgFC;AA7EiB;IAFf,IAAA,2BAAS,GAAE;IACX,IAAA,oCAAgB,GAAE;;sDACe;AASlB;IAHf,IAAA,4BAAU,EAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,OAAO,KAAK,IAAI,CAAC;IACrC,IAAA,0BAAQ,GAAE;IACV,IAAA,wBAAI,EAAC,GAAG,EAAE,CAAC,MAAM,CAAC;;qDACa;AAShB;IAHf,IAAA,4BAAU,EAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,OAAO,KAAK,IAAI,CAAC;IACrC,IAAA,0BAAQ,GAAE;IACV,IAAA,wBAAI,EAAC,GAAG,EAAE,CAAC,MAAM,CAAC;;uDACe;AASlB;IAHf,IAAA,4BAAU,GAAE;IACZ,IAAA,0BAAQ,GAAE;IACV,IAAA,wBAAI,EAAC,GAAG,EAAE,CAAC,MAAM,CAAC;;4DACoB;AAYvB;IAJf,IAAA,4BAAU,EAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,OAAO,KAAK,IAAI,CAAC;IACrC,IAAA,yBAAO,GAAE;IACT,IAAA,wBAAM,EAAC,gBAAgB,EAAE,EAAE,IAAI,EAAE,IAAI,EAAE,CAAC;IACxC,IAAA,2CAAuB,GAAE;;sDACmB;AAW7B;IAFf,IAAA,4BAAU,GAAE;IACZ,IAAA,wBAAM,EAAC,gBAAgB,CAAC;;sDACkB;AAS3B;IAHf,IAAA,4BAAU,GAAE;IACZ,IAAA,0BAAQ,GAAE;IACV,IAAA,wBAAI,EAAC,GAAG,EAAE,CAAC,MAAM,CAAC;;uDACe;AAiBlB;IAJf,IAAA,4BAAU,GAAE;IACZ,IAAA,yBAAO,GAAE;IACT,IAAA,0BAAQ,EAAC,EAAE,IAAI,EAAE,IAAI,EAAE,CAAC;IACxB,IAAA,2CAAuB,GAAE;;0DACa"}

package/src/rate-limiter-hook.module.d.ts

@@ -0,0 +1,42 @@
+import { DynamicModule, InjectionToken } from '@nestjs/common';
+import { RateLimiterHookConfig } from './rate-limiter-hook.config';
+/**
+ * Async module options for rate limiter hook.
+ */
+export interface IRateLimiterHookModuleAsyncOptions {
+    useFactory: (...args: unknown[]) => RateLimiterHookConfig | Promise<RateLimiterHookConfig>;
+    inject?: InjectionToken[];
+}
+/**
+ * Module that provides rate limiting hook for Dismissible.
+ *
+ * @example
+ * ```typescript
+ * import { DismissibleModule } from '@dismissible/nestjs-core';
+ * import { RateLimiterHookModule, RateLimiterHook } from '@dismissible/nestjs-rate-limiter-hook';
+ *
+ * @Module({
+ *   imports: [
+ *     RateLimiterHookModule.forRoot({
+ *       enabled: true,
+ *       points: 10,
+ *       duration: 1,
+ *       keyType: ['ip'],
+ *     }),
+ *     DismissibleModule.forRoot({
+ *       hooks: [RateLimiterHook],
+ *       // ... other options
+ *     }),
+ *   ],
+ * })
+ * export class AppModule {}
+ * ```
+ */
+export declare class RateLimiterHookModule {
+    static forRoot(config: RateLimiterHookConfig): DynamicModule;
+    /**
+     * Create module with async configuration.
+     * Useful when config values come from environment or other async sources.
+     */
+    static forRootAsync(options: IRateLimiterHookModuleAsyncOptions): DynamicModule;
+}

package/src/rate-limiter-hook.module.js

@@ -0,0 +1,76 @@
+"use strict";
+var RateLimiterHookModule_1;
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.RateLimiterHookModule = void 0;
+const tslib_1 = require("tslib");
+const common_1 = require("@nestjs/common");
+const rate_limiter_hook_1 = require("./rate-limiter.hook");
+const rate_limiter_service_1 = require("./rate-limiter.service");
+const rate_limiter_hook_config_1 = require("./rate-limiter-hook.config");
+/**
+ * Module that provides rate limiting hook for Dismissible.
+ *
+ * @example
+ * ```typescript
+ * import { DismissibleModule } from '@dismissible/nestjs-core';
+ * import { RateLimiterHookModule, RateLimiterHook } from '@dismissible/nestjs-rate-limiter-hook';
+ *
+ * @Module({
+ *   imports: [
+ *     RateLimiterHookModule.forRoot({
+ *       enabled: true,
+ *       points: 10,
+ *       duration: 1,
+ *       keyType: ['ip'],
+ *     }),
+ *     DismissibleModule.forRoot({
+ *       hooks: [RateLimiterHook],
+ *       // ... other options
+ *     }),
+ *   ],
+ * })
+ * export class AppModule {}
+ * ```
+ */
+let RateLimiterHookModule = RateLimiterHookModule_1 = class RateLimiterHookModule {
+    static forRoot(config) {
+        return {
+            module: RateLimiterHookModule_1,
+            providers: [
+                {
+                    provide: rate_limiter_hook_config_1.DISMISSIBLE_RATE_LIMITER_HOOK_CONFIG,
+                    useValue: config,
+                },
+                rate_limiter_service_1.RateLimiterService,
+                rate_limiter_hook_1.RateLimiterHook,
+            ],
+            exports: [rate_limiter_hook_1.RateLimiterHook, rate_limiter_service_1.RateLimiterService, rate_limiter_hook_config_1.DISMISSIBLE_RATE_LIMITER_HOOK_CONFIG],
+            global: true,
+        };
+    }
+    /**
+     * Create module with async configuration.
+     * Useful when config values come from environment or other async sources.
+     */
+    static forRootAsync(options) {
+        return {
+            module: RateLimiterHookModule_1,
+            providers: [
+                {
+                    provide: rate_limiter_hook_config_1.DISMISSIBLE_RATE_LIMITER_HOOK_CONFIG,
+                    useFactory: options.useFactory,
+                    inject: options.inject ?? [],
+                },
+                rate_limiter_service_1.RateLimiterService,
+                rate_limiter_hook_1.RateLimiterHook,
+            ],
+            exports: [rate_limiter_hook_1.RateLimiterHook, rate_limiter_service_1.RateLimiterService, rate_limiter_hook_config_1.DISMISSIBLE_RATE_LIMITER_HOOK_CONFIG],
+            global: true,
+        };
+    }
+};
+exports.RateLimiterHookModule = RateLimiterHookModule;
+exports.RateLimiterHookModule = RateLimiterHookModule = RateLimiterHookModule_1 = tslib_1.__decorate([
+    (0, common_1.Module)({})
+], RateLimiterHookModule);
+//# sourceMappingURL=rate-limiter-hook.module.js.map

package/src/rate-limiter-hook.module.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"rate-limiter-hook.module.js","sourceRoot":"","sources":["../../../../libs/rate-limiter-hook/src/rate-limiter-hook.module.ts"],"names":[],"mappings":";;;;;AAAA,2CAAuE;AACvE,2DAAsD;AACtD,iEAA4D;AAC5D,yEAGoC;AAUpC;;;;;;;;;;;;;;;;;;;;;;;;GAwBG;AAEI,IAAM,qBAAqB,6BAA3B,MAAM,qBAAqB;IAChC,MAAM,CAAC,OAAO,CAAC,MAA6B;QAC1C,OAAO;YACL,MAAM,EAAE,uBAAqB;YAC7B,SAAS,EAAE;gBACT;oBACE,OAAO,EAAE,+DAAoC;oBAC7C,QAAQ,EAAE,MAAM;iBACjB;gBACD,yCAAkB;gBAClB,mCAAe;aAChB;YACD,OAAO,EAAE,CAAC,mCAAe,EAAE,yCAAkB,EAAE,+DAAoC,CAAC;YACpF,MAAM,EAAE,IAAI;SACb,CAAC;IACJ,CAAC;IAED;;;OAGG;IACH,MAAM,CAAC,YAAY,CAAC,OAA2C;QAC7D,OAAO;YACL,MAAM,EAAE,uBAAqB;YAC7B,SAAS,EAAE;gBACT;oBACE,OAAO,EAAE,+DAAoC;oBAC7C,UAAU,EAAE,OAAO,CAAC,UAAU;oBAC9B,MAAM,EAAE,OAAO,CAAC,MAAM,IAAI,EAAE;iBAC7B;gBACD,yCAAkB;gBAClB,mCAAe;aAChB;YACD,OAAO,EAAE,CAAC,mCAAe,EAAE,yCAAkB,EAAE,+DAAoC,CAAC;YACpF,MAAM,EAAE,IAAI;SACb,CAAC;IACJ,CAAC;CACF,CAAA;AArCY,sDAAqB;gCAArB,qBAAqB;IADjC,IAAA,eAAM,EAAC,EAAE,CAAC;GACE,qBAAqB,CAqCjC"}

package/src/rate-limiter.hook.d.ts

@@ -0,0 +1,29 @@
+import { IDismissibleLifecycleHook, IHookResult } from '@dismissible/nestjs-hooks';
+import { IRequestContext } from '@dismissible/nestjs-request';
+import { IDismissibleLogger } from '@dismissible/nestjs-logger';
+import { RateLimiterService } from './rate-limiter.service';
+import { RateLimiterHookConfig } from './rate-limiter-hook.config';
+/**
+ * Custom error for rate limiting that includes retry information.
+ */
+export declare class TooManyRequestsException extends Error {
+    readonly statusCode = 429;
+    readonly retryAfter?: number;
+    constructor(message: string, retryAfterMs?: number);
+}
+/**
+ * Rate limiter hook that limits requests based on configured key types.
+ * This hook runs during the pre-request phase and rejects requests that exceed the rate limit.
+ */
+export declare class RateLimiterHook implements IDismissibleLifecycleHook {
+    private readonly rateLimiterService;
+    private readonly config;
+    private readonly logger;
+    readonly priority: number;
+    constructor(rateLimiterService: RateLimiterService, config: RateLimiterHookConfig, logger: IDismissibleLogger);
+    /**
+     * Check rate limit before processing the request.
+     * Runs before any dismissible operation.
+     */
+    onBeforeRequest(itemId: string, userId: string, context?: IRequestContext): Promise<IHookResult>;
+}

package/src/rate-limiter.hook.js

@@ -0,0 +1,90 @@
+"use strict";
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.RateLimiterHook = exports.TooManyRequestsException = void 0;
+const tslib_1 = require("tslib");
+const common_1 = require("@nestjs/common");
+const nestjs_logger_1 = require("@dismissible/nestjs-logger");
+const rate_limiter_service_1 = require("./rate-limiter.service");
+const rate_limiter_hook_config_1 = require("./rate-limiter-hook.config");
+/**
+ * Custom error for rate limiting that includes retry information.
+ */
+class TooManyRequestsException extends Error {
+    constructor(message, retryAfterMs) {
+        super(message);
+        this.statusCode = 429;
+        this.name = 'TooManyRequestsException';
+        if (retryAfterMs) {
+            // Convert milliseconds to seconds for Retry-After header
+            this.retryAfter = Math.ceil(retryAfterMs / 1000);
+        }
+    }
+}
+exports.TooManyRequestsException = TooManyRequestsException;
+/**
+ * Rate limiter hook that limits requests based on configured key types.
+ * This hook runs during the pre-request phase and rejects requests that exceed the rate limit.
+ */
+let RateLimiterHook = class RateLimiterHook {
+    constructor(rateLimiterService, config, logger) {
+        this.rateLimiterService = rateLimiterService;
+        this.config = config;
+        this.logger = logger;
+        this.priority = config.priority ?? -101;
+    }
+    /**
+     * Check rate limit before processing the request.
+     * Runs before any dismissible operation.
+     */
+    async onBeforeRequest(itemId, userId, context) {
+        if (!this.config.enabled) {
+            return { proceed: true };
+        }
+        // Check if request should be ignored (whitelisted)
+        if (this.rateLimiterService.isIgnored(context)) {
+            this.logger.debug('Rate limit bypassed (ignored key)', {
+                itemId,
+                userId,
+                requestId: context?.requestId,
+            });
+            return { proceed: true };
+        }
+        const keys = this.rateLimiterService.generateKeys(context);
+        this.logger.debug('Checking rate limit', {
+            itemId,
+            userId,
+            keys,
+            requestId: context?.requestId,
+        });
+        const result = await this.rateLimiterService.consumeAll(keys);
+        if (!result.allowed) {
+            this.logger.debug('Rate limit exceeded', {
+                itemId,
+                userId,
+                keys,
+                requestId: context?.requestId,
+                msBeforeNext: result.msBeforeNext,
+            });
+            throw new TooManyRequestsException('Rate limit exceeded. Please try again later.', result.msBeforeNext);
+        }
+        this.logger.debug('Request allowed', {
+            itemId,
+            userId,
+            keys,
+            requestId: context?.requestId,
+            remainingPoints: result.remainingPoints,
+        });
+        return {
+            proceed: true,
+        };
+    }
+};
+exports.RateLimiterHook = RateLimiterHook;
+exports.RateLimiterHook = RateLimiterHook = tslib_1.__decorate([
+    (0, common_1.Injectable)(),
+    tslib_1.__param(1, (0, common_1.Inject)(rate_limiter_hook_config_1.DISMISSIBLE_RATE_LIMITER_HOOK_CONFIG)),
+    tslib_1.__param(2, (0, common_1.Inject)(nestjs_logger_1.DISMISSIBLE_LOGGER)),
+    tslib_1.__metadata("design:paramtypes", [rate_limiter_service_1.RateLimiterService,
+        rate_limiter_hook_config_1.RateLimiterHookConfig, Object])
+], RateLimiterHook);
+//# sourceMappingURL=rate-limiter.hook.js.map

package/src/rate-limiter.hook.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"rate-limiter.hook.js","sourceRoot":"","sources":["../../../../libs/rate-limiter-hook/src/rate-limiter.hook.ts"],"names":[],"mappings":";;;;AAAA,2CAAoD;AAGpD,8DAAoF;AACpF,iEAA4D;AAC5D,yEAGoC;AAEpC;;GAEG;AACH,MAAa,wBAAyB,SAAQ,KAAK;IAIjD,YAAY,OAAe,EAAE,YAAqB;QAChD,KAAK,CAAC,OAAO,CAAC,CAAC;QAJR,eAAU,GAAG,GAAG,CAAC;QAKxB,IAAI,CAAC,IAAI,GAAG,0BAA0B,CAAC;QACvC,IAAI,YAAY,EAAE,CAAC;YACjB,yDAAyD;YACzD,IAAI,CAAC,UAAU,GAAG,IAAI,CAAC,IAAI,CAAC,YAAY,GAAG,IAAI,CAAC,CAAC;QACnD,CAAC;IACH,CAAC;CACF;AAZD,4DAYC;AAED;;;GAGG;AAEI,IAAM,eAAe,GAArB,MAAM,eAAe;IAG1B,YACmB,kBAAsC,EAEtC,MAA6B,EAE7B,MAA0B;QAJ1B,uBAAkB,GAAlB,kBAAkB,CAAoB;QAEtC,WAAM,GAAN,MAAM,CAAuB;QAE7B,WAAM,GAAN,MAAM,CAAoB;QAE3C,IAAI,CAAC,QAAQ,GAAG,MAAM,CAAC,QAAQ,IAAI,CAAC,GAAG,CAAC;IAC1C,CAAC;IAED;;;OAGG;IACH,KAAK,CAAC,eAAe,CACnB,MAAc,EACd,MAAc,EACd,OAAyB;QAEzB,IAAI,CAAC,IAAI,CAAC,MAAM,CAAC,OAAO,EAAE,CAAC;YACzB,OAAO,EAAE,OAAO,EAAE,IAAI,EAAE,CAAC;QAC3B,CAAC;QAED,mDAAmD;QACnD,IAAI,IAAI,CAAC,kBAAkB,CAAC,SAAS,CAAC,OAAO,CAAC,EAAE,CAAC;YAC/C,IAAI,CAAC,MAAM,CAAC,KAAK,CAAC,mCAAmC,EAAE;gBACrD,MAAM;gBACN,MAAM;gBACN,SAAS,EAAE,OAAO,EAAE,SAAS;aAC9B,CAAC,CAAC;YACH,OAAO,EAAE,OAAO,EAAE,IAAI,EAAE,CAAC;QAC3B,CAAC;QAED,MAAM,IAAI,GAAG,IAAI,CAAC,kBAAkB,CAAC,YAAY,CAAC,OAAO,CAAC,CAAC;QAE3D,IAAI,CAAC,MAAM,CAAC,KAAK,CAAC,qBAAqB,EAAE;YACvC,MAAM;YACN,MAAM;YACN,IAAI;YACJ,SAAS,EAAE,OAAO,EAAE,SAAS;SAC9B,CAAC,CAAC;QAEH,MAAM,MAAM,GAAG,MAAM,IAAI,CAAC,kBAAkB,CAAC,UAAU,CAAC,IAAI,CAAC,CAAC;QAE9D,IAAI,CAAC,MAAM,CAAC,OAAO,EAAE,CAAC;YACpB,IAAI,CAAC,MAAM,CAAC,KAAK,CAAC,qBAAqB,EAAE;gBACvC,MAAM;gBACN,MAAM;gBACN,IAAI;gBACJ,SAAS,EAAE,OAAO,EAAE,SAAS;gBAC7B,YAAY,EAAE,MAAM,CAAC,YAAY;aAClC,CAAC,CAAC;YAEH,MAAM,IAAI,wBAAwB,CAChC,8CAA8C,EAC9C,MAAM,CAAC,YAAY,CACpB,CAAC;QACJ,CAAC;QAED,IAAI,CAAC,MAAM,CAAC,KAAK,CAAC,iBAAiB,EAAE;YACnC,MAAM;YACN,MAAM;YACN,IAAI;YACJ,SAAS,EAAE,OAAO,EAAE,SAAS;YAC7B,eAAe,EAAE,MAAM,CAAC,eAAe;SACxC,CAAC,CAAC;QAEH,OAAO;YACL,OAAO,EAAE,IAAI;SACd,CAAC;IACJ,CAAC;CACF,CAAA;AA1EY,0CAAe;0BAAf,eAAe;IAD3B,IAAA,mBAAU,GAAE;IAMR,mBAAA,IAAA,eAAM,EAAC,+DAAoC,CAAC,CAAA;IAE5C,mBAAA,IAAA,eAAM,EAAC,kCAAkB,CAAC,CAAA;6CAHU,yCAAkB;QAE9B,gDAAqB;GANrC,eAAe,CA0E3B"}

package/src/rate-limiter.service.d.ts

@@ -0,0 +1,89 @@
+import { IRequestContext } from '@dismissible/nestjs-request';
+import { IDismissibleLogger } from '@dismissible/nestjs-logger';
+import { RateLimiterHookConfig } from './rate-limiter-hook.config';
+/**
+ * Result of a rate limit check.
+ */
+export interface IRateLimitResult {
+    /** Whether the request is allowed */
+    allowed: boolean;
+    /** Remaining points in the current window */
+    remainingPoints?: number;
+    /** Milliseconds until the rate limit resets */
+    msBeforeNext?: number;
+    /** Error message if rate limited */
+    error?: string;
+}
+/**
+ * Service that handles rate limiting logic using rate-limiter-flexible.
+ */
+export declare class RateLimiterService {
+    private readonly config;
+    private readonly logger;
+    private readonly rateLimiter;
+    private readonly ignoredKeysSet;
+    constructor(config: RateLimiterHookConfig, logger: IDismissibleLogger);
+    private normalizeIgnoredKey;
+    private tryGetHostname;
+    /**
+     * Generate rate limit key(s) based on the configured mode.
+     * Returns an array of keys to check.
+     */
+    generateKeys(context?: IRequestContext): string[];
+    /**
+     * AND mode: Combine all key types into a single key.
+     * @deprecated Use generateKeys() instead
+     */
+    generateKey(context?: IRequestContext): string;
+    /**
+     * AND mode: Combine all key types into a single key.
+     */
+    private generateAndKey;
+    /**
+     * OR mode: Use the first available key type (fallback chain).
+     */
+    private generateOrKey;
+    /**
+     * ANY mode: Return all available keys separately.
+     * Each key type gets its own rate limit bucket.
+     */
+    private generateAnyKeys;
+    /**
+     * Extract a key value based on the key type.
+     */
+    private extractKeyValue;
+    /**
+     * Extract IP address from headers or connection.
+     */
+    private extractIp;
+    /**
+     * Extract origin from headers.
+     */
+    private extractOrigin;
+    /**
+     * Extract referrer from headers.
+     */
+    private extractReferrer;
+    /**
+     * Extract all raw key values from the request context.
+     * Used for checking against ignored keys list.
+     */
+    extractRawKeyValues(context?: IRequestContext): string[];
+    /**
+     * Check if any of the raw key values should be ignored.
+     * Uses exact matching:
+     * - IPs are matched exactly
+     * - Origins/referrers are matched by exact hostname (when parsable as a URL),
+     *   and also by exact raw value (to allow whitelisting full origins/URLs).
+     */
+    isIgnored(context?: IRequestContext): boolean;
+    /**
+     * Check if a request should be rate limited.
+     */
+    consume(key: string): Promise<IRateLimitResult>;
+    /**
+     * Check rate limit for all provided keys.
+     * In ANY mode, blocks if ANY key exceeds the limit.
+     */
+    consumeAll(keys: string[]): Promise<IRateLimitResult>;
+}

package/src/rate-limiter.service.js

@@ -0,0 +1,280 @@
+"use strict";
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.RateLimiterService = void 0;
+const tslib_1 = require("tslib");
+const common_1 = require("@nestjs/common");
+const rate_limiter_flexible_1 = require("rate-limiter-flexible");
+const nestjs_logger_1 = require("@dismissible/nestjs-logger");
+const rate_limiter_hook_config_1 = require("./rate-limiter-hook.config");
+/**
+ * Service that handles rate limiting logic using rate-limiter-flexible.
+ */
+let RateLimiterService = class RateLimiterService {
+    constructor(config, logger) {
+        this.config = config;
+        this.logger = logger;
+        this.rateLimiter = new rate_limiter_flexible_1.RateLimiterMemory({
+            points: config.points,
+            duration: config.duration,
+            blockDuration: config.blockDuration,
+        });
+        this.logger.debug('Rate limiter: Initialized', {
+            points: config.points,
+            duration: config.duration,
+            blockDuration: config.blockDuration,
+        });
+        this.ignoredKeysSet = new Set((config.ignoredKeys ?? [])
+            .map((k) => this.normalizeIgnoredKey(k))
+            .filter((k) => Boolean(k)));
+    }
+    normalizeIgnoredKey(key) {
+        const normalized = key.trim().toLowerCase();
+        return normalized.length > 0 ? normalized : undefined;
+    }
+    tryGetHostname(value) {
+        try {
+            return new URL(value).hostname.toLowerCase();
+        }
+        catch {
+            return undefined;
+        }
+    }
+    /**
+     * Generate rate limit key(s) based on the configured mode.
+     * Returns an array of keys to check.
+     */
+    generateKeys(context) {
+        const mode = this.config.keyMode ?? rate_limiter_hook_config_1.RateLimitKeyMode.AND;
+        switch (mode) {
+            case rate_limiter_hook_config_1.RateLimitKeyMode.OR:
+                return this.generateOrKey(context);
+            case rate_limiter_hook_config_1.RateLimitKeyMode.ANY:
+                return this.generateAnyKeys(context);
+            case rate_limiter_hook_config_1.RateLimitKeyMode.AND:
+            default:
+                return [this.generateAndKey(context)];
+        }
+    }
+    /**
+     * AND mode: Combine all key types into a single key.
+     * @deprecated Use generateKeys() instead
+     */
+    generateKey(context) {
+        return this.generateAndKey(context);
+    }
+    /**
+     * AND mode: Combine all key types into a single key.
+     */
+    generateAndKey(context) {
+        const keyParts = [];
+        for (const keyType of this.config.keyType) {
+            const value = this.extractKeyValue(keyType, context);
+            if (value) {
+                keyParts.push(value);
+            }
+        }
+        // If no key parts could be extracted, use a fallback
+        if (keyParts.length === 0) {
+            return 'unknown';
+        }
+        return keyParts.join(':');
+    }
+    /**
+     * OR mode: Use the first available key type (fallback chain).
+     */
+    generateOrKey(context) {
+        for (const keyType of this.config.keyType) {
+            const value = this.extractKeyValue(keyType, context);
+            if (value) {
+                return [value];
+            }
+        }
+        return ['unknown'];
+    }
+    /**
+     * ANY mode: Return all available keys separately.
+     * Each key type gets its own rate limit bucket.
+     */
+    generateAnyKeys(context) {
+        const keys = [];
+        for (const keyType of this.config.keyType) {
+            const value = this.extractKeyValue(keyType, context);
+            if (value) {
+                // Prefix with key type to avoid collisions between different key types
+                keys.push(`${keyType}:${value}`);
+            }
+        }
+        if (keys.length === 0) {
+            return ['unknown'];
+        }
+        return keys;
+    }
+    /**
+     * Extract a key value based on the key type.
+     */
+    extractKeyValue(keyType, context) {
+        if (!context?.headers) {
+            return undefined;
+        }
+        switch (keyType) {
+            case rate_limiter_hook_config_1.RateLimitKeyType.IP:
+                return this.extractIp(context);
+            case rate_limiter_hook_config_1.RateLimitKeyType.ORIGIN:
+                return this.extractOrigin(context);
+            case rate_limiter_hook_config_1.RateLimitKeyType.REFERRER:
+                return this.extractReferrer(context);
+            default:
+                return undefined;
+        }
+    }
+    /**
+     * Extract IP address from headers or connection.
+     */
+    extractIp(context) {
+        // Check x-forwarded-for header first (for proxied requests)
+        const forwardedFor = context.headers['x-forwarded-for'];
+        if (forwardedFor) {
+            // x-forwarded-for can be a comma-separated list; take the first IP
+            const firstIp = forwardedFor.split(',')[0]?.trim();
+            if (firstIp) {
+                return firstIp;
+            }
+        }
+        // Fall back to x-real-ip
+        const realIp = context.headers['x-real-ip'];
+        if (realIp) {
+            return realIp;
+        }
+        // Could also check context for direct IP if available
+        return undefined;
+    }
+    /**
+     * Extract origin from headers.
+     */
+    extractOrigin(context) {
+        return context.headers['origin'];
+    }
+    /**
+     * Extract referrer from headers.
+     */
+    extractReferrer(context) {
+        // Note: The header is spelled "referer" (historical misspelling)
+        return context.headers['referer'];
+    }
+    /**
+     * Extract all raw key values from the request context.
+     * Used for checking against ignored keys list.
+     */
+    extractRawKeyValues(context) {
+        const values = [];
+        for (const keyType of this.config.keyType) {
+            const value = this.extractKeyValue(keyType, context);
+            if (value) {
+                values.push(value);
+            }
+        }
+        return values;
+    }
+    /**
+     * Check if any of the raw key values should be ignored.
+     * Uses exact matching:
+     * - IPs are matched exactly
+     * - Origins/referrers are matched by exact hostname (when parsable as a URL),
+     *   and also by exact raw value (to allow whitelisting full origins/URLs).
+     */
+    isIgnored(context) {
+        if (this.ignoredKeysSet.size === 0) {
+            return false;
+        }
+        const rawValues = this.extractRawKeyValues(context);
+        for (const rawValue of rawValues) {
+            const normalizedRaw = rawValue.trim().toLowerCase();
+            if (this.ignoredKeysSet.has(normalizedRaw)) {
+                this.logger.debug('Rate limiter: Key ignored (exact)', {
+                    rawValue,
+                    matchedValue: normalizedRaw,
+                });
+                return true;
+            }
+            const hostname = this.tryGetHostname(rawValue);
+            if (hostname && this.ignoredKeysSet.has(hostname)) {
+                this.logger.debug('Rate limiter: Key ignored (hostname)', {
+                    rawValue,
+                    matchedValue: hostname,
+                });
+                return true;
+            }
+        }
+        return false;
+    }
+    /**
+     * Check if a request should be rate limited.
+     */
+    async consume(key) {
+        try {
+            const result = await this.rateLimiter.consume(key);
+            this.logger.debug('Rate limiter: Request allowed', {
+                key,
+                remainingPoints: result.remainingPoints,
+                msBeforeNext: result.msBeforeNext,
+            });
+            return {
+                allowed: true,
+                remainingPoints: result.remainingPoints,
+                msBeforeNext: result.msBeforeNext,
+            };
+        }
+        catch (error) {
+            if (error instanceof rate_limiter_flexible_1.RateLimiterRes) {
+                this.logger.debug('Rate limiter: Request blocked', {
+                    key,
+                    remainingPoints: error.remainingPoints,
+                    msBeforeNext: error.msBeforeNext,
+                });
+                return {
+                    allowed: false,
+                    remainingPoints: error.remainingPoints,
+                    msBeforeNext: error.msBeforeNext,
+                    error: 'Too many requests',
+                };
+            }
+            // Unexpected error - log and allow the request to proceed
+            const errorMessage = error instanceof Error ? error.message : String(error);
+            this.logger.error('Rate limiter: Unexpected error', error instanceof Error ? error : new Error(errorMessage), { key });
+            return {
+                allowed: true,
+                error: 'Rate limiter error',
+            };
+        }
+    }
+    /**
+     * Check rate limit for all provided keys.
+     * In ANY mode, blocks if ANY key exceeds the limit.
+     */
+    async consumeAll(keys) {
+        const results = [];
+        for (const key of keys) {
+            const result = await this.consume(key);
+            results.push(result);
+            // If any key is blocked, return immediately
+            if (!result.allowed) {
+                return result;
+            }
+        }
+        // All keys allowed - return the result with the lowest remaining points
+        const minRemaining = results.reduce((min, r) => Math.min(min, r.remainingPoints ?? Infinity), Infinity);
+        return {
+            allowed: true,
+            remainingPoints: minRemaining === Infinity ? undefined : minRemaining,
+            msBeforeNext: results[0]?.msBeforeNext,
+        };
+    }
+};
+exports.RateLimiterService = RateLimiterService;
+exports.RateLimiterService = RateLimiterService = tslib_1.__decorate([
+    (0, common_1.Injectable)(),
+    tslib_1.__param(0, (0, common_1.Inject)(rate_limiter_hook_config_1.DISMISSIBLE_RATE_LIMITER_HOOK_CONFIG)),
+    tslib_1.__param(1, (0, common_1.Inject)(nestjs_logger_1.DISMISSIBLE_LOGGER)),
+    tslib_1.__metadata("design:paramtypes", [rate_limiter_hook_config_1.RateLimiterHookConfig, Object])
+], RateLimiterService);
+//# sourceMappingURL=rate-limiter.service.js.map

package/src/rate-limiter.service.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"rate-limiter.service.js","sourceRoot":"","sources":["../../../../libs/rate-limiter-hook/src/rate-limiter.service.ts"],"names":[],"mappings":";;;;AAAA,2CAAoD;AACpD,iEAA0E;AAE1E,8DAAoF;AACpF,yEAKoC;AAgBpC;;GAEG;AAEI,IAAM,kBAAkB,GAAxB,MAAM,kBAAkB;IAI7B,YAEmB,MAA6B,EAE7B,MAA0B;QAF1B,WAAM,GAAN,MAAM,CAAuB;QAE7B,WAAM,GAAN,MAAM,CAAoB;QAE3C,IAAI,CAAC,WAAW,GAAG,IAAI,yCAAiB,CAAC;YACvC,MAAM,EAAE,MAAM,CAAC,MAAM;YACrB,QAAQ,EAAE,MAAM,CAAC,QAAQ;YACzB,aAAa,EAAE,MAAM,CAAC,aAAa;SACpC,CAAC,CAAC;QAEH,IAAI,CAAC,MAAM,CAAC,KAAK,CAAC,2BAA2B,EAAE;YAC7C,MAAM,EAAE,MAAM,CAAC,MAAM;YACrB,QAAQ,EAAE,MAAM,CAAC,QAAQ;YACzB,aAAa,EAAE,MAAM,CAAC,aAAa;SACpC,CAAC,CAAC;QAEH,IAAI,CAAC,cAAc,GAAG,IAAI,GAAG,CAC3B,CAAC,MAAM,CAAC,WAAW,IAAI,EAAE,CAAC;aACvB,GAAG,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,IAAI,CAAC,mBAAmB,CAAC,CAAC,CAAC,CAAC;aACvC,MAAM,CAAC,CAAC,CAAC,EAAe,EAAE,CAAC,OAAO,CAAC,CAAC,CAAC,CAAC,CAC1C,CAAC;IACJ,CAAC;IAEO,mBAAmB,CAAC,GAAW;QACrC,MAAM,UAAU,GAAG,GAAG,CAAC,IAAI,EAAE,CAAC,WAAW,EAAE,CAAC;QAC5C,OAAO,UAAU,CAAC,MAAM,GAAG,CAAC,CAAC,CAAC,CAAC,UAAU,CAAC,CAAC,CAAC,SAAS,CAAC;IACxD,CAAC;IAEO,cAAc,CAAC,KAAa;QAClC,IAAI,CAAC;YACH,OAAO,IAAI,GAAG,CAAC,KAAK,CAAC,CAAC,QAAQ,CAAC,WAAW,EAAE,CAAC;QAC/C,CAAC;QAAC,MAAM,CAAC;YACP,OAAO,SAAS,CAAC;QACnB,CAAC;IACH,CAAC;IAED;;;OAGG;IACH,YAAY,CAAC,OAAyB;QACpC,MAAM,IAAI,GAAG,IAAI,CAAC,MAAM,CAAC,OAAO,IAAI,2CAAgB,CAAC,GAAG,CAAC;QAEzD,QAAQ,IAAI,EAAE,CAAC;YACb,KAAK,2CAAgB,CAAC,EAAE;gBACtB,OAAO,IAAI,CAAC,aAAa,CAAC,OAAO,CAAC,CAAC;YACrC,KAAK,2CAAgB,CAAC,GAAG;gBACvB,OAAO,IAAI,CAAC,eAAe,CAAC,OAAO,CAAC,CAAC;YACvC,KAAK,2CAAgB,CAAC,GAAG,CAAC;YAC1B;gBACE,OAAO,CAAC,IAAI,CAAC,cAAc,CAAC,OAAO,CAAC,CAAC,CAAC;QAC1C,CAAC;IACH,CAAC;IAED;;;OAGG;IACH,WAAW,CAAC,OAAyB;QACnC,OAAO,IAAI,CAAC,cAAc,CAAC,OAAO,CAAC,CAAC;IACtC,CAAC;IAED;;OAEG;IACK,cAAc,CAAC,OAAyB;QAC9C,MAAM,QAAQ,GAAa,EAAE,CAAC;QAE9B,KAAK,MAAM,OAAO,IAAI,IAAI,CAAC,MAAM,CAAC,OAAO,EAAE,CAAC;YAC1C,MAAM,KAAK,GAAG,IAAI,CAAC,eAAe,CAAC,OAAO,EAAE,OAAO,CAAC,CAAC;YACrD,IAAI,KAAK,EAAE,CAAC;gBACV,QAAQ,CAAC,IAAI,CAAC,KAAK,CAAC,CAAC;YACvB,CAAC;QACH,CAAC;QAED,qDAAqD;QACrD,IAAI,QAAQ,CAAC,MAAM,KAAK,CAAC,EAAE,CAAC;YAC1B,OAAO,SAAS,CAAC;QACnB,CAAC;QAED,OAAO,QAAQ,CAAC,IAAI,CAAC,GAAG,CAAC,CAAC;IAC5B,CAAC;IAED;;OAEG;IACK,aAAa,CAAC,OAAyB;QAC7C,KAAK,MAAM,OAAO,IAAI,IAAI,CAAC,MAAM,CAAC,OAAO,EAAE,CAAC;YAC1C,MAAM,KAAK,GAAG,IAAI,CAAC,eAAe,CAAC,OAAO,EAAE,OAAO,CAAC,CAAC;YACrD,IAAI,KAAK,EAAE,CAAC;gBACV,OAAO,CAAC,KAAK,CAAC,CAAC;YACjB,CAAC;QACH,CAAC;QAED,OAAO,CAAC,SAAS,CAAC,CAAC;IACrB,CAAC;IAED;;;OAGG;IACK,eAAe,CAAC,OAAyB;QAC/C,MAAM,IAAI,GAAa,EAAE,CAAC;QAE1B,KAAK,MAAM,OAAO,IAAI,IAAI,CAAC,MAAM,CAAC,OAAO,EAAE,CAAC;YAC1C,MAAM,KAAK,GAAG,IAAI,CAAC,eAAe,CAAC,OAAO,EAAE,OAAO,CAAC,CAAC;YACrD,IAAI,KAAK,EAAE,CAAC;gBACV,uEAAuE;gBACvE,IAAI,CAAC,IAAI,CAAC,GAAG,OAAO,IAAI,KAAK,EAAE,CAAC,CAAC;YACnC,CAAC;QACH,CAAC;QAED,IAAI,IAAI,CAAC,MAAM,KAAK,CAAC,EAAE,CAAC;YACtB,OAAO,CAAC,SAAS,CAAC,CAAC;QACrB,CAAC;QAED,OAAO,IAAI,CAAC;IACd,CAAC;IAED;;OAEG;IACK,eAAe,CACrB,OAAyB,EACzB,OAAyB;QAEzB,IAAI,CAAC,OAAO,EAAE,OAAO,EAAE,CAAC;YACtB,OAAO,SAAS,CAAC;QACnB,CAAC;QAED,QAAQ,OAAO,EAAE,CAAC;YAChB,KAAK,2CAAgB,CAAC,EAAE;gBACtB,OAAO,IAAI,CAAC,SAAS,CAAC,OAAO,CAAC,CAAC;YACjC,KAAK,2CAAgB,CAAC,MAAM;gBAC1B,OAAO,IAAI,CAAC,aAAa,CAAC,OAAO,CAAC,CAAC;YACrC,KAAK,2CAAgB,CAAC,QAAQ;gBAC5B,OAAO,IAAI,CAAC,eAAe,CAAC,OAAO,CAAC,CAAC;YACvC;gBACE,OAAO,SAAS,CAAC;QACrB,CAAC;IACH,CAAC;IAED;;OAEG;IACK,SAAS,CAAC,OAAwB;QACxC,4DAA4D;QAC5D,MAAM,YAAY,GAAG,OAAO,CAAC,OAAO,CAAC,iBAAiB,CAAC,CAAC;QACxD,IAAI,YAAY,EAAE,CAAC;YACjB,mEAAmE;YACnE,MAAM,OAAO,GAAG,YAAY,CAAC,KAAK,CAAC,GAAG,CAAC,CAAC,CAAC,CAAC,EAAE,IAAI,EAAE,CAAC;YACnD,IAAI,OAAO,EAAE,CAAC;gBACZ,OAAO,OAAO,CAAC;YACjB,CAAC;QACH,CAAC;QAED,yBAAyB;QACzB,MAAM,MAAM,GAAG,OAAO,CAAC,OAAO,CAAC,WAAW,CAAC,CAAC;QAC5C,IAAI,MAAM,EAAE,CAAC;YACX,OAAO,MAAM,CAAC;QAChB,CAAC;QAED,sDAAsD;QACtD,OAAO,SAAS,CAAC;IACnB,CAAC;IAED;;OAEG;IACK,aAAa,CAAC,OAAwB;QAC5C,OAAO,OAAO,CAAC,OAAO,CAAC,QAAQ,CAAC,CAAC;IACnC,CAAC;IAED;;OAEG;IACK,eAAe,CAAC,OAAwB;QAC9C,iEAAiE;QACjE,OAAO,OAAO,CAAC,OAAO,CAAC,SAAS,CAAC,CAAC;IACpC,CAAC;IAED;;;OAGG;IACH,mBAAmB,CAAC,OAAyB;QAC3C,MAAM,MAAM,GAAa,EAAE,CAAC;QAE5B,KAAK,MAAM,OAAO,IAAI,IAAI,CAAC,MAAM,CAAC,OAAO,EAAE,CAAC;YAC1C,MAAM,KAAK,GAAG,IAAI,CAAC,eAAe,CAAC,OAAO,EAAE,OAAO,CAAC,CAAC;YACrD,IAAI,KAAK,EAAE,CAAC;gBACV,MAAM,CAAC,IAAI,CAAC,KAAK,CAAC,CAAC;YACrB,CAAC;QACH,CAAC;QAED,OAAO,MAAM,CAAC;IAChB,CAAC;IAED;;;;;;OAMG;IACH,SAAS,CAAC,OAAyB;QACjC,IAAI,IAAI,CAAC,cAAc,CAAC,IAAI,KAAK,CAAC,EAAE,CAAC;YACnC,OAAO,KAAK,CAAC;QACf,CAAC;QAED,MAAM,SAAS,GAAG,IAAI,CAAC,mBAAmB,CAAC,OAAO,CAAC,CAAC;QAEpD,KAAK,MAAM,QAAQ,IAAI,SAAS,EAAE,CAAC;YACjC,MAAM,aAAa,GAAG,QAAQ,CAAC,IAAI,EAAE,CAAC,WAAW,EAAE,CAAC;YAEpD,IAAI,IAAI,CAAC,cAAc,CAAC,GAAG,CAAC,aAAa,CAAC,EAAE,CAAC;gBAC3C,IAAI,CAAC,MAAM,CAAC,KAAK,CAAC,mCAAmC,EAAE;oBACrD,QAAQ;oBACR,YAAY,EAAE,aAAa;iBAC5B,CAAC,CAAC;gBACH,OAAO,IAAI,CAAC;YACd,CAAC;YAED,MAAM,QAAQ,GAAG,IAAI,CAAC,cAAc,CAAC,QAAQ,CAAC,CAAC;YAC/C,IAAI,QAAQ,IAAI,IAAI,CAAC,cAAc,CAAC,GAAG,CAAC,QAAQ,CAAC,EAAE,CAAC;gBAClD,IAAI,CAAC,MAAM,CAAC,KAAK,CAAC,sCAAsC,EAAE;oBACxD,QAAQ;oBACR,YAAY,EAAE,QAAQ;iBACvB,CAAC,CAAC;gBACH,OAAO,IAAI,CAAC;YACd,CAAC;QACH,CAAC;QAED,OAAO,KAAK,CAAC;IACf,CAAC;IAED;;OAEG;IACH,KAAK,CAAC,OAAO,CAAC,GAAW;QACvB,IAAI,CAAC;YACH,MAAM,MAAM,GAAG,MAAM,IAAI,CAAC,WAAW,CAAC,OAAO,CAAC,GAAG,CAAC,CAAC;YAEnD,IAAI,CAAC,MAAM,CAAC,KAAK,CAAC,+BAA+B,EAAE;gBACjD,GAAG;gBACH,eAAe,EAAE,MAAM,CAAC,eAAe;gBACvC,YAAY,EAAE,MAAM,CAAC,YAAY;aAClC,CAAC,CAAC;YAEH,OAAO;gBACL,OAAO,EAAE,IAAI;gBACb,eAAe,EAAE,MAAM,CAAC,eAAe;gBACvC,YAAY,EAAE,MAAM,CAAC,YAAY;aAClC,CAAC;QACJ,CAAC;QAAC,OAAO,KAAK,EAAE,CAAC;YACf,IAAI,KAAK,YAAY,sCAAc,EAAE,CAAC;gBACpC,IAAI,CAAC,MAAM,CAAC,KAAK,CAAC,+BAA+B,EAAE;oBACjD,GAAG;oBACH,eAAe,EAAE,KAAK,CAAC,eAAe;oBACtC,YAAY,EAAE,KAAK,CAAC,YAAY;iBACjC,CAAC,CAAC;gBAEH,OAAO;oBACL,OAAO,EAAE,KAAK;oBACd,eAAe,EAAE,KAAK,CAAC,eAAe;oBACtC,YAAY,EAAE,KAAK,CAAC,YAAY;oBAChC,KAAK,EAAE,mBAAmB;iBAC3B,CAAC;YACJ,CAAC;YAED,0DAA0D;YAC1D,MAAM,YAAY,GAAG,KAAK,YAAY,KAAK,CAAC,CAAC,CAAC,KAAK,CAAC,OAAO,CAAC,CAAC,CAAC,MAAM,CAAC,KAAK,CAAC,CAAC;YAC5E,IAAI,CAAC,MAAM,CAAC,KAAK,CACf,gCAAgC,EAChC,KAAK,YAAY,KAAK,CAAC,CAAC,CAAC,KAAK,CAAC,CAAC,CAAC,IAAI,KAAK,CAAC,YAAY,CAAC,EACxD,EAAE,GAAG,EAAE,CACR,CAAC;YAEF,OAAO;gBACL,OAAO,EAAE,IAAI;gBACb,KAAK,EAAE,oBAAoB;aAC5B,CAAC;QACJ,CAAC;IACH,CAAC;IAED;;;OAGG;IACH,KAAK,CAAC,UAAU,CAAC,IAAc;QAC7B,MAAM,OAAO,GAAuB,EAAE,CAAC;QAEvC,KAAK,MAAM,GAAG,IAAI,IAAI,EAAE,CAAC;YACvB,MAAM,MAAM,GAAG,MAAM,IAAI,CAAC,OAAO,CAAC,GAAG,CAAC,CAAC;YACvC,OAAO,CAAC,IAAI,CAAC,MAAM,CAAC,CAAC;YAErB,4CAA4C;YAC5C,IAAI,CAAC,MAAM,CAAC,OAAO,EAAE,CAAC;gBACpB,OAAO,MAAM,CAAC;YAChB,CAAC;QACH,CAAC;QAED,wEAAwE;QACxE,MAAM,YAAY,GAAG,OAAO,CAAC,MAAM,CACjC,CAAC,GAAG,EAAE,CAAC,EAAE,EAAE,CAAC,IAAI,CAAC,GAAG,CAAC,GAAG,EAAE,CAAC,CAAC,eAAe,IAAI,QAAQ,CAAC,EACxD,QAAQ,CACT,CAAC;QAEF,OAAO;YACL,OAAO,EAAE,IAAI;YACb,eAAe,EAAE,YAAY,KAAK,QAAQ,CAAC,CAAC,CAAC,SAAS,CAAC,CAAC,CAAC,YAAY;YACrE,YAAY,EAAE,OAAO,CAAC,CAAC,CAAC,EAAE,YAAY;SACvC,CAAC;IACJ,CAAC;CACF,CAAA;AAhUY,gDAAkB;6BAAlB,kBAAkB;IAD9B,IAAA,mBAAU,GAAE;IAMR,mBAAA,IAAA,eAAM,EAAC,+DAAoC,CAAC,CAAA;IAE5C,mBAAA,IAAA,eAAM,EAAC,kCAAkB,CAAC,CAAA;6CADF,gDAAqB;GANrC,kBAAkB,CAgU9B"}