@orpc/experimental-ratelimit 0.0.0-next.3312214

package/LICENSE

@@ -0,0 +1,21 @@
+MIT License
+
+Copyright (c) 2023 oRPC
+
+Permission is hereby granted, free of charge, to any person obtaining a copy
+of this software and associated documentation files (the "Software"), to deal
+in the Software without restriction, including without limitation the rights
+to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
+copies of the Software, and to permit persons to whom the Software is
+furnished to do so, subject to the following conditions:
+
+The above copyright notice and this permission notice shall be included in all
+copies or substantial portions of the Software.
+
+THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
+AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
+LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
+OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
+SOFTWARE.

package/README.md

@@ -0,0 +1,81 @@
+<div align="center">
+  <image align="center" src="https://orpc.unnoq.com/logo.webp" width=280 alt="oRPC logo" />
+</div>
+
+<h1></h1>
+
+<div align="center">
+  <a href="https://codecov.io/gh/unnoq/orpc">
+    <img alt="codecov" src="https://codecov.io/gh/unnoq/orpc/branch/main/graph/badge.svg">
+  </a>
+  <a href="https://www.npmjs.com/package/@orpc/experimental-ratelimit">
+    <img alt="weekly downloads" src="https://img.shields.io/npm/dw/%40orpc%2Fexperimental-ratelimit?logo=npm" />
+  </a>
+  <a href="https://github.com/unnoq/orpc/blob/main/LICENSE">
+    <img alt="MIT License" src="https://img.shields.io/github/license/unnoq/orpc?logo=open-source-initiative" />
+  </a>
+  <a href="https://discord.gg/TXEbwRBvQn">
+    <img alt="Discord" src="https://img.shields.io/discord/1308966753044398161?color=7389D8&label&logo=discord&logoColor=ffffff" />
+  </a>
+  <a href="https://deepwiki.com/unnoq/orpc">
+    <img src="https://deepwiki.com/badge.svg" alt="Ask DeepWiki">
+  </a>
+</div>
+
+<h3 align="center">Typesafe APIs Made Simple 🪄</h3>
+
+**oRPC is a powerful combination of RPC and OpenAPI**, makes it easy to build APIs that are end-to-end type-safe and adhere to OpenAPI standards
+
+---
+
+## Highlights
+
+- **🔗 End-to-End Type Safety**: Ensure type-safe inputs, outputs, and errors from client to server.
+- **📘 First-Class OpenAPI**: Built-in support that fully adheres to the OpenAPI standard.
+- **📝 Contract-First Development**: Optionally define your API contract before implementation.
+- **🔍 First-Class OpenTelemetry**: Seamlessly integrate with OpenTelemetry for observability.
+- **⚙️ Framework Integrations**: Seamlessly integrate with TanStack Query (React, Vue, Solid, Svelte, Angular), SWR, Pinia Colada, and more.
+- **🚀 Server Actions**: Fully compatible with React Server Actions on Next.js, TanStack Start, and other platforms.
+- **🔠 Standard Schema Support**: Works out of the box with Zod, Valibot, ArkType, and other schema validators.
+- **🗃️ Native Types**: Supports native types like Date, File, Blob, BigInt, URL, and more.
+- **⏱️ Lazy Router**: Enhance cold start times with our lazy routing feature.
+- **📡 SSE & Streaming**: Enjoy full type-safe support for SSE and streaming.
+- **🌍 Multi-Runtime Support**: Fast and lightweight on Cloudflare, Deno, Bun, Node.js, and beyond.
+- **🔌 Extendability**: Easily extend functionality with plugins, middleware, and interceptors.
+
+## Documentation
+
+You can find the full documentation [here](https://orpc.unnoq.com).
+
+## Packages
+
+- [@orpc/contract](https://www.npmjs.com/package/@orpc/contract): Build your API contract.
+- [@orpc/server](https://www.npmjs.com/package/@orpc/server): Build your API or implement API contract.
+- [@orpc/client](https://www.npmjs.com/package/@orpc/client): Consume your API on the client with type-safety.
+- [@orpc/openapi](https://www.npmjs.com/package/@orpc/openapi): Generate OpenAPI specs and handle OpenAPI requests.
+- [@orpc/otel](https://www.npmjs.com/package/@orpc/otel): [OpenTelemetry](https://opentelemetry.io/) integration for observability.
+- [@orpc/nest](https://www.npmjs.com/package/@orpc/nest): Deeply integrate oRPC with [NestJS](https://nestjs.com/).
+- [@orpc/react](https://www.npmjs.com/package/@orpc/react): Utilities for integrating oRPC with React and React Server Actions.
+- [@orpc/tanstack-query](https://www.npmjs.com/package/@orpc/tanstack-query): [TanStack Query](https://tanstack.com/query/latest) integration.
+- [@orpc/experimental-react-swr](https://www.npmjs.com/package/@orpc/experimental-react-swr): [SWR](https://swr.vercel.app/) integration.
+- [@orpc/vue-colada](https://www.npmjs.com/package/@orpc/vue-colada): Integration with [Pinia Colada](https://pinia-colada.esm.dev/).
+- [@orpc/hey-api](https://www.npmjs.com/package/@orpc/hey-api): [Hey API](https://heyapi.dev/) integration.
+- [@orpc/zod](https://www.npmjs.com/package/@orpc/zod): More schemas that [Zod](https://zod.dev/) doesn't support yet.
+- [@orpc/valibot](https://www.npmjs.com/package/@orpc/valibot): OpenAPI spec generation from [Valibot](https://valibot.dev/).
+- [@orpc/arktype](https://www.npmjs.com/package/@orpc/arktype): OpenAPI spec generation from [ArkType](https://arktype.io/).
+
+## `@orpc/experimental-ratelimit`
+
+Rate Limiting Feature for oRPC
+
+## Sponsors
+
+<p align="center">
+  <a href="https://cdn.jsdelivr.net/gh/unnoq/unnoq/sponsors.svg">
+    <img src='https://cdn.jsdelivr.net/gh/unnoq/unnoq/sponsors.svg'/>
+  </a>
+</p>
+
+## License
+
+Distributed under the MIT License. See [LICENSE](https://github.com/unnoq/orpc/blob/main/LICENSE) for more information.

package/dist/adapters/memory.d.mts

@@ -0,0 +1,34 @@
+import { a as Ratelimiter, R as RatelimiterLimitResult } from '../shared/experimental-ratelimit.C8zlaHwR.mjs';
+
+interface MemoryRatelimiterOptions {
+    /**
+     * Block until the request may pass or timeout is reached.
+     */
+    blockingUntilReady?: {
+        enabled: boolean;
+        timeout: number;
+    };
+    /**
+     * Maximum number of requests allowed within the window.
+     */
+    maxRequests: number;
+    /**
+     * The duration of the sliding window in milliseconds.
+     */
+    window: number;
+}
+declare class MemoryRatelimiter implements Ratelimiter {
+    private readonly maxRequests;
+    private readonly window;
+    private readonly blockingUntilReady;
+    private readonly store;
+    private lastCleanupTime;
+    constructor(options: MemoryRatelimiterOptions);
+    limit(key: string): Promise<Required<RatelimiterLimitResult>>;
+    private cleanup;
+    private checkLimit;
+    private blockUntilReady;
+}
+
+export { MemoryRatelimiter };
+export type { MemoryRatelimiterOptions };

package/dist/adapters/memory.d.ts

@@ -0,0 +1,34 @@
+import { a as Ratelimiter, R as RatelimiterLimitResult } from '../shared/experimental-ratelimit.C8zlaHwR.js';
+
+interface MemoryRatelimiterOptions {
+    /**
+     * Block until the request may pass or timeout is reached.
+     */
+    blockingUntilReady?: {
+        enabled: boolean;
+        timeout: number;
+    };
+    /**
+     * Maximum number of requests allowed within the window.
+     */
+    maxRequests: number;
+    /**
+     * The duration of the sliding window in milliseconds.
+     */
+    window: number;
+}
+declare class MemoryRatelimiter implements Ratelimiter {
+    private readonly maxRequests;
+    private readonly window;
+    private readonly blockingUntilReady;
+    private readonly store;
+    private lastCleanupTime;
+    constructor(options: MemoryRatelimiterOptions);
+    limit(key: string): Promise<Required<RatelimiterLimitResult>>;
+    private cleanup;
+    private checkLimit;
+    private blockUntilReady;
+}
+
+export { MemoryRatelimiter };
+export type { MemoryRatelimiterOptions };

package/dist/adapters/memory.mjs

@@ -0,0 +1,74 @@
+class MemoryRatelimiter {
+  maxRequests;
+  window;
+  blockingUntilReady;
+  store;
+  lastCleanupTime = null;
+  constructor(options) {
+    this.maxRequests = options.maxRequests;
+    this.window = options.window;
+    this.blockingUntilReady = options.blockingUntilReady;
+    this.store = /* @__PURE__ */ new Map();
+  }
+  limit(key) {
+    this.cleanup();
+    if (this.blockingUntilReady?.enabled) {
+      return this.blockUntilReady(key, this.blockingUntilReady.timeout);
+    }
+    return this.checkLimit(key);
+  }
+  cleanup() {
+    const now = Date.now();
+    if (this.lastCleanupTime !== null && this.lastCleanupTime + this.window > now) {
+      return;
+    }
+    this.lastCleanupTime = now;
+    const windowStart = now - this.window;
+    for (const [key, timestamps] of this.store) {
+      const idx = timestamps.findIndex((timestamp) => timestamp >= windowStart);
+      timestamps.splice(0, idx === -1 ? timestamps.length : idx);
+      if (timestamps.length === 0) {
+        this.store.delete(key);
+      }
+    }
+  }
+  async checkLimit(key) {
+    const now = Date.now();
+    const windowStart = now - this.window;
+    let timestamps = this.store.get(key);
+    if (timestamps) {
+      const idx = timestamps.findIndex((timestamp) => timestamp >= windowStart);
+      timestamps.splice(0, idx === -1 ? timestamps.length : idx);
+    } else {
+      this.store.set(key, timestamps = []);
+    }
+    const reset = timestamps[0] !== void 0 ? timestamps[0] + this.window : now + this.window;
+    if (timestamps.length >= this.maxRequests) {
+      return {
+        success: false,
+        limit: this.maxRequests,
+        remaining: 0,
+        reset
+      };
+    }
+    timestamps.push(now);
+    return {
+      success: true,
+      limit: this.maxRequests,
+      remaining: this.maxRequests - timestamps.length,
+      reset
+    };
+  }
+  async blockUntilReady(key, timeoutMs) {
+    const deadlineAtMs = Date.now() + timeoutMs;
+    while (true) {
+      const result = await this.checkLimit(key);
+      if (result.success || result.reset > deadlineAtMs) {
+        return result;
+      }
+      await new Promise((resolve) => setTimeout(resolve, result.reset - Date.now()));
+    }
+  }
+}
+
+export { MemoryRatelimiter };

package/dist/adapters/redis.d.mts

@@ -0,0 +1,40 @@
+import { a as Ratelimiter, R as RatelimiterLimitResult } from '../shared/experimental-ratelimit.C8zlaHwR.mjs';
+
+interface RedisRatelimiterOptions {
+    eval: (script: string, numKeys: number, ...rest: string[]) => Promise<unknown>;
+    /**
+     * Block until the request may pass or timeout is reached.
+     */
+    blockingUntilReady?: {
+        enabled: boolean;
+        timeout: number;
+    };
+    /**
+     * The prefix to use for Redis keys.
+     *
+     * @default orpc:ratelimit:
+     */
+    prefix?: string;
+    /**
+     * Maximum number of requests allowed within the window.
+     */
+    maxRequests: number;
+    /**
+     * The duration of the sliding window in milliseconds.
+     */
+    window: number;
+}
+declare class RedisRatelimiter implements Ratelimiter {
+    private readonly eval;
+    private readonly prefix;
+    private readonly maxRequests;
+    private readonly window;
+    private readonly blockingUntilReady;
+    constructor(options: RedisRatelimiterOptions);
+    limit(key: string): Promise<Required<RatelimiterLimitResult>>;
+    private checkLimit;
+    private blockUntilReady;
+}
+
+export { RedisRatelimiter };
+export type { RedisRatelimiterOptions };

package/dist/adapters/redis.d.ts

@@ -0,0 +1,40 @@
+import { a as Ratelimiter, R as RatelimiterLimitResult } from '../shared/experimental-ratelimit.C8zlaHwR.js';
+
+interface RedisRatelimiterOptions {
+    eval: (script: string, numKeys: number, ...rest: string[]) => Promise<unknown>;
+    /**
+     * Block until the request may pass or timeout is reached.
+     */
+    blockingUntilReady?: {
+        enabled: boolean;
+        timeout: number;
+    };
+    /**
+     * The prefix to use for Redis keys.
+     *
+     * @default orpc:ratelimit:
+     */
+    prefix?: string;
+    /**
+     * Maximum number of requests allowed within the window.
+     */
+    maxRequests: number;
+    /**
+     * The duration of the sliding window in milliseconds.
+     */
+    window: number;
+}
+declare class RedisRatelimiter implements Ratelimiter {
+    private readonly eval;
+    private readonly prefix;
+    private readonly maxRequests;
+    private readonly window;
+    private readonly blockingUntilReady;
+    constructor(options: RedisRatelimiterOptions);
+    limit(key: string): Promise<Required<RatelimiterLimitResult>>;
+    private checkLimit;
+    private blockUntilReady;
+}
+
+export { RedisRatelimiter };
+export type { RedisRatelimiterOptions };

package/dist/adapters/redis.mjs

@@ -0,0 +1,95 @@
+import { fallback } from '@orpc/shared';
+
+const SLIDING_WINDOW_LOG_LUA_SCRIPT = `
+local key = KEYS[1]
+local now_ms = tonumber(ARGV[1])
+local window_ms = tonumber(ARGV[2])
+local limit = tonumber(ARGV[3])
+
+local window_start_ms = now_ms - window_ms
+
+-- Remove old entries outside the current window
+redis.call('ZREMRANGEBYSCORE', key, '-inf', window_start_ms)
+
+-- Count requests in the current window
+local current_count = redis.call('ZCARD', key)
+
+-- Calculate reset time (end of current window)
+local oldest_entry = redis.call('ZRANGE', key, 0, 0, 'WITHSCORES')
+local reset_at
+if #oldest_entry > 0 then
+  reset_at = tonumber(oldest_entry[2]) + window_ms
+else
+  reset_at = now_ms + window_ms
+end
+
+if current_count < limit then
+  -- Add current request
+  redis.call('ZADD', key, now_ms, now_ms .. ':' .. math.random())
+  redis.call('PEXPIRE', key, window_ms)
+
+  return {1, limit, limit - current_count - 1, reset_at}
+else
+  return {0, limit, 0, reset_at}
+end
+`;
+class RedisRatelimiter {
+  eval;
+  prefix;
+  maxRequests;
+  window;
+  blockingUntilReady;
+  constructor(options) {
+    this.eval = options.eval;
+    this.prefix = fallback(options.prefix, "orpc:ratelimit:");
+    this.maxRequests = options.maxRequests;
+    this.window = options.window;
+    this.blockingUntilReady = options.blockingUntilReady;
+  }
+  async limit(key) {
+    const prefixedKey = `${this.prefix}${key}`;
+    if (this.blockingUntilReady?.enabled) {
+      return await this.blockUntilReady(prefixedKey, this.blockingUntilReady.timeout);
+    }
+    return await this.checkLimit(prefixedKey);
+  }
+  async checkLimit(key) {
+    const result = await this.eval(
+      SLIDING_WINDOW_LOG_LUA_SCRIPT,
+      1,
+      key,
+      Date.now().toString(),
+      this.window.toString(),
+      this.maxRequests.toString()
+    );
+    if (!Array.isArray(result) || result.length !== 4) {
+      throw new TypeError("Invalid response from rate limit script");
+    }
+    const numbers = result.map((item) => {
+      const num = Number(item);
+      if (!Number.isInteger(num)) {
+        throw new TypeError("Invalid response from rate limit script");
+      }
+      return num;
+    });
+    const [success, limit, remaining, reset] = numbers;
+    return {
+      success: success === 1,
+      limit,
+      remaining,
+      reset
+    };
+  }
+  async blockUntilReady(key, timeoutMs) {
+    const deadlineAtMs = Date.now() + timeoutMs;
+    while (true) {
+      const result = await this.checkLimit(key);
+      if (result.success || result.reset > deadlineAtMs) {
+        return result;
+      }
+      await new Promise((resolve) => setTimeout(resolve, result.reset - Date.now()));
+    }
+  }
+}
+
+export { RedisRatelimiter };

package/dist/adapters/upstash-ratelimit.d.mts

@@ -0,0 +1,35 @@
+import { Ratelimit } from '@upstash/ratelimit';
+import { a as Ratelimiter, R as RatelimiterLimitResult } from '../shared/experimental-ratelimit.C8zlaHwR.mjs';
+
+interface UpstashRatelimiterOptions {
+    /**
+     * Block until the request may pass or timeout is reached.
+     */
+    blockingUntilReady?: {
+        enabled: boolean;
+        timeout: number;
+    };
+    /**
+     * For the MultiRegion setup we do some synchronizing in the background, after returning the current limit.
+     * Or when analytics is enabled, we send the analytics asynchronously after returning the limit.
+     * In most case you can simply ignore this.
+     *
+     * On Vercel Edge or Cloudflare workers, you might need `.bind` before assign:
+     * ```ts
+     * const ratelimiter = new UpstashRatelimiter(ratelimit, {
+     *   waitUntil: ctx.waitUntil.bind(ctx),
+     * })
+     * ```
+     */
+    waitUntil?: (promise: Promise<any>) => any;
+}
+declare class UpstashRatelimiter implements Ratelimiter {
+    private readonly ratelimit;
+    private blockingUntilReady;
+    private waitUntil;
+    constructor(ratelimit: Ratelimit, options?: UpstashRatelimiterOptions);
+    limit(key: string): Promise<Required<RatelimiterLimitResult>>;
+}
+
+export { UpstashRatelimiter };
+export type { UpstashRatelimiterOptions };

package/dist/adapters/upstash-ratelimit.d.ts

@@ -0,0 +1,35 @@
+import { Ratelimit } from '@upstash/ratelimit';
+import { a as Ratelimiter, R as RatelimiterLimitResult } from '../shared/experimental-ratelimit.C8zlaHwR.js';
+
+interface UpstashRatelimiterOptions {
+    /**
+     * Block until the request may pass or timeout is reached.
+     */
+    blockingUntilReady?: {
+        enabled: boolean;
+        timeout: number;
+    };
+    /**
+     * For the MultiRegion setup we do some synchronizing in the background, after returning the current limit.
+     * Or when analytics is enabled, we send the analytics asynchronously after returning the limit.
+     * In most case you can simply ignore this.
+     *
+     * On Vercel Edge or Cloudflare workers, you might need `.bind` before assign:
+     * ```ts
+     * const ratelimiter = new UpstashRatelimiter(ratelimit, {
+     *   waitUntil: ctx.waitUntil.bind(ctx),
+     * })
+     * ```
+     */
+    waitUntil?: (promise: Promise<any>) => any;
+}
+declare class UpstashRatelimiter implements Ratelimiter {
+    private readonly ratelimit;
+    private blockingUntilReady;
+    private waitUntil;
+    constructor(ratelimit: Ratelimit, options?: UpstashRatelimiterOptions);
+    limit(key: string): Promise<Required<RatelimiterLimitResult>>;
+}
+
+export { UpstashRatelimiter };
+export type { UpstashRatelimiterOptions };

package/dist/adapters/upstash-ratelimit.mjs

@@ -0,0 +1,16 @@
+class UpstashRatelimiter {
+  constructor(ratelimit, options = {}) {
+    this.ratelimit = ratelimit;
+    this.blockingUntilReady = options.blockingUntilReady;
+    this.waitUntil = options.waitUntil;
+  }
+  blockingUntilReady;
+  waitUntil;
+  async limit(key) {
+    const result = this.blockingUntilReady?.enabled ? await this.ratelimit.blockUntilReady(key, this.blockingUntilReady.timeout) : await this.ratelimit.limit(key);
+    this.waitUntil?.(result.pending);
+    return result;
+  }
+}
+
+export { UpstashRatelimiter };

package/dist/index.d.mts

@@ -0,0 +1,65 @@
+import { Context, Meta, MiddlewareOptions, Middleware } from '@orpc/server';
+import { StandardHandlerPlugin, StandardHandlerOptions } from '@orpc/server/standard';
+import { R as RatelimiterLimitResult, a as Ratelimiter } from './shared/experimental-ratelimit.C8zlaHwR.mjs';
+import { Value, Promisable } from '@orpc/shared';
+
+declare const RATELIMIT_HANDLER_CONTEXT_SYMBOL: unique symbol;
+interface RatelimitHandlerPluginContext {
+    [RATELIMIT_HANDLER_CONTEXT_SYMBOL]?: {
+        /**
+         * The result of the ratelimiter after applying limits
+         */
+        ratelimitResult?: RatelimiterLimitResult;
+    };
+}
+/**
+ * Automatically adds HTTP rate-limiting headers (RateLimit-* and Retry-After) to responses
+ * when used with middleware created by createRatelimitMiddleware.
+ *
+ * @see {@link https://orpc.unnoq.com/docs/helpers/ratelimit#handler-plugin Ratelimit handler plugin}
+ */
+declare class RatelimitHandlerPlugin<T extends Context> implements StandardHandlerPlugin<T> {
+    init(options: StandardHandlerOptions<T>): void;
+}
+
+declare const RATELIMIT_MIDDLEWARE_CONTEXT_SYMBOL: unique symbol;
+interface RatelimiterMiddlewareContext {
+    [RATELIMIT_MIDDLEWARE_CONTEXT_SYMBOL]?: {
+        /**
+         * The applied limits in this request, mainly for deduplication purposes
+         */
+        limits: {
+            limiter: Ratelimiter;
+            key: string;
+        }[];
+    };
+}
+interface CreateRatelimitMiddlewareOptions<TInContext extends Context, TInput, TMeta extends Meta> {
+    /**
+     * The rule set to use for rate limiting
+     */
+    limiter: Value<Promisable<Ratelimiter>, [middlewareOptions: MiddlewareOptions<TInContext, unknown, Record<never, never>, TMeta>, input: TInput]>;
+    /**
+     * The key to identify the user/requester
+     */
+    key: Value<Promisable<string>, [middlewareOptions: MiddlewareOptions<TInContext, unknown, Record<never, never>, TMeta>, input: TInput]>;
+    /**
+     * If your ratelimit middleware is used multiple times
+     * or you invoke a procedure inside another procedure (shared the same context) that also has
+     * ratelimit middleware **with the same limiter and key**, this option
+     * will ensure that the limit is only applied once per request.
+     *
+     * @default true
+     */
+    dedupe?: boolean;
+}
+/**
+ * Creates a middleware that enforces rate limits in oRPC procedures.
+ * Supports per-request deduplication and integrates with the ratelimit handler plugin.
+ *
+ * @see {@link https://orpc.unnoq.com/docs/helpers/ratelimit#createratelimitmiddleware Ratelimit middleware}
+ */
+declare function createRatelimitMiddleware<TInContext extends Context, TInput = unknown, TMeta extends Meta = Record<never, never>>({ dedupe, ...options }: CreateRatelimitMiddlewareOptions<TInContext, TInput, TMeta>): Middleware<TInContext, Record<never, never>, TInput, any, any, TMeta>;
+
+export { RATELIMIT_HANDLER_CONTEXT_SYMBOL, RATELIMIT_MIDDLEWARE_CONTEXT_SYMBOL, RatelimitHandlerPlugin, Ratelimiter, RatelimiterLimitResult, createRatelimitMiddleware };
+export type { CreateRatelimitMiddlewareOptions, RatelimitHandlerPluginContext, RatelimiterMiddlewareContext };

package/dist/index.d.ts

@@ -0,0 +1,65 @@
+import { Context, Meta, MiddlewareOptions, Middleware } from '@orpc/server';
+import { StandardHandlerPlugin, StandardHandlerOptions } from '@orpc/server/standard';
+import { R as RatelimiterLimitResult, a as Ratelimiter } from './shared/experimental-ratelimit.C8zlaHwR.js';
+import { Value, Promisable } from '@orpc/shared';
+
+declare const RATELIMIT_HANDLER_CONTEXT_SYMBOL: unique symbol;
+interface RatelimitHandlerPluginContext {
+    [RATELIMIT_HANDLER_CONTEXT_SYMBOL]?: {
+        /**
+         * The result of the ratelimiter after applying limits
+         */
+        ratelimitResult?: RatelimiterLimitResult;
+    };
+}
+/**
+ * Automatically adds HTTP rate-limiting headers (RateLimit-* and Retry-After) to responses
+ * when used with middleware created by createRatelimitMiddleware.
+ *
+ * @see {@link https://orpc.unnoq.com/docs/helpers/ratelimit#handler-plugin Ratelimit handler plugin}
+ */
+declare class RatelimitHandlerPlugin<T extends Context> implements StandardHandlerPlugin<T> {
+    init(options: StandardHandlerOptions<T>): void;
+}
+
+declare const RATELIMIT_MIDDLEWARE_CONTEXT_SYMBOL: unique symbol;
+interface RatelimiterMiddlewareContext {
+    [RATELIMIT_MIDDLEWARE_CONTEXT_SYMBOL]?: {
+        /**
+         * The applied limits in this request, mainly for deduplication purposes
+         */
+        limits: {
+            limiter: Ratelimiter;
+            key: string;
+        }[];
+    };
+}
+interface CreateRatelimitMiddlewareOptions<TInContext extends Context, TInput, TMeta extends Meta> {
+    /**
+     * The rule set to use for rate limiting
+     */
+    limiter: Value<Promisable<Ratelimiter>, [middlewareOptions: MiddlewareOptions<TInContext, unknown, Record<never, never>, TMeta>, input: TInput]>;
+    /**
+     * The key to identify the user/requester
+     */
+    key: Value<Promisable<string>, [middlewareOptions: MiddlewareOptions<TInContext, unknown, Record<never, never>, TMeta>, input: TInput]>;
+    /**
+     * If your ratelimit middleware is used multiple times
+     * or you invoke a procedure inside another procedure (shared the same context) that also has
+     * ratelimit middleware **with the same limiter and key**, this option
+     * will ensure that the limit is only applied once per request.
+     *
+     * @default true
+     */
+    dedupe?: boolean;
+}
+/**
+ * Creates a middleware that enforces rate limits in oRPC procedures.
+ * Supports per-request deduplication and integrates with the ratelimit handler plugin.
+ *
+ * @see {@link https://orpc.unnoq.com/docs/helpers/ratelimit#createratelimitmiddleware Ratelimit middleware}
+ */
+declare function createRatelimitMiddleware<TInContext extends Context, TInput = unknown, TMeta extends Meta = Record<never, never>>({ dedupe, ...options }: CreateRatelimitMiddlewareOptions<TInContext, TInput, TMeta>): Middleware<TInContext, Record<never, never>, TInput, any, any, TMeta>;
+
+export { RATELIMIT_HANDLER_CONTEXT_SYMBOL, RATELIMIT_MIDDLEWARE_CONTEXT_SYMBOL, RatelimitHandlerPlugin, Ratelimiter, RatelimiterLimitResult, createRatelimitMiddleware };
+export type { CreateRatelimitMiddlewareOptions, RatelimitHandlerPluginContext, RatelimiterMiddlewareContext };

package/dist/index.mjs

@@ -0,0 +1,76 @@
+import { ORPCError } from '@orpc/server';
+import { value, toArray } from '@orpc/shared';
+
+const RATELIMIT_HANDLER_CONTEXT_SYMBOL = Symbol("ORPC_RATE_LIMIT_HANDLER_CONTEXT");
+class RatelimitHandlerPlugin {
+  init(options) {
+    options.rootInterceptors ??= [];
+    options.rootInterceptors.unshift(async (interceptorOptions) => {
+      const handlerContext = {};
+      const result = await interceptorOptions.next({
+        ...interceptorOptions,
+        context: {
+          ...interceptorOptions.context,
+          [RATELIMIT_HANDLER_CONTEXT_SYMBOL]: handlerContext
+        }
+      });
+      if (result.matched && handlerContext.ratelimitResult) {
+        return {
+          ...result,
+          response: {
+            ...result.response,
+            headers: {
+              ...result.response.headers,
+              "ratelimit-limit": handlerContext.ratelimitResult.limit?.toString(),
+              "ratelimit-remaining": handlerContext.ratelimitResult.remaining?.toString(),
+              "ratelimit-reset": handlerContext.ratelimitResult.reset?.toString(),
+              "retry-after": !handlerContext.ratelimitResult.success && result.response.status === 429 && handlerContext.ratelimitResult.reset !== void 0 ? Math.max(0, Math.ceil((handlerContext.ratelimitResult.reset - Date.now()) / 1e3)).toString() : void 0
+            }
+          }
+        };
+      }
+      return result;
+    });
+  }
+}
+
+const RATELIMIT_MIDDLEWARE_CONTEXT_SYMBOL = Symbol("ORPC_RATE_LIMIT_MIDDLEWARE_CONTEXT");
+function createRatelimitMiddleware({ dedupe = true, ...options }) {
+  return async function ratelimit(middlewareOptions, input) {
+    const [limiter, key] = await Promise.all([
+      value(options.limiter, middlewareOptions, input),
+      value(options.key, middlewareOptions, input)
+    ]);
+    const middlewareContext = middlewareOptions.context[RATELIMIT_MIDDLEWARE_CONTEXT_SYMBOL];
+    if (dedupe && middlewareContext?.limits.some((l) => l.key === key && l.limiter === limiter)) {
+      return middlewareOptions.next();
+    }
+    const result = await limiter.limit(key);
+    const pluginContext = middlewareOptions.context[RATELIMIT_HANDLER_CONTEXT_SYMBOL];
+    if (pluginContext) {
+      pluginContext.ratelimitResult = result;
+    }
+    if (!result.success) {
+      throw new ORPCError("TOO_MANY_REQUESTS", {
+        data: {
+          limit: result.limit,
+          remaining: result.remaining,
+          reset: result.reset
+        }
+      });
+    }
+    return middlewareOptions.next({
+      context: {
+        [RATELIMIT_MIDDLEWARE_CONTEXT_SYMBOL]: {
+          ...middlewareContext,
+          limits: [
+            ...toArray(middlewareContext?.limits),
+            { limiter, key }
+          ]
+        }
+      }
+    });
+  };
+}
+
+export { RATELIMIT_HANDLER_CONTEXT_SYMBOL, RATELIMIT_MIDDLEWARE_CONTEXT_SYMBOL, RatelimitHandlerPlugin, createRatelimitMiddleware };

package/dist/shared/experimental-ratelimit.C8zlaHwR.d.mts

@@ -0,0 +1,23 @@
+interface RatelimiterLimitResult {
+    /**
+     * Whether the request may pass(true) or exceeded the limit(false)
+     */
+    success: boolean;
+    /**
+     * Maximum number of requests allowed within a window.
+     */
+    limit?: number;
+    /**
+     * How many requests the user has left within the current window.
+     */
+    remaining?: number;
+    /**
+     * Unix timestamp in milliseconds when the limits are reset.
+     */
+    reset?: number;
+}
+interface Ratelimiter {
+    limit(key: string): Promise<RatelimiterLimitResult>;
+}
+
+export type { RatelimiterLimitResult as R, Ratelimiter as a };

package/dist/shared/experimental-ratelimit.C8zlaHwR.d.ts

@@ -0,0 +1,23 @@
+interface RatelimiterLimitResult {
+    /**
+     * Whether the request may pass(true) or exceeded the limit(false)
+     */
+    success: boolean;
+    /**
+     * Maximum number of requests allowed within a window.
+     */
+    limit?: number;
+    /**
+     * How many requests the user has left within the current window.
+     */
+    remaining?: number;
+    /**
+     * Unix timestamp in milliseconds when the limits are reset.
+     */
+    reset?: number;
+}
+interface Ratelimiter {
+    limit(key: string): Promise<RatelimiterLimitResult>;
+}
+
+export type { RatelimiterLimitResult as R, Ratelimiter as a };

package/package.json

@@ -0,0 +1,65 @@
+{
+  "name": "@orpc/experimental-ratelimit",
+  "type": "module",
+  "version": "0.0.0-next.3312214",
+  "license": "MIT",
+  "homepage": "https://orpc.unnoq.com",
+  "repository": {
+    "type": "git",
+    "url": "git+https://github.com/unnoq/orpc.git",
+    "directory": "packages/ratelimit"
+  },
+  "keywords": [
+    "orpc",
+    "ratelimit"
+  ],
+  "exports": {
+    ".": {
+      "types": "./dist/index.d.mts",
+      "import": "./dist/index.mjs",
+      "default": "./dist/index.mjs"
+    },
+    "./memory": {
+      "types": "./dist/adapters/memory.d.mts",
+      "import": "./dist/adapters/memory.mjs",
+      "default": "./dist/adapters/memory.mjs"
+    },
+    "./redis": {
+      "types": "./dist/adapters/redis.d.mts",
+      "import": "./dist/adapters/redis.mjs",
+      "default": "./dist/adapters/redis.mjs"
+    },
+    "./upstash-ratelimit": {
+      "types": "./dist/adapters/upstash-ratelimit.d.mts",
+      "import": "./dist/adapters/upstash-ratelimit.mjs",
+      "default": "./dist/adapters/upstash-ratelimit.mjs"
+    }
+  },
+  "files": [
+    "dist"
+  ],
+  "peerDependencies": {
+    "@upstash/ratelimit": ">=2.0.7"
+  },
+  "peerDependenciesMeta": {
+    "@upstash/ratelimit": {
+      "optional": true
+    }
+  },
+  "dependencies": {
+    "@orpc/client": "0.0.0-next.3312214",
+    "@orpc/standard-server": "0.0.0-next.3312214",
+    "@orpc/shared": "0.0.0-next.3312214",
+    "@orpc/server": "0.0.0-next.3312214"
+  },
+  "devDependencies": {
+    "@upstash/ratelimit": "^2.0.7",
+    "@upstash/redis": "^1.35.6",
+    "ioredis": "^5.8.2"
+  },
+  "scripts": {
+    "build": "unbuild",
+    "build:watch": "pnpm run build --watch",
+    "type:check": "tsc -b"
+  }
+}