@futdevpro/nts-dynamo 1.15.29 → 1.15.33

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@futdevpro/nts-dynamo",
-  "version": "01.15.29",
+  "version": "01.15.33",
   "description": "Dynamic NodeTS (NodeJS-Typescript), MongoDB Backend System Framework by Future Development Program Ltd.",
   "DyBu_settings": {
     "packageType": "server-package",
@@ -190,6 +190,12 @@
       "types": "./build/_modules/oauth2/index.d.ts",
       "typings": "./build/_modules/oauth2/index.d.ts"
     },
+    "./rate-limit": {
+      "default": "./build/_modules/rate-limit/index.js",
+      "module": "./build/_modules/rate-limit/index.js",
+      "types": "./build/_modules/rate-limit/index.d.ts",
+      "typings": "./build/_modules/rate-limit/index.d.ts"
+    },
     "./server": {
       "default": "./build/_modules/server/index.js",
       "module": "./build/_modules/server/index.js",
@@ -277,6 +283,9 @@
       "oauth2": [
         "build/_modules/oauth2/index.d.ts"
       ],
+      "rate-limit": [
+        "build/_modules/rate-limit/index.d.ts"
+      ],
       "server": [
         "build/_modules/server/index.d.ts"
       ],
@@ -299,7 +308,7 @@
     "empty": ""
   },
   "peerDependencies": {
-    "@futdevpro/fsm-dynamo": "1.15.8",
+    "@futdevpro/fsm-dynamo": "1.15.13",
     "@types/express": "4.17.21",
     "@types/geoip-lite": "~1.4.1",
     "@types/node": "~24.1.0",
@@ -314,7 +323,7 @@
     "ts-node": "~10.9.2"
   },
   "devDependencies": {
-    "@futdevpro/dynamo-eslint": "1.15.7",
+    "@futdevpro/dynamo-eslint": "1.15.10",
     "@discordjs/opus": "^0.10.0",
     "@discordjs/voice": "^0.18.0",
     "@types/jasmine": "~4.3.5",

package/src/_modules/rate-limit/_models/rate-limit-config.interface.ts

@@ -0,0 +1,60 @@
+import { Request } from 'express';
+
+import { DyNTS_RateLimit_Policy } from './rate-limit-policy.interface';
+
+/**
+ * Config a `DyNTS_RateLimit_Middleware.configure(...)`-hoz.
+ *
+ * Minden mezo opcionalis — a default-ok megfelelnek a tipikus API
+ * rate-limit-elvarasoknak (100 req/min, sliding window, IP-alapu kulcs,
+ * path-alapu endpoint-csoportositas, X-RateLimit-* response header-ek).
+ */
+export interface DyNTS_RateLimit_Config {
+  /**
+   * Default request-limit `windowMs` alatt, ha az adott kulcsra nincs
+   * `setPolicyForKey()`-szel beallitott egyedi policy. Default: `100`.
+   */
+  defaultLimit?: number;
+
+  /**
+   * Default sliding-window hossza milliszekundumban. Default: `60000` (1 perc).
+   */
+  defaultWindowMs?: number;
+
+  /**
+   * Rate-limit subject-extractor. Visszater a karakterlanccal, ami azonositja
+   * a rate-limit alanyat (pl. IP-cim, API-kulcs ID, account ID).
+   *
+   * Default: a `req.headers['x-forwarded-for']` (csak az elso IP, ha lista)
+   * vagy ha hianyzik akkor `req.ip` vagy `'unknown'`. Ez webszerver elotti
+   * proxy/CDN-mentes setup-ra megfelelo; ha az nd-space mar identifikalja az
+   * API-kulcsot a `req`-ben, a host adhat sajat extractort ami a key-ID-t
+   * adja vissza.
+   */
+  keyExtractor?: (req: Request) => string;
+
+  /**
+   * Endpoint-csoportosito. Visszater a karakterlanccal, ami azonositja az
+   * adott endpoint-csoportot. A storage-key `${subject}|${endpoint}` lesz.
+   *
+   * Default: `req.path` — minden uri-path kulon vodorbe kerul. Csoportositas
+   * mas szempontok szerint (pl. "datasets" csoport = `/api/datasets/*`)
+   * a hostnal felulirhato.
+   */
+  endpointGrouper?: (req: Request) => string;
+
+  /**
+   * Beallitja-e a `X-RateLimit-Limit`, `X-RateLimit-Remaining`,
+   * `X-RateLimit-Reset` (es a 429-re `Retry-After`) response header-eket.
+   * Default: `true`.
+   *
+   * Test/dev kornyezetben opcionalisan kikapcsolhato.
+   */
+  responseHeaders?: boolean;
+
+  /**
+   * Per-policy override-ok az induloskor. A `setPolicyForKey()` runtime-ban is
+   * felulhatja ezeket.
+   */
+  initialKeyPolicies?: Record<string, DyNTS_RateLimit_Policy>;
+}

package/src/_modules/rate-limit/_models/rate-limit-policy.interface.ts

@@ -0,0 +1,16 @@
+/**
+ * Per-kulcs rate-limit policy.
+ *
+ * A `DyNTS_RateLimit_Middleware.setPolicyForKey(key, policy)` allitja be,
+ * vagy a `DyNTS_RateLimit_Config.initialKeyPolicies` map-en at.
+ *
+ * Tipikus use-case: subscription-tier-up — egy belepett user API-kulcsa
+ * magasabb `limit`-et kap, mint a default (anonim/IP-alapu) limit.
+ */
+export interface DyNTS_RateLimit_Policy {
+  /** Hany request engedelyezett a `windowMs` alatt. */
+  limit: number;
+
+  /** A sliding-window hossza milliszekundumban. */
+  windowMs: number;
+}

package/src/_modules/rate-limit/index.ts

@@ -0,0 +1,3 @@
+export { DyNTS_RateLimit_Middleware } from './rate-limit.middleware';
+export { DyNTS_RateLimit_Config } from './_models/rate-limit-config.interface';
+export { DyNTS_RateLimit_Policy } from './_models/rate-limit-policy.interface';

package/src/_modules/rate-limit/rate-limit.middleware.spec.ts

@@ -0,0 +1,211 @@
+import { Request, Response } from 'express';
+
+import { DyFM_Error } from '@futdevpro/fsm-dynamo';
+
+import { DyNTS_RateLimit_Middleware } from './rate-limit.middleware';
+
+
+/** Test-only — minimal Request mock-ot ad vissza. */
+const mockReq = (overrides: Partial<{ ip: string; path: string; headers: Record<string, string> }> = {}): Request => {
+  return {
+    ip:      overrides.ip ?? '127.0.0.1',
+    path:    overrides.path ?? '/api/test',
+    headers: overrides.headers ?? {},
+  } as unknown as Request;
+};
+
+/** Test-only — Response stub a setHeader-rel. */
+const mockRes = (): Response & { _headers: Record<string, string> } => {
+  const headers: Record<string, string> = {};
+  return {
+    _headers: headers,
+    setHeader: function(name: string, value: string): void {
+      headers[name] = value;
+    },
+  } as unknown as Response & { _headers: Record<string, string> };
+};
+
+
+describe('| DyNTS_RateLimit_Middleware', (): void => {
+  let svc: DyNTS_RateLimit_Middleware;
+
+  beforeEach((): void => {
+    svc = DyNTS_RateLimit_Middleware.getInstance();
+    svc._resetForTesting();
+  });
+
+  afterEach((): void => {
+    svc._resetForTesting();
+  });
+
+
+  describe('| singleton', (): void => {
+    it('| ugyanazt az instance-t adja vissza', (): void => {
+      const a: DyNTS_RateLimit_Middleware = DyNTS_RateLimit_Middleware.getInstance();
+      const b: DyNTS_RateLimit_Middleware = DyNTS_RateLimit_Middleware.getInstance();
+      expect(a).toBe(b);
+    });
+  });
+
+
+  describe('| check() — default limit', (): void => {
+    it('| atengedi az elso request-et', async (): Promise<void> => {
+      let thrown: any = null;
+      try { await svc.check(mockReq(), mockRes()); } catch (e) { thrown = e; }
+      expect(thrown).toBeNull();
+    });
+
+    it('| 429 amikor a limit-et eleri', async (): Promise<void> => {
+      svc.configure({ defaultLimit: 3, defaultWindowMs: 10000 });
+
+      // 3 sikeres request a limit-en belul
+      await svc.check(mockReq(), mockRes());
+      await svc.check(mockReq(), mockRes());
+      await svc.check(mockReq(), mockRes());
+
+      // 4. request: 429
+      let thrown: any = null;
+      try { await svc.check(mockReq(), mockRes()); } catch (e) { thrown = e; }
+      expect(thrown).not.toBeNull();
+      expect(DyFM_Error.getErrorStatus(thrown)).toBe(429);
+      expect(DyFM_Error.getErrorCode(thrown)).toContain('DyNTS-RL-LIMIT');
+    });
+
+    it('| kulonbozo IP-k kulon vodorbe kerulnek', async (): Promise<void> => {
+      svc.configure({ defaultLimit: 2, defaultWindowMs: 10000 });
+
+      await svc.check(mockReq({ ip: '1.1.1.1' }), mockRes());
+      await svc.check(mockReq({ ip: '1.1.1.1' }), mockRes());
+      // 1.1.1.1 most a limit-en van; 2.2.2.2 meg friss
+      let thrown: any = null;
+      try { await svc.check(mockReq({ ip: '2.2.2.2' }), mockRes()); } catch (e) { thrown = e; }
+      expect(thrown).toBeNull();
+    });
+
+    it('| kulonbozo endpoint-ok kulon vodorbe kerulnek', async (): Promise<void> => {
+      svc.configure({ defaultLimit: 2, defaultWindowMs: 10000 });
+
+      await svc.check(mockReq({ path: '/api/a' }), mockRes());
+      await svc.check(mockReq({ path: '/api/a' }), mockRes());
+      // /api/a most a limit-en van; /api/b meg friss
+      let thrown: any = null;
+      try { await svc.check(mockReq({ path: '/api/b' }), mockRes()); } catch (e) { thrown = e; }
+      expect(thrown).toBeNull();
+    });
+  });
+
+
+  describe('| response headers', (): void => {
+    it('| beallitja az X-RateLimit-* header-eket sikeres request-nel', async (): Promise<void> => {
+      svc.configure({ defaultLimit: 10, defaultWindowMs: 60000 });
+      const res = mockRes();
+      await svc.check(mockReq(), res);
+      expect(res._headers['X-RateLimit-Limit']).toBe('10');
+      expect(res._headers['X-RateLimit-Remaining']).toBe('9');
+      expect(res._headers['X-RateLimit-Reset']).toBeDefined();
+    });
+
+    it('| beallitja a Retry-After header-t 429-nel', async (): Promise<void> => {
+      svc.configure({ defaultLimit: 1, defaultWindowMs: 10000 });
+      await svc.check(mockReq(), mockRes());
+
+      const res = mockRes();
+      let thrown: any = null;
+      try { await svc.check(mockReq(), res); } catch (e) { thrown = e; }
+      expect(thrown).not.toBeNull();
+      expect(res._headers['Retry-After']).toBeDefined();
+      expect(res._headers['X-RateLimit-Remaining']).toBe('0');
+    });
+
+    it('| nem allit be header-t ha responseHeaders=false', async (): Promise<void> => {
+      svc.configure({ defaultLimit: 10, defaultWindowMs: 60000, responseHeaders: false });
+      const res = mockRes();
+      await svc.check(mockReq(), res);
+      expect(res._headers['X-RateLimit-Limit']).toBeUndefined();
+    });
+  });
+
+
+  describe('| setPolicyForKey() — subscription-tier-up', (): void => {
+    it('| egyedi limit a kulcsra felulhatja a default-ot', async (): Promise<void> => {
+      svc.configure({
+        defaultLimit:    2,
+        defaultWindowMs: 10000,
+        keyExtractor:    (req: Request): string => (req.headers['x-api-key'] as string) ?? req.ip ?? 'anon',
+      });
+      svc.setPolicyForKey('premium-key', { limit: 10, windowMs: 10000 });
+
+      // premium-key 10-et kap
+      for (let i: number = 0; i < 10; i++) {
+        await svc.check(mockReq({ headers: { 'x-api-key': 'premium-key' } }), mockRes());
+      }
+      let thrown: any = null;
+      try { await svc.check(mockReq({ headers: { 'x-api-key': 'premium-key' } }), mockRes()); } catch (e) { thrown = e; }
+      expect(thrown).not.toBeNull();
+      expect(DyFM_Error.getErrorStatus(thrown)).toBe(429);
+    });
+
+    it('| clearPolicyForKey visszaallit a default-ra', async (): Promise<void> => {
+      svc.configure({
+        defaultLimit:    1,
+        defaultWindowMs: 10000,
+        keyExtractor:    (req: Request): string => (req.headers['x-api-key'] as string) ?? 'anon',
+      });
+      svc.setPolicyForKey('k1', { limit: 5, windowMs: 10000 });
+      svc.clearPolicyForKey('k1');
+
+      // most a default 1-es limit ervenyes
+      await svc.check(mockReq({ headers: { 'x-api-key': 'k1' } }), mockRes());
+      let thrown: any = null;
+      try { await svc.check(mockReq({ headers: { 'x-api-key': 'k1' } }), mockRes()); } catch (e) { thrown = e; }
+      expect(thrown).not.toBeNull();
+    });
+  });
+
+
+  describe('| keyExtractor override', (): void => {
+    it('| custom keyExtractor felulhatja a default IP-alapu-t', async (): Promise<void> => {
+      svc.configure({
+        defaultLimit:    1,
+        defaultWindowMs: 10000,
+        keyExtractor:    (req: Request): string => (req.headers['x-api-key'] as string) ?? 'anon',
+      });
+      // ugyanaz a IP, kulonbozo api-key — kulon limit
+      await svc.check(mockReq({ ip: '1.1.1.1', headers: { 'x-api-key': 'k1' } }), mockRes());
+      await svc.check(mockReq({ ip: '1.1.1.1', headers: { 'x-api-key': 'k2' } }), mockRes());
+      // k1 most a limit-en, k2 meg friss; ujabb k1 → 429
+      let thrown: any = null;
+      try { await svc.check(mockReq({ ip: '1.1.1.1', headers: { 'x-api-key': 'k1' } }), mockRes()); } catch (e) { thrown = e; }
+      expect(thrown).not.toBeNull();
+    });
+  });
+
+
+  describe('| GC', (): void => {
+    it('| runGc eltavolitja az ures kulcsokat', async (): Promise<void> => {
+      svc.configure({ defaultLimit: 10, defaultWindowMs: 10 }); // 10ms-os window
+      await svc.check(mockReq(), mockRes());
+      expect(svc.getConfig().trackedStorageKeys).toBe(1);
+
+      // varjunk meg amig a window lejar
+      await new Promise<void>((resolve: () => void): void => { setTimeout(resolve, 50); });
+
+      svc.runGc();
+      expect(svc.getConfig().trackedStorageKeys).toBe(0);
+    });
+  });
+
+
+  describe('| getConfig() diagnosztika', (): void => {
+    it('| visszaadja az aktualis allapotot', (): void => {
+      svc.configure({ defaultLimit: 50, defaultWindowMs: 30000 });
+      svc.setPolicyForKey('a', { limit: 100, windowMs: 60000 });
+      svc.setPolicyForKey('b', { limit: 200, windowMs: 60000 });
+
+      const cfg = svc.getConfig();
+      expect(cfg.defaultLimit).toBe(50);
+      expect(cfg.defaultWindowMs).toBe(30000);
+      expect(cfg.activeKeyPolicies).toBe(2);
+    });
+  });
+});

package/src/_modules/rate-limit/rate-limit.middleware.ts

@@ -0,0 +1,310 @@
+import { Request, Response } from 'express';
+
+import { DyFM_Error } from '@futdevpro/fsm-dynamo';
+
+import { DyNTS_SingletonServiceBase } from '../../_services/base/singleton.service-base';
+import { DyNTS_global_settings } from '../../_collections/global-settings.const';
+
+import { DyNTS_RateLimit_Config } from './_models/rate-limit-config.interface';
+import { DyNTS_RateLimit_Policy } from './_models/rate-limit-policy.interface';
+
+
+/** Default request-limit per default-window. */
+const DEFAULT_LIMIT: number = 100;
+
+/** Default sliding-window hossza ms-ben (1 perc). */
+const DEFAULT_WINDOW_MS: number = 60000;
+
+/** Default response-header allitas. */
+const DEFAULT_RESPONSE_HEADERS: boolean = true;
+
+/** Periodikus garbage-collection intervallum ms-ben (5 perc).
+ * A request-log-bol takaritja a regen inaktiv kulcsokat (memory-leak prevention).
+ */
+const GC_INTERVAL_MS: number = 5 * 60 * 1000;
+
+/** Service-nev az error-okhoz. */
+const SERVICE_NAME: string = 'DyNTS_RateLimit_Middleware';
+
+/** ErrorCode-builder — system shortcode + sajat kod. */
+const buildErrorCode = (subcode: string): string => {
+  const sys: string = DyNTS_global_settings.systemShortCodeName ?? 'DyNTS';
+  return `${sys}|DyNTS-RL-${subcode}`;
+};
+
+
+/**
+ * Sliding-window HTTP rate-limit middleware — opt-in service-szel, a meglevo
+ * `DyNTS_Endpoint_Params.preProcesses` mechanizmus mellol mukodik.
+ *
+ * **Hasznalat (host app):**
+ * ```ts
+ * const rateLimit = DyNTS_RateLimit_Middleware.getInstance();
+ * rateLimit.configure({
+ *   defaultLimit: 100,            // 100 req/perc default
+ *   defaultWindowMs: 60_000,
+ *   keyExtractor: (req) => req.headers['x-api-key'] as string || req.ip,
+ * });
+ *
+ * new DyNTS_Endpoint_Params({
+ *   ...,
+ *   preProcesses: [rateLimit.check, ...other],
+ * });
+ *
+ * // subscription-tier-up: per-kulcs egyedi limit
+ * rateLimit.setPolicyForKey('subscriber-tier-key-123', {
+ *   limit: 1000,
+ *   windowMs: 60_000,
+ * });
+ * ```
+ *
+ * **Viselkedes:**
+ * - Sliding-window algoritmus: minden request egy timestamp; a window-on
+ *   kivuli timestamp-ek nem szamolnak. Tobb pontos mint a fix-bucket
+ *   (boundary-burst nincs).
+ * - In-memory storage — single-instance MVP-nek megfelelo. Multi-instance
+ *   prod-hoz Redis-backed extension kell (lasd a kozelebb dokumentumaltot).
+ * - Limit lepes: 429 DyFM_Error + `X-RateLimit-*` + `Retry-After` header-ek.
+ *
+ * **Storage:** `Map<storageKey, timestamps[]>` ahol storageKey = `${subject}|${endpoint}`.
+ * Periodikus GC takaritja a inaktiv kulcsokat.
+ *
+ * **Singleton:** `getInstance()`-szel hivd. A `.check` mezo binding-elve van
+ * `this`-re, igy direkt atadhato `preProcesses`-be ujracsomagolas nelkul.
+ */
+export class DyNTS_RateLimit_Middleware extends DyNTS_SingletonServiceBase {
+
+  static getInstance(): DyNTS_RateLimit_Middleware {
+    return DyNTS_RateLimit_Middleware.getSingletonInstance() as DyNTS_RateLimit_Middleware;
+  }
+
+  private defaultLimit: number = DEFAULT_LIMIT;
+  private defaultWindowMs: number = DEFAULT_WINDOW_MS;
+  private responseHeaders: boolean = DEFAULT_RESPONSE_HEADERS;
+
+  private keyExtractor: (req: Request) => string =
+    (req: Request): string => this.defaultKeyExtractor(req);
+  private endpointGrouper: (req: Request) => string =
+    (req: Request): string => req.path;
+
+  /** request-log: storageKey → timestamp-tomb (Date.now() ms). */
+  private requestLog: Map<string, number[]> = new Map();
+
+  /** Per-kulcs egyedi policy-k. */
+  private keyPolicies: Map<string, DyNTS_RateLimit_Policy> = new Map();
+
+  /** GC timer handle. */
+  private gcTimer: NodeJS.Timeout | null = null;
+
+
+  /**
+   * Konfig override. Hianyzo mezok a default-okat orzik. Hivhato barmikor —
+   * a `check()` a friss config-ot olvassa.
+   */
+  configure(config: DyNTS_RateLimit_Config): void {
+    if (config.defaultLimit !== undefined) {
+      this.defaultLimit = config.defaultLimit;
+    }
+    if (config.defaultWindowMs !== undefined) {
+      this.defaultWindowMs = config.defaultWindowMs;
+    }
+    if (config.keyExtractor !== undefined) {
+      this.keyExtractor = config.keyExtractor;
+    }
+    if (config.endpointGrouper !== undefined) {
+      this.endpointGrouper = config.endpointGrouper;
+    }
+    if (config.responseHeaders !== undefined) {
+      this.responseHeaders = config.responseHeaders;
+    }
+    if (config.initialKeyPolicies !== undefined) {
+      for (const [ key, policy ] of Object.entries(config.initialKeyPolicies)) {
+        this.keyPolicies.set(key, policy);
+      }
+    }
+    this.startGcTimer();
+  }
+
+  /**
+   * Aktualis konfig olvasasa (diagnosztika celokra).
+   */
+  getConfig(): {
+    defaultLimit: number;
+    defaultWindowMs: number;
+    responseHeaders: boolean;
+    activeKeyPolicies: number;
+    trackedStorageKeys: number;
+  } {
+    return {
+      defaultLimit:        this.defaultLimit,
+      defaultWindowMs:     this.defaultWindowMs,
+      responseHeaders:     this.responseHeaders,
+      activeKeyPolicies:   this.keyPolicies.size,
+      trackedStorageKeys:  this.requestLog.size,
+    };
+  }
+
+  /**
+   * Per-kulcs egyedi policy beallitas (pl. subscription-tier alapjan).
+   * A `key`-nek pontosan azzal a stringgel kell egyeznie, amit a `keyExtractor`
+   * visszaad.
+   */
+  setPolicyForKey(key: string, policy: DyNTS_RateLimit_Policy): void {
+    this.keyPolicies.set(key, policy);
+  }
+
+  /**
+   * Per-kulcs policy torlese (visszaall a default-ra).
+   */
+  clearPolicyForKey(key: string): void {
+    this.keyPolicies.delete(key);
+  }
+
+
+  /**
+   * Pre-process function — atadhato `DyNTS_Endpoint_Params.preProcesses`-be.
+   *
+   * Throws:
+   *   - 429 ha az aktualis request meghaladna a limit-et a sliding window-on
+   *
+   * Side-effect: ha `responseHeaders === true`, beallitja az `X-RateLimit-Limit`,
+   * `X-RateLimit-Remaining`, `X-RateLimit-Reset` header-eket; 429 eseten
+   * a `Retry-After` header-t is.
+   */
+  readonly check = async (req: Request, res: Response): Promise<void> => {
+    const subject: string = this.keyExtractor(req);
+    const endpoint: string = this.endpointGrouper(req);
+    const storageKey: string = `${subject}|${endpoint}`;
+
+    const policy: DyNTS_RateLimit_Policy = this.keyPolicies.get(subject) ?? {
+      limit:    this.defaultLimit,
+      windowMs: this.defaultWindowMs,
+    };
+
+    const now: number = Date.now();
+    const windowStart: number = now - policy.windowMs;
+
+    // sliding-window: tartomanyon kivuli timestamp-eket eldobjuk
+    const existing: number[] = this.requestLog.get(storageKey) ?? [];
+    const recent: number[] = existing.filter((t: number): boolean => t > windowStart);
+
+    if (recent.length >= policy.limit) {
+      const oldest: number = recent[0];
+      const resetAt: number = oldest + policy.windowMs;
+      const retryAfterSec: number = Math.max(1, Math.ceil((resetAt - now) / 1000));
+
+      if (this.responseHeaders) {
+        res.setHeader('X-RateLimit-Limit', policy.limit.toString());
+        res.setHeader('X-RateLimit-Remaining', '0');
+        res.setHeader('X-RateLimit-Reset', Math.ceil(resetAt / 1000).toString());
+        res.setHeader('Retry-After', retryAfterSec.toString());
+      }
+
+      // Frissitjuk a log-ot a kiszurt verzioval (felesleges regi timestamp-eket eldobtuk)
+      this.requestLog.set(storageKey, recent);
+
+      throw new DyFM_Error({
+        status:    429,
+        errorCode: buildErrorCode('LIMIT'),
+        addECToUserMsg: true,
+        message:   `Rate limit exceeded: ${policy.limit} req per ${policy.windowMs}ms for ${storageKey}`,
+        userMessage: `Too many requests, retry after ${retryAfterSec}s`,
+        issuerService: SERVICE_NAME,
+      });
+    }
+
+    // alatta vagyunk a limit-nek: append the current request
+    recent.push(now);
+    this.requestLog.set(storageKey, recent);
+
+    if (this.responseHeaders) {
+      res.setHeader('X-RateLimit-Limit', policy.limit.toString());
+      res.setHeader('X-RateLimit-Remaining', Math.max(0, policy.limit - recent.length).toString());
+      res.setHeader('X-RateLimit-Reset', Math.ceil((now + policy.windowMs) / 1000).toString());
+    }
+  };
+
+
+  /**
+   * Default key-extractor: x-forwarded-for vagy req.ip vagy 'unknown'.
+   * Csak akkor hasznalt, ha a host nem allit be sajat extractort a configure-ben.
+   */
+  private defaultKeyExtractor(req: Request): string {
+    const xff: unknown = req.headers['x-forwarded-for'];
+    if (typeof xff === 'string' && xff.length > 0) {
+      const first: string = xff.split(',')[0]?.trim() ?? '';
+      if (first.length > 0) {
+        return first;
+      }
+    }
+    if (Array.isArray(xff) && xff.length > 0) {
+      const first: string = xff[0]?.split(',')[0]?.trim() ?? '';
+      if (first.length > 0) {
+        return first;
+      }
+    }
+    return req.ip ?? 'unknown';
+  }
+
+
+  /**
+   * GC timer inditasa (idempotent). Periodikusan eltavolitja az inaktiv
+   * storage-key-eket a request-log-bol — memory-leak prevention.
+   */
+  private startGcTimer(): void {
+    if (this.gcTimer !== null) {
+      return;
+    }
+    this.gcTimer = setInterval((): void => {
+      this.runGc();
+    }, GC_INTERVAL_MS);
+    // unref hogy a process ne maradjon eletben a timer miatt
+    if (typeof this.gcTimer.unref === 'function') {
+      this.gcTimer.unref();
+    }
+  }
+
+  /**
+   * GC sweep — minden storage-key-rol levagja a regi timestamp-eket, es
+   * eltavolitja az ureseket. Hivhato kulonosen test-bol.
+   */
+  runGc(): void {
+    const now: number = Date.now();
+    const horizon: number = now - this.defaultWindowMs;
+
+    for (const [ key, timestamps ] of this.requestLog) {
+      const recent: number[] = timestamps.filter((t: number): boolean => t > horizon);
+      if (recent.length === 0) {
+        this.requestLog.delete(key);
+      } else {
+        this.requestLog.set(key, recent);
+      }
+    }
+  }
+
+  /**
+   * GC timer leallitasa (graceful shutdown vagy test-cleanup).
+   */
+  stopGcTimer(): void {
+    if (this.gcTimer !== null) {
+      clearInterval(this.gcTimer);
+      this.gcTimer = null;
+    }
+  }
+
+
+  /**
+   * Test-only: visszaallitja a default config-ot + uriti a state-et, hogy a
+   * specfajlok ne szivarogjak at egymas state-jet. Production code NE hivja.
+   */
+  _resetForTesting(): void {
+    this.defaultLimit     = DEFAULT_LIMIT;
+    this.defaultWindowMs  = DEFAULT_WINDOW_MS;
+    this.responseHeaders  = DEFAULT_RESPONSE_HEADERS;
+    this.keyExtractor     = (req: Request): string => this.defaultKeyExtractor(req);
+    this.endpointGrouper  = (req: Request): string => req.path;
+    this.requestLog.clear();
+    this.keyPolicies.clear();
+    this.stopGcTimer();
+  }
+}

package/src/_modules/server/errors/errors.data-service.ts

@@ -178,7 +178,7 @@ export class DyNTS_Errors_DataService<
         if (this.debugLog) DyFM_Log.error('Error:', errorsRecord);
 
         errorsRecord.priority = this.getPriorityMultiplierByLevel(errorsRecord?.level);
-        
+
         errorsRecord.duplications ??= [];
         errorsRecord.duplications.push(DyFM_Object.clone(errorsRecord));
 
@@ -187,7 +187,15 @@ export class DyNTS_Errors_DataService<
 
         this.duplicationCounter = 1;
 
-        await this.saveData();
+        // FR-027 (2026-05-24) — Pass `errorsRecord` explicitly. Korabban
+        // `saveData()` no-arg fallback `ensureData()`-on keresztul `this.data`-t
+        // hasznalt, ami a controller-szinten csak a `{issuer}` constructor
+        // wrapper, NEM az actual req.body adat. Eredmenykent minden client-
+        // forwarded error EMPTY rekordkent landolt: csak `issuer` mezo,
+        // semmilyen message/source/stackTrace/error/level/additionalContent
+        // mezo NEM kerult MongoDB-be. (Overseer-en 14454 ilyen empty record
+        // halmozodott fel — debug-level details elveszve.)
+        await this.saveData(errorsRecord);
         DyFM_Log.warn('error saved');
       }
     } catch (error) {