@od-oneapp/security 2026.1.1301

package/dist/rate-limit-DStYbhoa.mjs

@@ -0,0 +1,736 @@
+import "server-only";
+import { createHash } from "node:crypto";
+import { Ratelimit } from "@integrations/upstash/redis-client";
+import { getServerClient } from "@od-oneapp/db-upstash-redis/server";
+import { logError, logWarn } from "@od-oneapp/shared/logger";
+import { createEnv } from "@t3-oss/env-core";
+import { z } from "zod/v4";
+
+//#region env.ts
+/**
+* @fileoverview env.ts
+*/
+/**
+* Default logger implementation using structured JSON logging
+*/
+let loggerInstance = {
+	warn: (message, context) => {
+		if (process.env.NODE_ENV !== "test") logWarn(message, context);
+	},
+	error: (message, context) => {
+		if (process.env.NODE_ENV !== "test") logError(message, {
+			...context,
+			timestamp: (/* @__PURE__ */ new Date()).toISOString()
+		});
+	}
+};
+/**
+* Set a custom logger implementation for the security package
+*
+* This allows you to integrate your preferred logging solution (pino, winston, etc.)
+* with the security package's internal logging.
+*
+* @param customLogger - Custom logger implementation conforming to the Logger interface
+*
+* @example
+* ```typescript
+* import { setLogger } from '@od-oneapp/security/server';
+* import pino from 'pino';
+*
+* const logger = pino({ level: 'info' });
+* setLogger({
+*   warn: (msg, ctx) => logger.warn(ctx, msg),
+*   error: (msg, ctx) => logger.error(ctx, msg),
+* });
+* ```
+*
+* @example
+* ```typescript
+* // Winston integration
+* import winston from 'winston';
+* import { setLogger } from '@od-oneapp/security/server';
+*
+* const logger = winston.createLogger({
+*   level: 'info',
+*   format: winston.format.json(),
+*   transports: [new winston.transports.Console()],
+* });
+*
+* setLogger({
+*   warn: (msg, ctx) => logger.warn(msg, ctx),
+*   error: (msg, ctx) => logger.error(msg, ctx),
+* });
+* ```
+*/
+function setLogger(customLogger) {
+	loggerInstance = customLogger;
+}
+/**
+* Get the current logger instance
+*
+* Returns the active logger (default JSON logger or custom logger set via setLogger).
+* The default logger outputs structured JSON logs to console and is silent in test environments.
+*
+* @returns The current logger instance
+*
+* @example
+* ```typescript
+* import { getLogger } from '@od-oneapp/security/server';
+*
+* const logger = getLogger();
+* logger.warn('Rate limiting disabled', { reason: 'no Redis config' });
+* logger.error('Security check failed', { error: 'timeout' });
+* ```
+*/
+function getLogger() {
+	return loggerInstance;
+}
+/**
+* Validated environment variables for the security package
+*
+* Type-safe environment configuration with automatic validation using @t3-oss/env-core.
+* In production, validation errors throw. In development, they log warnings and use fallback values.
+*
+* @example
+* ```typescript
+* import { env } from '@od-oneapp/security/server';
+*
+* // Access validated environment variables
+* const arcjetKey = env.ARCJET_KEY;
+* const redisToken = env.UPSTASH_REDIS_REST_TOKEN;
+* const isProduction = env.NODE_ENV === 'production';
+* ```
+*
+* @see {@link https://env.t3.gg/docs/core | @t3-oss/env-core Documentation}
+*/
+const env = createEnv({
+	server: {
+		ARCJET_KEY: z.string().startsWith("ajkey_").optional(),
+		UPSTASH_REDIS_REST_TOKEN: z.string().min(1).optional(),
+		UPSTASH_REDIS_REST_URL: z.string().url().optional(),
+		NODE_ENV: z.enum([
+			"development",
+			"test",
+			"production"
+		]).default("development")
+	},
+	runtimeEnv: process.env,
+	emptyStringAsUndefined: true,
+	onValidationError: (error) => {
+		const message = Array.isArray(error) ? error.map((e) => e.message).join(", ") : String(error);
+		if (process.env.NODE_ENV === "production") {
+			loggerInstance.error("Security environment validation failed in production", {
+				error: message,
+				env: process.env.NODE_ENV,
+				module: "@od-oneapp/security"
+			});
+			throw new Error(`Security configuration error: ${message}`);
+		}
+		loggerInstance.warn("Security environment validation failed", {
+			error: message,
+			env: process.env.NODE_ENV,
+			module: "@od-oneapp/security"
+		});
+		throw new Error(`Security environment validation failed: ${message}`);
+	}
+});
+/**
+* Safe access to environment variables with fallback handling
+*
+* Provides resilient access to environment variables in non-Next.js contexts
+* (Node.js, workers, tests). Returns validated env or fallback values if validation fails.
+*
+* **Semantics:**
+* - If `env` is successfully validated by `@t3-oss/env-core`, returns the validated env object
+* - If validation fails (e.g., invalid format), returns fallback values matching the same structure
+* - The return type is always compatible with `SecurityEnv` (typeof env)
+* - Helper functions (`isProduction`, `hasArcjetConfig`, `hasUpstashConfig`) rely on this
+* consistent return structure for type safety
+*
+* @returns Environment variables object (validated or fallback values)
+* Always matches the structure of `SecurityEnv` for type safety
+*
+* @example
+* ```typescript
+* import { safeEnv } from '@od-oneapp/security/server';
+*
+* const env = safeEnv();
+* if (env.ARCJET_KEY) {
+*   // Bot protection is configured
+* }
+* ```
+*
+* @example
+* ```typescript
+* // Use in rate limiter initialization
+* const env = safeEnv();
+* const isProduction = env.NODE_ENV === 'production';
+* if (!env.UPSTASH_REDIS_REST_TOKEN && isProduction) {
+*   throw new Error('Redis required in production');
+* }
+* ```
+*/
+function safeEnv() {
+	return env;
+}
+/**
+* Check if the current environment is production
+*
+* Useful for conditional logic that should only run in production
+* (e.g., strict rate limiting, fail-closed security checks).
+*
+* @returns True if NODE_ENV is 'production'
+*
+* @example
+* ```typescript
+* import { isProduction } from '@od-oneapp/security/server';
+*
+* if (isProduction()) {
+*   // Enforce strict security policies
+*   await secure([], request); // Block all bots
+* } else {
+*   // Development: allow some bots for testing
+*   await secure(['GOOGLEBOT'], request);
+* }
+* ```
+*/
+function isProduction() {
+	return safeEnv().NODE_ENV === "production";
+}
+/**
+* Check if Arcjet is configured
+*
+* Returns true if ARCJET_KEY environment variable is set.
+* Use this to conditionally enable bot detection when Arcjet is available.
+*
+* @returns True if ARCJET_KEY environment variable is set
+*
+* @example
+* ```typescript
+* import { hasArcjetConfig, secure } from '@od-oneapp/security/server/next';
+*
+* export async function POST(request: Request) {
+*   if (hasArcjetConfig()) {
+*     await secure(['GOOGLEBOT', 'BINGBOT'], request);
+*   }
+*   // Continue with request processing
+* }
+* ```
+*
+* @see {@link https://docs.arcjet.com | Arcjet Documentation}
+*/
+function hasArcjetConfig() {
+	const envVars = safeEnv();
+	return Boolean(envVars.ARCJET_KEY);
+}
+/**
+* Check if Upstash Redis is configured
+*
+* Returns true if both UPSTASH_REDIS_REST_TOKEN and UPSTASH_REDIS_REST_URL
+* environment variables are set. Use this to conditionally enable rate limiting.
+*
+* @returns True if both UPSTASH_REDIS_REST_TOKEN and UPSTASH_REDIS_REST_URL are set
+*
+* @example
+* ```typescript
+* import { hasUpstashConfig, createRateLimiter } from '@od-oneapp/security/server';
+* import { Ratelimit } from '@upstash/ratelimit';
+*
+* export async function POST(request: Request) {
+*   if (hasUpstashConfig()) {
+*     const limiter = createRateLimiter({
+*       limiter: Ratelimit.slidingWindow(10, '1 m'),
+*     });
+*     const result = await limiter.limit('user-123');
+*     if (!result.success) {
+*       return new Response('Rate limited', { status: 429 });
+*     }
+*   }
+*   // Continue with request processing
+* }
+* ```
+*
+* @see {@link https://upstash.com/docs/oss/sdks/ts/ratelimit/overview | Upstash Rate Limiting}
+*/
+function hasUpstashConfig() {
+	const envVars = safeEnv();
+	return Boolean(envVars.UPSTASH_REDIS_REST_TOKEN && envVars.UPSTASH_REDIS_REST_URL);
+}
+
+//#endregion
+//#region rate-limit.ts
+/**
+* Sliding window rate limiting algorithm
+*
+* Provides smooth rate limiting by distributing requests across a rolling time window.
+* More accurate than fixed windows as it prevents burst traffic at window boundaries.
+*
+* @param tokens - Maximum number of requests allowed in the time window
+* @param window - Time window duration (e.g., '10 s', '1 m', '1 h')
+* @returns Rate limiter configuration
+*
+* @example
+* ```typescript
+* const limiter = createRateLimiter({
+*   limiter: slidingWindow(100, '1 m'), // 100 requests per minute
+* });
+* ```
+*/
+const { slidingWindow } = Ratelimit;
+/**
+* Fixed window rate limiting algorithm
+*
+* Resets the counter at fixed time intervals. Simpler but can allow bursts
+* at window boundaries (e.g., 100 requests at 00:59, 100 more at 01:00).
+*
+* @param tokens - Maximum number of requests allowed in the time window
+* @param window - Time window duration (e.g., '10 s', '1 m', '1 h')
+* @returns Rate limiter configuration
+*
+* @example
+* ```typescript
+* const limiter = createRateLimiter({
+*   limiter: fixedWindow(1000, '1 h'), // 1000 requests per hour
+* });
+* ```
+*/
+const { fixedWindow } = Ratelimit;
+/**
+* Token bucket rate limiting algorithm
+*
+* Allows burst traffic while maintaining average rate. Tokens refill at a constant rate,
+* and requests consume tokens. Good for APIs that need to handle occasional spikes.
+*
+* @param refillRate - Rate at which tokens are refilled
+* @param interval - Refill interval (e.g., '10 s', '1 m')
+* @returns Rate limiter configuration
+*
+* @example
+* ```typescript
+* const limiter = createRateLimiter({
+*   limiter: tokenBucket(50, '10 s'), // 50 tokens, refills every 10s
+* });
+* ```
+*/
+const { tokenBucket } = Ratelimit;
+/**
+* No-op rate limiter implementation for development when Redis is not configured
+* This is type-safe and doesn't bypass TypeScript's type checking
+*/
+var NoOpRateLimiter = class {
+	logger = getLogger();
+	async getRemaining(_identifier) {
+		this.logger.warn("Rate limiting is disabled - no Redis configuration", { nodeEnv: safeEnv().NODE_ENV });
+		return {
+			remaining: 999999,
+			reset: Date.now() + 6e4,
+			limit: 999999
+		};
+	}
+	async limit(_identifier) {
+		this.logger.warn("Rate limiting is disabled - no Redis configuration", {
+			message: "Set UPSTASH_REDIS_REST_TOKEN and UPSTASH_REDIS_REST_URL to enable rate limiting",
+			nodeEnv: safeEnv().NODE_ENV
+		});
+		return {
+			success: true,
+			limit: 999999,
+			remaining: 999999,
+			reset: Date.now() + 6e4,
+			pending: Promise.resolve(void 0)
+		};
+	}
+	async resetUsedTokens(_identifier) {}
+};
+/**
+* Hash identifiers containing unsafe characters (emails, URLs, etc.)
+*
+* Creates a stable SHA-256 hash for identifiers with special characters that
+* aren't allowed in rate limit keys. Use this for emails, user IDs with slashes,
+* or any identifier that fails `validateIdentifier()`.
+*
+* **Note:** This function truncates the SHA-256 hash from 64 to 32 hex characters,
+* reducing entropy from 256 bits to 128 bits. This is intentional and provides
+* sufficient collision resistance for rate limiting use cases while keeping
+* identifier lengths manageable. 128 bits of entropy is cryptographically secure
+* and exceeds the collision resistance needed for rate limit identifiers.
+*
+* @param identifier - The identifier to hash (can contain any characters)
+* @returns Hexadecimal hash (32 characters, safe for rate limiting)
+*
+* @example
+* ```typescript
+* // For email addresses
+* const userId = hashIdentifier('user@example.com');
+* await applyRateLimit(userId, 'api');
+* ```
+*
+* @example
+* ```typescript
+* // For URLs
+* const pathHash = hashIdentifier('/api/users/123/profile');
+* await applyRateLimit(pathHash, 'api');
+* ```
+*/
+function hashIdentifier(identifier) {
+	return createHash("sha256").update(identifier).digest("hex").slice(0, 32);
+}
+/**
+* Wraps a promise with a timeout
+* @param promise - The promise to wrap
+* @param timeoutMs - Timeout in milliseconds
+* @param errorMessage - Error message to throw on timeout
+* @returns The promise result or throws on timeout
+*/
+async function withTimeout(promise, timeoutMs, errorMessage) {
+	const timeout = new Promise((_resolve, reject) => {
+		setTimeout(() => reject(new Error(errorMessage)), timeoutMs);
+	});
+	return Promise.race([promise, timeout]);
+}
+const DEFAULT_RATE_LIMIT_TIMEOUT_MS = 5e3;
+const rateLimitInfoCache = /* @__PURE__ */ new Map();
+const CACHE_TTL_MS = 1e3;
+const MAX_CACHE_SIZE = 1e3;
+const pendingRequests = /* @__PURE__ */ new Map();
+/**
+* Cleanup expired cache entries periodically
+* Runs every 5 seconds to prevent memory leaks
+*/
+function cleanupCache() {
+	const now = Date.now();
+	const entries = Array.from(rateLimitInfoCache.entries());
+	for (const [key, value] of entries) if (value.expires <= now) rateLimitInfoCache.delete(key);
+	if (rateLimitInfoCache.size > MAX_CACHE_SIZE) {
+		const toDelete = entries.sort((a, b) => a[1].expires - b[1].expires).slice(0, rateLimitInfoCache.size - MAX_CACHE_SIZE);
+		toDelete.forEach(([key]) => rateLimitInfoCache.delete(key));
+		getLogger().warn("Rate limit cache size limit exceeded, evicted old entries", {
+			evicted: toDelete.length,
+			remaining: rateLimitInfoCache.size
+		});
+	}
+}
+setInterval(() => {
+	try {
+		cleanupCache();
+	} catch (error) {
+		getLogger().error("Cache cleanup failed", { error: error instanceof Error ? error.message : String(error) });
+	}
+}, 5e3).unref();
+/**
+* Create a rate limiter with shared Redis backend
+*
+* Returns a configured rate limiter using the shared Upstash Redis instance.
+* In development without Redis, returns a no-op limiter with `disabled: true`.
+* In production without Redis, throws an error.
+*
+* @param props - Rate limiter configuration (limiter algorithm, prefix, analytics)
+* @returns Configured Ratelimit instance
+* @throws {Error} In production if Redis is not configured
+*
+* @example
+* ```typescript
+* const limiter = createRateLimiter({
+*   limiter: slidingWindow(100, '1 m'),
+*   prefix: 'api:v1',
+* });
+* const result = await limiter.limit('user-123');
+* ```
+*
+* @example
+* ```typescript
+* // Custom burst handling
+* const burstLimiter = createRateLimiter({
+*   limiter: tokenBucket(50, '10 s'),
+*   prefix: 'uploads',
+*   analytics: true,
+* });
+* ```
+*/
+const createRateLimiter = (props) => {
+	const env = safeEnv();
+	if (!env.UPSTASH_REDIS_REST_TOKEN || !env.UPSTASH_REDIS_REST_URL) {
+		if (env.NODE_ENV === "production") throw new Error("Rate limiting requires Redis configuration. Set UPSTASH_REDIS_REST_TOKEN and UPSTASH_REDIS_REST_URL environment variables.");
+		return new NoOpRateLimiter();
+	}
+	try {
+		const redisClient = getServerClient();
+		return new Ratelimit({
+			limiter: props.limiter,
+			prefix: props.prefix ?? "forge",
+			redis: redisClient.redis,
+			analytics: props.analytics ?? false,
+			ephemeralCache: props.ephemeralCache ?? void 0
+		});
+	} catch (error) {
+		getLogger().error("Failed to create rate limiter", {
+			error: error instanceof Error ? error.message : String(error),
+			nodeEnv: env.NODE_ENV
+		});
+		if (env.NODE_ENV === "production") throw new Error("Rate limiter initialization failed. Check Redis configuration.");
+		return new NoOpRateLimiter();
+	}
+};
+/**
+* Default rate limiter configurations for common use cases
+*
+* Readonly configurations optimized for different endpoint types.
+* All use sliding window algorithm for smooth rate limiting.
+*
+* @example
+* ```typescript
+* // Use pre-configured limiters
+* const result = await rateLimiters.api.limit('user-123');
+*
+* // Or create custom limiter from config
+* const customLimiter = createRateLimiter(rateLimitConfigs.api);
+* ```
+*/
+const rateLimitConfigs = {
+	api: {
+		limiter: Ratelimit.slidingWindow(100, "1 m"),
+		prefix: "ratelimit:api"
+	},
+	auth: {
+		limiter: Ratelimit.slidingWindow(5, "15 m"),
+		prefix: "ratelimit:auth"
+	},
+	upload: {
+		limiter: Ratelimit.slidingWindow(10, "1 h"),
+		prefix: "ratelimit:upload"
+	},
+	webhook: {
+		limiter: Ratelimit.slidingWindow(1e3, "1 h"),
+		prefix: "ratelimit:webhook"
+	},
+	search: {
+		limiter: Ratelimit.slidingWindow(500, "1 m"),
+		prefix: "ratelimit:search"
+	}
+};
+/**
+* Pre-configured, ready-to-use rate limiters
+*
+* Instantiated limiters for common use cases. Use these directly
+* or create custom limiters with `createRateLimiter()`.
+*
+* @example
+* ```typescript
+* // Direct usage
+* const result = await rateLimiters.api.limit('192.168.1.1');
+* if (!result.success) {
+*   return new Response('Too many requests', { status: 429 });
+* }
+* ```
+*
+* @example
+* ```typescript
+* // Different limiters for different endpoints
+* await rateLimiters.auth.limit(userId); // Strict limits
+* await rateLimiters.search.limit(ip);   // Higher limits
+* ```
+*/
+const rateLimiters = {
+	get api() {
+		return getCachedRateLimiter("api");
+	},
+	set api(value) {
+		cachedRateLimiters.api = value;
+	},
+	get auth() {
+		return getCachedRateLimiter("auth");
+	},
+	set auth(value) {
+		cachedRateLimiters.auth = value;
+	},
+	get upload() {
+		return getCachedRateLimiter("upload");
+	},
+	set upload(value) {
+		cachedRateLimiters.upload = value;
+	},
+	get webhook() {
+		return getCachedRateLimiter("webhook");
+	},
+	set webhook(value) {
+		cachedRateLimiters.webhook = value;
+	},
+	get search() {
+		return getCachedRateLimiter("search");
+	},
+	set search(value) {
+		cachedRateLimiters.search = value;
+	}
+};
+const cachedRateLimiters = {};
+function getCachedRateLimiter(key) {
+	const existing = cachedRateLimiters[key];
+	if (existing) return existing;
+	const created = createRateLimiter(rateLimitConfigs[key]);
+	cachedRateLimiters[key] = created;
+	return created;
+}
+/**
+* Validates a rate limit identifier
+*
+* @param identifier - The identifier to validate
+* @returns Validated identifier (unchanged if valid)
+* @throws {Error} If identifier is invalid
+*
+* @remarks
+* Valid characters: alphanumeric, hyphens, underscores, colons, dots
+* For identifiers with special characters (emails, etc.), use hashIdentifier()
+*
+* @example
+* ```typescript
+* // Valid
+* validateIdentifier('user-123');
+* validateIdentifier('192.168.1.1');
+* validateIdentifier('api:v1:users');
+*
+* // Invalid - use hashIdentifier instead
+* hashIdentifier('user@example.com');
+* ```
+*/
+function validateIdentifier(identifier) {
+	if (!identifier || typeof identifier !== "string") throw new Error("Rate limit identifier must be a non-empty string");
+	if (identifier.length > 255) throw new Error("Rate limit identifier must be 255 characters or less");
+	if (/[^a-zA-Z0-9\-_:.]/.test(identifier)) throw new Error(`Rate limit identifier contains invalid characters. Only alphanumeric, hyphens, underscores, colons, and dots are allowed. Got: "${identifier}". Consider using hashIdentifier() for email addresses or complex identifiers.`);
+	return identifier;
+}
+/**
+* Apply rate limiting to a request
+* @param identifier - Unique identifier for the request (e.g., IP address, user ID).
+* Must be a non-empty string, max 255 characters.
+* Invalid characters will be sanitized.
+* @param type - Type of rate limiter to use. Defaults to 'api'.
+* Options: 'api', 'auth', 'upload', 'webhook', 'search'
+* @returns Rate limit result with success status and limit information
+* @throws {Error} If identifier is invalid or type doesn't exist
+*
+* @example
+* ```typescript
+* const result = await applyRateLimit('192.168.1.1', 'api');
+* if (!result.success) {
+*   return new Response('Too many requests', { status: 429 });
+* }
+* ```
+*
+* @example
+* ```typescript
+* // For authenticated users
+* const result = await applyRateLimit(userId, 'auth');
+* ```
+*/
+const applyRateLimit = async (identifier, type = "api") => {
+	const validatedIdentifier = validateIdentifier(identifier);
+	if (!(type in rateLimiters)) throw new Error(`Invalid rate limiter type: ${type}. Must be one of: ${Object.keys(rateLimiters).join(", ")}`);
+	const limiter = rateLimiters[type];
+	try {
+		const result = await withTimeout(limiter.limit(validatedIdentifier), DEFAULT_RATE_LIMIT_TIMEOUT_MS, "Rate limit check timed out");
+		return {
+			success: result.success,
+			limit: result.limit,
+			remaining: result.remaining,
+			reset: result.reset,
+			retryAfter: result.success ? void 0 : result.reset - Date.now()
+		};
+	} catch (error) {
+		if (safeEnv().NODE_ENV === "production") throw error;
+		return {
+			success: true,
+			limit: 999999,
+			remaining: 999999,
+			reset: Date.now() + 6e4,
+			disabled: true
+		};
+	}
+};
+/**
+* Check if a request is rate limited
+*
+* @param identifier - Unique identifier for the request (e.g., IP address, user ID).
+* Must be a non-empty string, max 255 characters.
+* Invalid characters will be sanitized.
+* @param type - Type of rate limiter to check. Defaults to 'api'.
+* Options: 'api', 'auth', 'upload', 'webhook', 'search'
+* @returns True if request should be blocked due to rate limiting
+* @throws {Error} If identifier is invalid or type doesn't exist
+*
+* @example
+* ```typescript
+* const isLimited = await isRateLimited('192.168.1.1', 'api');
+* if (isLimited) {
+*   return new Response('Too many requests', { status: 429 });
+* }
+* ```
+*/
+const isRateLimited = async (identifier, type = "api") => {
+	return !(await applyRateLimit(identifier, type)).success;
+};
+/**
+* Get rate limit info without applying limits
+* Uses request coalescing to prevent cache stampede
+*
+* @param identifier - Unique identifier for the request (e.g., IP address, user ID).
+* Must be a non-empty string, max 255 characters.
+* Only alphanumeric, hyphens, underscores, colons, dots allowed.
+* @param type - Type of rate limiter to query. Defaults to 'api'.
+* Options: 'api', 'auth', 'upload', 'webhook', 'search'
+* @returns Rate limit information excluding success status
+* @throws {Error} If identifier is invalid or type doesn't exist
+*
+* @example
+* ```typescript
+* const info = await getRateLimitInfo('192.168.1.1', 'api');
+* console.log(`Limit: ${info.limit}, Remaining: ${info.remaining}`);
+* ```
+*
+* @example
+* ```typescript
+* // For identifiers with special characters, use hashIdentifier
+* const safeId = hashIdentifier('user@example.com');
+* const info = await getRateLimitInfo(safeId, 'api');
+* ```
+*/
+const getRateLimitInfo = async (identifier, type = "api") => {
+	const validatedIdentifier = validateIdentifier(identifier);
+	if (!(type in rateLimiters)) throw new Error(`Invalid rate limiter type: ${type}. Must be one of: ${Object.keys(rateLimiters).join(", ")}`);
+	const limiter = rateLimiters[type];
+	const cacheKey = `${type}:${validatedIdentifier}`;
+	const cached = rateLimitInfoCache.get(cacheKey);
+	if (cached && cached.expires > Date.now()) return cached.data;
+	const pending = pendingRequests.get(cacheKey);
+	if (pending) return pending;
+	const requestPromise = (async () => {
+		try {
+			const result = await withTimeout(limiter.limit(validatedIdentifier), DEFAULT_RATE_LIMIT_TIMEOUT_MS, "Rate limit info check timed out");
+			const data = {
+				limit: result.limit,
+				remaining: result.remaining,
+				reset: result.reset
+			};
+			rateLimitInfoCache.set(cacheKey, {
+				data,
+				expires: Date.now() + CACHE_TTL_MS
+			});
+			return data;
+		} catch (error) {
+			if (safeEnv().NODE_ENV === "production") throw error;
+			return {
+				limit: 999999,
+				remaining: 999999,
+				reset: Date.now() + 6e4,
+				disabled: true
+			};
+		} finally {
+			pendingRequests.delete(cacheKey);
+		}
+	})();
+	pendingRequests.set(cacheKey, requestPromise);
+	return requestPromise;
+};
+
+//#endregion
+export { setLogger as _, hashIdentifier as a, rateLimiters as c, env as d, getLogger as f, safeEnv as g, isProduction as h, getRateLimitInfo as i, slidingWindow as l, hasUpstashConfig as m, createRateLimiter as n, isRateLimited as o, hasArcjetConfig as p, fixedWindow as r, rateLimitConfigs as s, applyRateLimit as t, tokenBucket as u };
+//# sourceMappingURL=rate-limit-DStYbhoa.mjs.map