@qwickapps/server 1.3.1 → 1.5.0

package/dist/plugins/rate-limit/stores/postgres-store.js

@@ -0,0 +1,320 @@
+/**
+ * PostgreSQL Rate Limit Store
+ *
+ * Rate limit storage implementation using PostgreSQL with Row-Level Security (RLS).
+ * Follows the same pattern as the preferences plugin's postgres-store.
+ *
+ * RLS Context Pattern:
+ * Each operation uses an explicit transaction and sets `app.current_user_id`
+ * as a transaction-local configuration variable. The RLS policy checks this
+ * variable to enforce that users can only access their own rate limits.
+ *
+ * Copyright (c) 2025 QwickApps.com. All rights reserved.
+ */
+/**
+ * Execute a function within an RLS-protected transaction
+ *
+ * This helper ensures that:
+ * 1. All queries run within the same transaction
+ * 2. The RLS context is set before any data access
+ * 3. The transaction is properly committed or rolled back
+ *
+ * @param pool PostgreSQL pool
+ * @param userId User ID to set as the RLS context (optional for IP-only limits)
+ * @param callback Function to execute within the transaction
+ */
+async function withRLSContext(pool, userId, callback) {
+    const client = await pool.connect();
+    try {
+        await client.query('BEGIN');
+        // Set transaction-local user context for RLS
+        // If no userId, set to empty string (allows IP-only limits via RLS policy)
+        await client.query("SELECT set_config('app.current_user_id', $1, true)", [userId || '']);
+        const result = await callback(client);
+        await client.query('COMMIT');
+        return result;
+    }
+    catch (error) {
+        await client.query('ROLLBACK');
+        throw error;
+    }
+    finally {
+        client.release();
+    }
+}
+/**
+ * Create a PostgreSQL rate limit store with RLS
+ *
+ * @param config Configuration including a pg Pool instance
+ * @returns RateLimitStore implementation
+ *
+ * @example
+ * ```ts
+ * import { Pool } from 'pg';
+ * import { postgresRateLimitStore } from '@qwickapps/server';
+ *
+ * const pool = new Pool({ connectionString: process.env.DATABASE_URL });
+ * const store = postgresRateLimitStore({ pool });
+ *
+ * // Or with lazy initialization:
+ * const store = postgresRateLimitStore({ pool: () => getPostgres().getPool() });
+ * ```
+ */
+export function postgresRateLimitStore(config) {
+    const { pool: poolOrFn, tableName = 'rate_limits', schema = 'public', autoCreateTables = true, enableRLS = true, } = config;
+    // Helper to get pool (supports lazy initialization via function)
+    const getPool = () => {
+        const pool = typeof poolOrFn === 'function' ? poolOrFn() : poolOrFn;
+        if (!pool || typeof pool.query !== 'function') {
+            throw new Error('Invalid pool: must have query method');
+        }
+        return pool;
+    };
+    const tableFullName = `"${schema}"."${tableName}"`;
+    return {
+        name: 'postgres',
+        async initialize() {
+            if (!autoCreateTables)
+                return;
+            const pool = getPool();
+            // Create table
+            await pool.query(`
+        CREATE TABLE IF NOT EXISTS ${tableFullName} (
+          id UUID PRIMARY KEY DEFAULT gen_random_uuid(),
+
+          -- Scope identifiers (nullable, use what applies)
+          user_id UUID,
+          tenant_id UUID,
+          ip_address INET,
+
+          -- Limit key (composite identifier)
+          limit_key VARCHAR(500) NOT NULL,
+
+          -- Strategy and configuration
+          strategy VARCHAR(50) NOT NULL DEFAULT 'sliding-window',
+          max_requests INTEGER NOT NULL,
+          window_ms INTEGER NOT NULL,
+
+          -- Current state
+          current_count INTEGER DEFAULT 0,
+          window_start TIMESTAMPTZ NOT NULL,
+          window_end TIMESTAMPTZ NOT NULL,
+
+          -- Token bucket specific (nullable)
+          tokens_remaining NUMERIC,
+          last_refill TIMESTAMPTZ,
+
+          -- Metadata
+          metadata JSONB,
+          created_at TIMESTAMPTZ DEFAULT NOW(),
+          updated_at TIMESTAMPTZ DEFAULT NOW()
+        );
+      `);
+            // Create indexes
+            await pool.query(`
+        CREATE INDEX IF NOT EXISTS idx_${tableName}_key ON ${tableFullName}(limit_key);
+        CREATE INDEX IF NOT EXISTS idx_${tableName}_key_window ON ${tableFullName}(limit_key, window_start);
+        CREATE INDEX IF NOT EXISTS idx_${tableName}_user ON ${tableFullName}(user_id) WHERE user_id IS NOT NULL;
+        CREATE INDEX IF NOT EXISTS idx_${tableName}_tenant ON ${tableFullName}(tenant_id) WHERE tenant_id IS NOT NULL;
+        CREATE INDEX IF NOT EXISTS idx_${tableName}_cleanup ON ${tableFullName}(window_end);
+      `);
+            // Enable RLS if configured
+            if (enableRLS) {
+                await pool.query(`
+          ALTER TABLE ${tableFullName} ENABLE ROW LEVEL SECURITY;
+          ALTER TABLE ${tableFullName} FORCE ROW LEVEL SECURITY;
+        `);
+                // Create or replace the RLS policy
+                // Drop existing policy first to avoid errors on re-initialization
+                await pool.query(`
+          DROP POLICY IF EXISTS "${tableName}_access" ON ${tableFullName};
+        `);
+                // RLS policy: Users can access their own limits OR IP-only limits (no user)
+                await pool.query(`
+          CREATE POLICY "${tableName}_access" ON ${tableFullName}
+            FOR ALL
+            USING (
+              user_id::text = current_setting('app.current_user_id', true)
+              OR (user_id IS NULL AND current_setting('app.current_user_id', true) = '')
+            )
+            WITH CHECK (
+              user_id::text = current_setting('app.current_user_id', true)
+              OR (user_id IS NULL AND current_setting('app.current_user_id', true) = '')
+            );
+        `);
+            }
+        },
+        async get(key, userId) {
+            return withRLSContext(getPool(), userId, async (client) => {
+                const result = await client.query(`SELECT * FROM ${tableFullName}
+           WHERE limit_key = $1
+           AND window_end > NOW()
+           ORDER BY window_start DESC
+           LIMIT 1`, [key]);
+                if (result.rows.length === 0) {
+                    return null;
+                }
+                const row = result.rows[0];
+                return {
+                    id: row.id,
+                    key: row.limit_key,
+                    count: row.current_count,
+                    maxRequests: row.max_requests,
+                    windowMs: row.window_ms,
+                    windowStart: new Date(row.window_start),
+                    windowEnd: new Date(row.window_end),
+                    strategy: row.strategy,
+                    userId: row.user_id,
+                    tenantId: row.tenant_id,
+                    ipAddress: row.ip_address,
+                    tokensRemaining: row.tokens_remaining,
+                    lastRefill: row.last_refill ? new Date(row.last_refill) : undefined,
+                    createdAt: new Date(row.created_at),
+                    updatedAt: new Date(row.updated_at),
+                };
+            });
+        },
+        async increment(key, options) {
+            const { maxRequests, windowMs, strategy, userId, tenantId, ipAddress, amount = 1 } = options;
+            return withRLSContext(getPool(), userId, async (client) => {
+                const now = new Date();
+                const windowStart = new Date(now.getTime() - (now.getTime() % windowMs));
+                const windowEnd = new Date(windowStart.getTime() + windowMs);
+                // For token bucket, handle differently
+                if (strategy === 'token-bucket') {
+                    // Get existing record or create new one
+                    const existing = await client.query(`SELECT * FROM ${tableFullName}
+             WHERE limit_key = $1
+             ORDER BY created_at DESC
+             LIMIT 1`, [key]);
+                    if (existing.rows.length > 0) {
+                        const row = existing.rows[0];
+                        const lastRefill = row.last_refill ? new Date(row.last_refill).getTime() : now.getTime();
+                        const tokensRemaining = row.tokens_remaining ?? maxRequests;
+                        // Calculate refill
+                        const elapsed = now.getTime() - lastRefill;
+                        const refillRate = maxRequests / windowMs;
+                        const newTokens = Math.min(maxRequests, tokensRemaining + elapsed * refillRate - 1);
+                        await client.query(`UPDATE ${tableFullName}
+               SET tokens_remaining = $1,
+                   last_refill = $2,
+                   current_count = $3,
+                   updated_at = NOW()
+               WHERE id = $4`, [newTokens, now, Math.floor(maxRequests - newTokens), row.id]);
+                        return {
+                            id: row.id,
+                            key,
+                            count: Math.floor(maxRequests - newTokens),
+                            maxRequests,
+                            windowMs,
+                            windowStart: new Date(row.window_start),
+                            windowEnd: new Date(row.window_end),
+                            strategy,
+                            userId,
+                            tenantId,
+                            ipAddress,
+                            tokensRemaining: newTokens,
+                            lastRefill: now,
+                            createdAt: new Date(row.created_at),
+                            updatedAt: now,
+                        };
+                    }
+                    // Create new record with full bucket minus 1
+                    const newTokens = maxRequests - 1;
+                    const insertResult = await client.query(`INSERT INTO ${tableFullName}
+             (limit_key, strategy, max_requests, window_ms, current_count,
+              window_start, window_end, user_id, tenant_id, ip_address,
+              tokens_remaining, last_refill)
+             VALUES ($1, $2, $3, $4, $5, $6, $7, $8, $9, $10, $11, $12)
+             RETURNING *`, [key, strategy, maxRequests, windowMs, 1, windowStart, windowEnd,
+                        userId || null, tenantId || null, ipAddress || null, newTokens, now]);
+                    const row = insertResult.rows[0];
+                    return {
+                        id: row.id,
+                        key,
+                        count: 1,
+                        maxRequests,
+                        windowMs,
+                        windowStart,
+                        windowEnd,
+                        strategy,
+                        userId,
+                        tenantId,
+                        ipAddress,
+                        tokensRemaining: newTokens,
+                        lastRefill: now,
+                        createdAt: now,
+                        updatedAt: now,
+                    };
+                }
+                // For sliding-window and fixed-window, use UPDATE-then-INSERT pattern
+                // This avoids needing a unique constraint on (limit_key, window_start)
+                // First try to update existing record in current window
+                const updateResult = await client.query(`UPDATE ${tableFullName}
+           SET current_count = current_count + $1,
+               updated_at = NOW()
+           WHERE limit_key = $2
+             AND window_start = $3
+           RETURNING *`, [amount, key, windowStart]);
+                if (updateResult.rows.length > 0) {
+                    const row = updateResult.rows[0];
+                    return {
+                        id: row.id,
+                        key,
+                        count: row.current_count,
+                        maxRequests,
+                        windowMs,
+                        windowStart,
+                        windowEnd,
+                        strategy,
+                        userId,
+                        tenantId,
+                        ipAddress,
+                        createdAt: new Date(row.created_at),
+                        updatedAt: now,
+                    };
+                }
+                // No existing record - insert new
+                const insertResult = await client.query(`INSERT INTO ${tableFullName}
+           (limit_key, strategy, max_requests, window_ms, current_count,
+            window_start, window_end, user_id, tenant_id, ip_address)
+           VALUES ($1, $2, $3, $4, $5, $6, $7, $8, $9, $10)
+           RETURNING *`, [key, strategy, maxRequests, windowMs, amount, windowStart, windowEnd,
+                    userId || null, tenantId || null, ipAddress || null]);
+                const row = insertResult.rows[0];
+                return {
+                    id: row.id,
+                    key,
+                    count: amount,
+                    maxRequests,
+                    windowMs,
+                    windowStart,
+                    windowEnd,
+                    strategy,
+                    userId,
+                    tenantId,
+                    ipAddress,
+                    createdAt: now,
+                    updatedAt: now,
+                };
+            });
+        },
+        async clear(key, userId) {
+            return withRLSContext(getPool(), userId, async (client) => {
+                const result = await client.query(`DELETE FROM ${tableFullName} WHERE limit_key = $1`, [key]);
+                return (result.rowCount ?? 0) > 0;
+            });
+        },
+        async cleanup() {
+            const pool = getPool();
+            // Cleanup runs without RLS context as it's a system operation
+            // We use a direct query without user context
+            const result = await pool.query(`DELETE FROM ${tableFullName} WHERE window_end < NOW()`);
+            return result.rowCount ?? 0;
+        },
+        async shutdown() {
+            // Pool is managed externally, nothing to do here
+        },
+    };
+}
+//# sourceMappingURL=postgres-store.js.map

package/dist/plugins/rate-limit/stores/postgres-store.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"postgres-store.js","sourceRoot":"","sources":["../../../../src/plugins/rate-limit/stores/postgres-store.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;GAYG;AAoBH;;;;;;;;;;;GAWG;AACH,KAAK,UAAU,cAAc,CAC3B,IAAY,EACZ,MAA0B,EAC1B,QAA8C;IAE9C,MAAM,MAAM,GAAG,MAAM,IAAI,CAAC,OAAO,EAAE,CAAC;IACpC,IAAI,CAAC;QACH,MAAM,MAAM,CAAC,KAAK,CAAC,OAAO,CAAC,CAAC;QAC5B,6CAA6C;QAC7C,2EAA2E;QAC3E,MAAM,MAAM,CAAC,KAAK,CAChB,oDAAoD,EACpD,CAAC,MAAM,IAAI,EAAE,CAAC,CACf,CAAC;QACF,MAAM,MAAM,GAAG,MAAM,QAAQ,CAAC,MAAM,CAAC,CAAC;QACtC,MAAM,MAAM,CAAC,KAAK,CAAC,QAAQ,CAAC,CAAC;QAC7B,OAAO,MAAM,CAAC;IAChB,CAAC;IAAC,OAAO,KAAK,EAAE,CAAC;QACf,MAAM,MAAM,CAAC,KAAK,CAAC,UAAU,CAAC,CAAC;QAC/B,MAAM,KAAK,CAAC;IACd,CAAC;YAAS,CAAC;QACT,MAAM,CAAC,OAAO,EAAE,CAAC;IACnB,CAAC;AACH,CAAC;AAED;;;;;;;;;;;;;;;;;GAiBG;AACH,MAAM,UAAU,sBAAsB,CAAC,MAAoC;IACzE,MAAM,EACJ,IAAI,EAAE,QAAQ,EACd,SAAS,GAAG,aAAa,EACzB,MAAM,GAAG,QAAQ,EACjB,gBAAgB,GAAG,IAAI,EACvB,SAAS,GAAG,IAAI,GACjB,GAAG,MAAM,CAAC;IAEX,iEAAiE;IACjE,MAAM,OAAO,GAAG,GAAW,EAAE;QAC3B,MAAM,IAAI,GAAG,OAAO,QAAQ,KAAK,UAAU,CAAC,CAAC,CAAC,QAAQ,EAAE,CAAC,CAAC,CAAC,QAAQ,CAAC;QACpE,IAAI,CAAC,IAAI,IAAI,OAAQ,IAAe,CAAC,KAAK,KAAK,UAAU,EAAE,CAAC;YAC1D,MAAM,IAAI,KAAK,CAAC,sCAAsC,CAAC,CAAC;QAC1D,CAAC;QACD,OAAO,IAAc,CAAC;IACxB,CAAC,CAAC;IAEF,MAAM,aAAa,GAAG,IAAI,MAAM,MAAM,SAAS,GAAG,CAAC;IAEnD,OAAO;QACL,IAAI,EAAE,UAAU;QAEhB,KAAK,CAAC,UAAU;YACd,IAAI,CAAC,gBAAgB;gBAAE,OAAO;YAE9B,MAAM,IAAI,GAAG,OAAO,EAAE,CAAC;YAEvB,eAAe;YACf,MAAM,IAAI,CAAC,KAAK,CAAC;qCACc,aAAa;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;OA8B3C,CAAC,CAAC;YAEH,iBAAiB;YACjB,MAAM,IAAI,CAAC,KAAK,CAAC;yCACkB,SAAS,WAAW,aAAa;yCACjC,SAAS,kBAAkB,aAAa;yCACxC,SAAS,YAAY,aAAa;yCAClC,SAAS,cAAc,aAAa;yCACpC,SAAS,eAAe,aAAa;OACvE,CAAC,CAAC;YAEH,2BAA2B;YAC3B,IAAI,SAAS,EAAE,CAAC;gBACd,MAAM,IAAI,CAAC,KAAK,CAAC;wBACD,aAAa;wBACb,aAAa;SAC5B,CAAC,CAAC;gBAEH,mCAAmC;gBACnC,kEAAkE;gBAClE,MAAM,IAAI,CAAC,KAAK,CAAC;mCACU,SAAS,eAAe,aAAa;SAC/D,CAAC,CAAC;gBAEH,4EAA4E;gBAC5E,MAAM,IAAI,CAAC,KAAK,CAAC;2BACE,SAAS,eAAe,aAAa;;;;;;;;;;SAUvD,CAAC,CAAC;YACL,CAAC;QACH,CAAC;QAED,KAAK,CAAC,GAAG,CAAC,GAAW,EAAE,MAAe;YACpC,OAAO,cAAc,CAAC,OAAO,EAAE,EAAE,MAAM,EAAE,KAAK,EAAE,MAAM,EAAE,EAAE;gBACxD,MAAM,MAAM,GAAG,MAAM,MAAM,CAAC,KAAK,CAC/B,iBAAiB,aAAa;;;;mBAIrB,EACT,CAAC,GAAG,CAAC,CACN,CAAC;gBAEF,IAAI,MAAM,CAAC,IAAI,CAAC,MAAM,KAAK,CAAC,EAAE,CAAC;oBAC7B,OAAO,IAAI,CAAC;gBACd,CAAC;gBAED,MAAM,GAAG,GAAG,MAAM,CAAC,IAAI,CAAC,CAAC,CAA4B,CAAC;gBACtD,OAAO;oBACL,EAAE,EAAE,GAAG,CAAC,EAAY;oBACpB,GAAG,EAAE,GAAG,CAAC,SAAmB;oBAC5B,KAAK,EAAE,GAAG,CAAC,aAAuB;oBAClC,WAAW,EAAE,GAAG,CAAC,YAAsB;oBACvC,QAAQ,EAAE,GAAG,CAAC,SAAmB;oBACjC,WAAW,EAAE,IAAI,IAAI,CAAC,GAAG,CAAC,YAAsB,CAAC;oBACjD,SAAS,EAAE,IAAI,IAAI,CAAC,GAAG,CAAC,UAAoB,CAAC;oBAC7C,QAAQ,EAAE,GAAG,CAAC,QAAmC;oBACjD,MAAM,EAAE,GAAG,CAAC,OAA6B;oBACzC,QAAQ,EAAE,GAAG,CAAC,SAA+B;oBAC7C,SAAS,EAAE,GAAG,CAAC,UAAgC;oBAC/C,eAAe,EAAE,GAAG,CAAC,gBAAsC;oBAC3D,UAAU,EAAE,GAAG,CAAC,WAAW,CAAC,CAAC,CAAC,IAAI,IAAI,CAAC,GAAG,CAAC,WAAqB,CAAC,CAAC,CAAC,CAAC,SAAS;oBAC7E,SAAS,EAAE,IAAI,IAAI,CAAC,GAAG,CAAC,UAAoB,CAAC;oBAC7C,SAAS,EAAE,IAAI,IAAI,CAAC,GAAG,CAAC,UAAoB,CAAC;iBAC9C,CAAC;YACJ,CAAC,CAAC,CAAC;QACL,CAAC;QAED,KAAK,CAAC,SAAS,CAAC,GAAW,EAAE,OAAyB;YACpD,MAAM,EAAE,WAAW,EAAE,QAAQ,EAAE,QAAQ,EAAE,MAAM,EAAE,QAAQ,EAAE,SAAS,EAAE,MAAM,GAAG,CAAC,EAAE,GAAG,OAAO,CAAC;YAE7F,OAAO,cAAc,CAAC,OAAO,EAAE,EAAE,MAAM,EAAE,KAAK,EAAE,MAAM,EAAE,EAAE;gBACxD,MAAM,GAAG,GAAG,IAAI,IAAI,EAAE,CAAC;gBACvB,MAAM,WAAW,GAAG,IAAI,IAAI,CAAC,GAAG,CAAC,OAAO,EAAE,GAAG,CAAC,GAAG,CAAC,OAAO,EAAE,GAAG,QAAQ,CAAC,CAAC,CAAC;gBACzE,MAAM,SAAS,GAAG,IAAI,IAAI,CAAC,WAAW,CAAC,OAAO,EAAE,GAAG,QAAQ,CAAC,CAAC;gBAE7D,uCAAuC;gBACvC,IAAI,QAAQ,KAAK,cAAc,EAAE,CAAC;oBAChC,wCAAwC;oBACxC,MAAM,QAAQ,GAAG,MAAM,MAAM,CAAC,KAAK,CACjC,iBAAiB,aAAa;;;qBAGrB,EACT,CAAC,GAAG,CAAC,CACN,CAAC;oBAEF,IAAI,QAAQ,CAAC,IAAI,CAAC,MAAM,GAAG,CAAC,EAAE,CAAC;wBAC7B,MAAM,GAAG,GAAG,QAAQ,CAAC,IAAI,CAAC,CAAC,CAA4B,CAAC;wBACxD,MAAM,UAAU,GAAG,GAAG,CAAC,WAAW,CAAC,CAAC,CAAC,IAAI,IAAI,CAAC,GAAG,CAAC,WAAqB,CAAC,CAAC,OAAO,EAAE,CAAC,CAAC,CAAC,GAAG,CAAC,OAAO,EAAE,CAAC;wBACnG,MAAM,eAAe,GAAG,GAAG,CAAC,gBAA0B,IAAI,WAAW,CAAC;wBAEtE,mBAAmB;wBACnB,MAAM,OAAO,GAAG,GAAG,CAAC,OAAO,EAAE,GAAG,UAAU,CAAC;wBAC3C,MAAM,UAAU,GAAG,WAAW,GAAG,QAAQ,CAAC;wBAC1C,MAAM,SAAS,GAAG,IAAI,CAAC,GAAG,CAAC,WAAW,EAAE,eAAe,GAAG,OAAO,GAAG,UAAU,GAAG,CAAC,CAAC,CAAC;wBAEpF,MAAM,MAAM,CAAC,KAAK,CAChB,UAAU,aAAa;;;;;6BAKR,EACf,CAAC,SAAS,EAAE,GAAG,EAAE,IAAI,CAAC,KAAK,CAAC,WAAW,GAAG,SAAS,CAAC,EAAE,GAAG,CAAC,EAAE,CAAC,CAC9D,CAAC;wBAEF,OAAO;4BACL,EAAE,EAAE,GAAG,CAAC,EAAY;4BACpB,GAAG;4BACH,KAAK,EAAE,IAAI,CAAC,KAAK,CAAC,WAAW,GAAG,SAAS,CAAC;4BAC1C,WAAW;4BACX,QAAQ;4BACR,WAAW,EAAE,IAAI,IAAI,CAAC,GAAG,CAAC,YAAsB,CAAC;4BACjD,SAAS,EAAE,IAAI,IAAI,CAAC,GAAG,CAAC,UAAoB,CAAC;4BAC7C,QAAQ;4BACR,MAAM;4BACN,QAAQ;4BACR,SAAS;4BACT,eAAe,EAAE,SAAS;4BAC1B,UAAU,EAAE,GAAG;4BACf,SAAS,EAAE,IAAI,IAAI,CAAC,GAAG,CAAC,UAAoB,CAAC;4BAC7C,SAAS,EAAE,GAAG;yBACf,CAAC;oBACJ,CAAC;oBAED,6CAA6C;oBAC7C,MAAM,SAAS,GAAG,WAAW,GAAG,CAAC,CAAC;oBAClC,MAAM,YAAY,GAAG,MAAM,MAAM,CAAC,KAAK,CACrC,eAAe,aAAa;;;;;yBAKf,EACb,CAAC,GAAG,EAAE,QAAQ,EAAE,WAAW,EAAE,QAAQ,EAAE,CAAC,EAAE,WAAW,EAAE,SAAS;wBAC/D,MAAM,IAAI,IAAI,EAAE,QAAQ,IAAI,IAAI,EAAE,SAAS,IAAI,IAAI,EAAE,SAAS,EAAE,GAAG,CAAC,CACtE,CAAC;oBAEF,MAAM,GAAG,GAAG,YAAY,CAAC,IAAI,CAAC,CAAC,CAA4B,CAAC;oBAC5D,OAAO;wBACL,EAAE,EAAE,GAAG,CAAC,EAAY;wBACpB,GAAG;wBACH,KAAK,EAAE,CAAC;wBACR,WAAW;wBACX,QAAQ;wBACR,WAAW;wBACX,SAAS;wBACT,QAAQ;wBACR,MAAM;wBACN,QAAQ;wBACR,SAAS;wBACT,eAAe,EAAE,SAAS;wBAC1B,UAAU,EAAE,GAAG;wBACf,SAAS,EAAE,GAAG;wBACd,SAAS,EAAE,GAAG;qBACf,CAAC;gBACJ,CAAC;gBAED,sEAAsE;gBACtE,uEAAuE;gBAEvE,wDAAwD;gBACxD,MAAM,YAAY,GAAG,MAAM,MAAM,CAAC,KAAK,CACrC,UAAU,aAAa;;;;;uBAKV,EACb,CAAC,MAAM,EAAE,GAAG,EAAE,WAAW,CAAC,CAC3B,CAAC;gBAEF,IAAI,YAAY,CAAC,IAAI,CAAC,MAAM,GAAG,CAAC,EAAE,CAAC;oBACjC,MAAM,GAAG,GAAG,YAAY,CAAC,IAAI,CAAC,CAAC,CAA4B,CAAC;oBAC5D,OAAO;wBACL,EAAE,EAAE,GAAG,CAAC,EAAY;wBACpB,GAAG;wBACH,KAAK,EAAE,GAAG,CAAC,aAAuB;wBAClC,WAAW;wBACX,QAAQ;wBACR,WAAW;wBACX,SAAS;wBACT,QAAQ;wBACR,MAAM;wBACN,QAAQ;wBACR,SAAS;wBACT,SAAS,EAAE,IAAI,IAAI,CAAC,GAAG,CAAC,UAAoB,CAAC;wBAC7C,SAAS,EAAE,GAAG;qBACf,CAAC;gBACJ,CAAC;gBAED,kCAAkC;gBAClC,MAAM,YAAY,GAAG,MAAM,MAAM,CAAC,KAAK,CACrC,eAAe,aAAa;;;;uBAIf,EACb,CAAC,GAAG,EAAE,QAAQ,EAAE,WAAW,EAAE,QAAQ,EAAE,MAAM,EAAE,WAAW,EAAE,SAAS;oBACpE,MAAM,IAAI,IAAI,EAAE,QAAQ,IAAI,IAAI,EAAE,SAAS,IAAI,IAAI,CAAC,CACtD,CAAC;gBAEF,MAAM,GAAG,GAAG,YAAY,CAAC,IAAI,CAAC,CAAC,CAA4B,CAAC;gBAC5D,OAAO;oBACL,EAAE,EAAE,GAAG,CAAC,EAAY;oBACpB,GAAG;oBACH,KAAK,EAAE,MAAM;oBACb,WAAW;oBACX,QAAQ;oBACR,WAAW;oBACX,SAAS;oBACT,QAAQ;oBACR,MAAM;oBACN,QAAQ;oBACR,SAAS;oBACT,SAAS,EAAE,GAAG;oBACd,SAAS,EAAE,GAAG;iBACf,CAAC;YACJ,CAAC,CAAC,CAAC;QACL,CAAC;QAED,KAAK,CAAC,KAAK,CAAC,GAAW,EAAE,MAAe;YACtC,OAAO,cAAc,CAAC,OAAO,EAAE,EAAE,MAAM,EAAE,KAAK,EAAE,MAAM,EAAE,EAAE;gBACxD,MAAM,MAAM,GAAG,MAAM,MAAM,CAAC,KAAK,CAC/B,eAAe,aAAa,uBAAuB,EACnD,CAAC,GAAG,CAAC,CACN,CAAC;gBACF,OAAO,CAAC,MAAM,CAAC,QAAQ,IAAI,CAAC,CAAC,GAAG,CAAC,CAAC;YACpC,CAAC,CAAC,CAAC;QACL,CAAC;QAED,KAAK,CAAC,OAAO;YACX,MAAM,IAAI,GAAG,OAAO,EAAE,CAAC;YACvB,8DAA8D;YAC9D,6CAA6C;YAC7C,MAAM,MAAM,GAAG,MAAM,IAAI,CAAC,KAAK,CAC7B,eAAe,aAAa,2BAA2B,CACxD,CAAC;YACF,OAAO,MAAM,CAAC,QAAQ,IAAI,CAAC,CAAC;QAC9B,CAAC;QAED,KAAK,CAAC,QAAQ;YACZ,iDAAiD;QACnD,CAAC;KACF,CAAC;AACJ,CAAC"}

package/dist/plugins/rate-limit/strategies/fixed-window.d.ts

@@ -0,0 +1,21 @@
+/**
+ * Fixed Window Rate Limit Strategy
+ *
+ * Implements a simple fixed window algorithm where requests are counted
+ * within discrete time windows. When a new window starts, the count resets.
+ *
+ * Pros:
+ * - Simple to implement and understand
+ * - Low memory overhead
+ *
+ * Cons:
+ * - Burst at boundary: allows 2x requests if timed at window edge
+ *
+ * Copyright (c) 2025 QwickApps.com. All rights reserved.
+ */
+import type { Strategy } from '../types.js';
+/**
+ * Create the fixed window strategy
+ */
+export declare function createFixedWindowStrategy(): Strategy;
+//# sourceMappingURL=fixed-window.d.ts.map

package/dist/plugins/rate-limit/strategies/fixed-window.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"fixed-window.d.ts","sourceRoot":"","sources":["../../../../src/plugins/rate-limit/strategies/fixed-window.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;;;GAcG;AAEH,OAAO,KAAK,EACV,QAAQ,EAKT,MAAM,aAAa,CAAC;AAErB;;GAEG;AACH,wBAAgB,yBAAyB,IAAI,QAAQ,CAwFpD"}

package/dist/plugins/rate-limit/strategies/fixed-window.js

@@ -0,0 +1,97 @@
+/**
+ * Fixed Window Rate Limit Strategy
+ *
+ * Implements a simple fixed window algorithm where requests are counted
+ * within discrete time windows. When a new window starts, the count resets.
+ *
+ * Pros:
+ * - Simple to implement and understand
+ * - Low memory overhead
+ *
+ * Cons:
+ * - Burst at boundary: allows 2x requests if timed at window edge
+ *
+ * Copyright (c) 2025 QwickApps.com. All rights reserved.
+ */
+/**
+ * Create the fixed window strategy
+ */
+export function createFixedWindowStrategy() {
+    return {
+        name: 'fixed-window',
+        async check(key, options, context) {
+            const { maxRequests, windowMs, increment = true } = options;
+            const { store, cache, userId, tenantId, ipAddress } = context;
+            const now = Date.now();
+            const windowStart = now - (now % windowMs); // Align to window boundary
+            const windowEnd = windowStart + windowMs;
+            // Try cache first
+            let cached = await cache.get(key);
+            let currentCount = 0;
+            if (cached && cached.windowStart === windowStart) {
+                // Cache hit and same window
+                currentCount = cached.count;
+            }
+            else if (cached && cached.windowEnd <= now) {
+                // Window expired - reset count
+                currentCount = 0;
+            }
+            else {
+                // Cache miss - check store
+                const stored = await store.get(key, userId);
+                if (stored) {
+                    const storedWindowStart = stored.windowStart.getTime();
+                    if (storedWindowStart === windowStart) {
+                        currentCount = stored.count;
+                    }
+                    // If different window, count is 0 (new window)
+                }
+            }
+            // Check if limited
+            const limited = currentCount >= maxRequests;
+            const remaining = Math.max(0, maxRequests - currentCount - (increment && !limited ? 1 : 0));
+            const resetAt = Math.ceil(windowEnd / 1000);
+            const retryAfter = Math.max(0, Math.ceil((windowEnd - now) / 1000));
+            // Increment if requested and not limited
+            if (increment && !limited) {
+                // Increment in store
+                const updated = await store.increment(key, {
+                    maxRequests,
+                    windowMs,
+                    strategy: 'fixed-window',
+                    userId,
+                    tenantId,
+                    ipAddress,
+                    amount: 1,
+                });
+                // Update cache
+                const newCached = {
+                    count: updated.count,
+                    maxRequests,
+                    windowStart,
+                    windowEnd,
+                    strategy: 'fixed-window',
+                };
+                await cache.set(key, newCached, windowMs);
+                return {
+                    limited: false,
+                    current: updated.count,
+                    limit: maxRequests,
+                    remaining: Math.max(0, maxRequests - updated.count),
+                    resetAt,
+                    retryAfter,
+                };
+            }
+            // Return status without incrementing
+            return {
+                limited,
+                current: currentCount,
+                limit: maxRequests,
+                remaining,
+                resetAt,
+                retryAfter,
+            };
+        },
+    };
+}
+//# sourceMappingURL=fixed-window.js.map

package/dist/plugins/rate-limit/strategies/fixed-window.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"fixed-window.js","sourceRoot":"","sources":["../../../../src/plugins/rate-limit/strategies/fixed-window.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;;;GAcG;AAUH;;GAEG;AACH,MAAM,UAAU,yBAAyB;IACvC,OAAO;QACL,IAAI,EAAE,cAAc;QAEpB,KAAK,CAAC,KAAK,CACT,GAAW,EACX,OAAwB,EACxB,OAAwB;YAExB,MAAM,EAAE,WAAW,EAAE,QAAQ,EAAE,SAAS,GAAG,IAAI,EAAE,GAAG,OAAO,CAAC;YAC5D,MAAM,EAAE,KAAK,EAAE,KAAK,EAAE,MAAM,EAAE,QAAQ,EAAE,SAAS,EAAE,GAAG,OAAO,CAAC;YAE9D,MAAM,GAAG,GAAG,IAAI,CAAC,GAAG,EAAE,CAAC;YACvB,MAAM,WAAW,GAAG,GAAG,GAAG,CAAC,GAAG,GAAG,QAAQ,CAAC,CAAC,CAAC,2BAA2B;YACvE,MAAM,SAAS,GAAG,WAAW,GAAG,QAAQ,CAAC;YAEzC,kBAAkB;YAClB,IAAI,MAAM,GAAG,MAAM,KAAK,CAAC,GAAG,CAAC,GAAG,CAAC,CAAC;YAClC,IAAI,YAAY,GAAG,CAAC,CAAC;YAErB,IAAI,MAAM,IAAI,MAAM,CAAC,WAAW,KAAK,WAAW,EAAE,CAAC;gBACjD,4BAA4B;gBAC5B,YAAY,GAAG,MAAM,CAAC,KAAK,CAAC;YAC9B,CAAC;iBAAM,IAAI,MAAM,IAAI,MAAM,CAAC,SAAS,IAAI,GAAG,EAAE,CAAC;gBAC7C,+BAA+B;gBAC/B,YAAY,GAAG,CAAC,CAAC;YACnB,CAAC;iBAAM,CAAC;gBACN,2BAA2B;gBAC3B,MAAM,MAAM,GAAG,MAAM,KAAK,CAAC,GAAG,CAAC,GAAG,EAAE,MAAM,CAAC,CAAC;gBAC5C,IAAI,MAAM,EAAE,CAAC;oBACX,MAAM,iBAAiB,GAAG,MAAM,CAAC,WAAW,CAAC,OAAO,EAAE,CAAC;oBACvD,IAAI,iBAAiB,KAAK,WAAW,EAAE,CAAC;wBACtC,YAAY,GAAG,MAAM,CAAC,KAAK,CAAC;oBAC9B,CAAC;oBACD,+CAA+C;gBACjD,CAAC;YACH,CAAC;YAED,mBAAmB;YACnB,MAAM,OAAO,GAAG,YAAY,IAAI,WAAW,CAAC;YAC5C,MAAM,SAAS,GAAG,IAAI,CAAC,GAAG,CAAC,CAAC,EAAE,WAAW,GAAG,YAAY,GAAG,CAAC,SAAS,IAAI,CAAC,OAAO,CAAC,CAAC,CAAC,CAAC,CAAC,CAAC,CAAC,CAAC,CAAC,CAAC,CAAC;YAC5F,MAAM,OAAO,GAAG,IAAI,CAAC,IAAI,CAAC,SAAS,GAAG,IAAI,CAAC,CAAC;YAC5C,MAAM,UAAU,GAAG,IAAI,CAAC,GAAG,CAAC,CAAC,EAAE,IAAI,CAAC,IAAI,CAAC,CAAC,SAAS,GAAG,GAAG,CAAC,GAAG,IAAI,CAAC,CAAC,CAAC;YAEpE,yCAAyC;YACzC,IAAI,SAAS,IAAI,CAAC,OAAO,EAAE,CAAC;gBAC1B,qBAAqB;gBACrB,MAAM,OAAO,GAAG,MAAM,KAAK,CAAC,SAAS,CAAC,GAAG,EAAE;oBACzC,WAAW;oBACX,QAAQ;oBACR,QAAQ,EAAE,cAAc;oBACxB,MAAM;oBACN,QAAQ;oBACR,SAAS;oBACT,MAAM,EAAE,CAAC;iBACV,CAAC,CAAC;gBAEH,eAAe;gBACf,MAAM,SAAS,GAAgB;oBAC7B,KAAK,EAAE,OAAO,CAAC,KAAK;oBACpB,WAAW;oBACX,WAAW;oBACX,SAAS;oBACT,QAAQ,EAAE,cAAc;iBACzB,CAAC;gBACF,MAAM,KAAK,CAAC,GAAG,CAAC,GAAG,EAAE,SAAS,EAAE,QAAQ,CAAC,CAAC;gBAE1C,OAAO;oBACL,OAAO,EAAE,KAAK;oBACd,OAAO,EAAE,OAAO,CAAC,KAAK;oBACtB,KAAK,EAAE,WAAW;oBAClB,SAAS,EAAE,IAAI,CAAC,GAAG,CAAC,CAAC,EAAE,WAAW,GAAG,OAAO,CAAC,KAAK,CAAC;oBACnD,OAAO;oBACP,UAAU;iBACX,CAAC;YACJ,CAAC;YAED,qCAAqC;YACrC,OAAO;gBACL,OAAO;gBACP,OAAO,EAAE,YAAY;gBACrB,KAAK,EAAE,WAAW;gBAClB,SAAS;gBACT,OAAO;gBACP,UAAU;aACX,CAAC;QACJ,CAAC;KACF,CAAC;AACJ,CAAC"}

package/dist/plugins/rate-limit/strategies/index.d.ts

@@ -0,0 +1,14 @@
+/**
+ * Rate Limit Strategies
+ *
+ * Copyright (c) 2025 QwickApps.com. All rights reserved.
+ */
+export { createSlidingWindowStrategy } from './sliding-window.js';
+export { createFixedWindowStrategy } from './fixed-window.js';
+export { createTokenBucketStrategy } from './token-bucket.js';
+import type { Strategy, RateLimitStrategy } from '../types.js';
+/**
+ * Get a strategy by name
+ */
+export declare function getStrategy(name: RateLimitStrategy): Strategy;
+//# sourceMappingURL=index.d.ts.map

package/dist/plugins/rate-limit/strategies/index.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"index.d.ts","sourceRoot":"","sources":["../../../../src/plugins/rate-limit/strategies/index.ts"],"names":[],"mappings":"AAAA;;;;GAIG;AAEH,OAAO,EAAE,2BAA2B,EAAE,MAAM,qBAAqB,CAAC;AAClE,OAAO,EAAE,yBAAyB,EAAE,MAAM,mBAAmB,CAAC;AAC9D,OAAO,EAAE,yBAAyB,EAAE,MAAM,mBAAmB,CAAC;AAE9D,OAAO,KAAK,EAAE,QAAQ,EAAE,iBAAiB,EAAE,MAAM,aAAa,CAAC;AAK/D;;GAEG;AACH,wBAAgB,WAAW,CAAC,IAAI,EAAE,iBAAiB,GAAG,QAAQ,CAW7D"}

package/dist/plugins/rate-limit/strategies/index.js

@@ -0,0 +1,27 @@
+/**
+ * Rate Limit Strategies
+ *
+ * Copyright (c) 2025 QwickApps.com. All rights reserved.
+ */
+export { createSlidingWindowStrategy } from './sliding-window.js';
+export { createFixedWindowStrategy } from './fixed-window.js';
+export { createTokenBucketStrategy } from './token-bucket.js';
+import { createSlidingWindowStrategy } from './sliding-window.js';
+import { createFixedWindowStrategy } from './fixed-window.js';
+import { createTokenBucketStrategy } from './token-bucket.js';
+/**
+ * Get a strategy by name
+ */
+export function getStrategy(name) {
+    switch (name) {
+        case 'sliding-window':
+            return createSlidingWindowStrategy();
+        case 'fixed-window':
+            return createFixedWindowStrategy();
+        case 'token-bucket':
+            return createTokenBucketStrategy();
+        default:
+            throw new Error(`Unknown rate limit strategy: ${name}`);
+    }
+}
+//# sourceMappingURL=index.js.map

package/dist/plugins/rate-limit/strategies/index.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"index.js","sourceRoot":"","sources":["../../../../src/plugins/rate-limit/strategies/index.ts"],"names":[],"mappings":"AAAA;;;;GAIG;AAEH,OAAO,EAAE,2BAA2B,EAAE,MAAM,qBAAqB,CAAC;AAClE,OAAO,EAAE,yBAAyB,EAAE,MAAM,mBAAmB,CAAC;AAC9D,OAAO,EAAE,yBAAyB,EAAE,MAAM,mBAAmB,CAAC;AAG9D,OAAO,EAAE,2BAA2B,EAAE,MAAM,qBAAqB,CAAC;AAClE,OAAO,EAAE,yBAAyB,EAAE,MAAM,mBAAmB,CAAC;AAC9D,OAAO,EAAE,yBAAyB,EAAE,MAAM,mBAAmB,CAAC;AAE9D;;GAEG;AACH,MAAM,UAAU,WAAW,CAAC,IAAuB;IACjD,QAAQ,IAAI,EAAE,CAAC;QACb,KAAK,gBAAgB;YACnB,OAAO,2BAA2B,EAAE,CAAC;QACvC,KAAK,cAAc;YACjB,OAAO,yBAAyB,EAAE,CAAC;QACrC,KAAK,cAAc;YACjB,OAAO,yBAAyB,EAAE,CAAC;QACrC;YACE,MAAM,IAAI,KAAK,CAAC,gCAAgC,IAAI,EAAE,CAAC,CAAC;IAC5D,CAAC;AACH,CAAC"}

package/dist/plugins/rate-limit/strategies/sliding-window.d.ts

@@ -0,0 +1,22 @@
+/**
+ * Sliding Window Rate Limit Strategy
+ *
+ * Implements a sliding window algorithm that provides smooth rate limiting
+ * without the "burst at boundary" problem of fixed windows.
+ *
+ * The algorithm works by:
+ * 1. Tracking request timestamps within a sliding window
+ * 2. On each request, counting requests in the current window
+ * 3. Old requests "slide out" as time passes
+ *
+ * For performance, we approximate using weighted window counting:
+ * - current_window_count + (previous_window_count * overlap_percentage)
+ *
+ * Copyright (c) 2025 QwickApps.com. All rights reserved.
+ */
+import type { Strategy } from '../types.js';
+/**
+ * Create the sliding window strategy
+ */
+export declare function createSlidingWindowStrategy(): Strategy;
+//# sourceMappingURL=sliding-window.d.ts.map

package/dist/plugins/rate-limit/strategies/sliding-window.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"sliding-window.d.ts","sourceRoot":"","sources":["../../../../src/plugins/rate-limit/strategies/sliding-window.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;;;;GAeG;AAEH,OAAO,KAAK,EACV,QAAQ,EAKT,MAAM,aAAa,CAAC;AAmBrB;;GAEG;AACH,wBAAgB,2BAA2B,IAAI,QAAQ,CA+GtD"}

package/dist/plugins/rate-limit/strategies/sliding-window.js

@@ -0,0 +1,122 @@
+/**
+ * Sliding Window Rate Limit Strategy
+ *
+ * Implements a sliding window algorithm that provides smooth rate limiting
+ * without the "burst at boundary" problem of fixed windows.
+ *
+ * The algorithm works by:
+ * 1. Tracking request timestamps within a sliding window
+ * 2. On each request, counting requests in the current window
+ * 3. Old requests "slide out" as time passes
+ *
+ * For performance, we approximate using weighted window counting:
+ * - current_window_count + (previous_window_count * overlap_percentage)
+ *
+ * Copyright (c) 2025 QwickApps.com. All rights reserved.
+ */
+/**
+ * Calculate the sliding window count using weighted approximation
+ */
+function calculateSlidingCount(currentCount, previousCount, windowMs, windowStart) {
+    const now = Date.now();
+    const elapsed = now - windowStart;
+    const overlap = Math.max(0, windowMs - elapsed) / windowMs;
+    // Weighted count: all of current window + portion of previous that overlaps
+    return Math.floor(currentCount + previousCount * overlap);
+}
+/**
+ * Create the sliding window strategy
+ */
+export function createSlidingWindowStrategy() {
+    return {
+        name: 'sliding-window',
+        async check(key, options, context) {
+            const { maxRequests, windowMs, increment = true } = options;
+            const { store, cache, userId, tenantId, ipAddress } = context;
+            const now = Date.now();
+            const windowStart = now - (now % windowMs); // Align to window boundary
+            const windowEnd = windowStart + windowMs;
+            // Try cache first
+            let cached = await cache.get(key);
+            let currentCount = 0;
+            let previousCount = 0;
+            if (cached && cached.windowEnd > now) {
+                // Cache hit and window is still valid
+                currentCount = cached.count;
+                // For sliding window, we also need previous window's count
+                // This is stored in the cache with a special key
+                const prevCached = await cache.get(`${key}:prev`);
+                if (prevCached) {
+                    previousCount = prevCached.count;
+                }
+            }
+            else {
+                // Cache miss or expired - check store
+                const stored = await store.get(key, userId);
+                if (stored && stored.windowEnd.getTime() > now) {
+                    currentCount = stored.count;
+                }
+            }
+            // Calculate sliding window count
+            const slidingCount = calculateSlidingCount(currentCount, previousCount, windowMs, windowStart);
+            // Check if limited
+            const limited = slidingCount >= maxRequests;
+            const remaining = Math.max(0, maxRequests - slidingCount - (increment && !limited ? 1 : 0));
+            const resetAt = Math.ceil(windowEnd / 1000);
+            const retryAfter = Math.max(0, Math.ceil((windowEnd - now) / 1000));
+            // Increment if requested and not limited
+            if (increment && !limited) {
+                // Check if we're in a new window - if so, save old count as previous
+                if (cached && cached.windowStart !== windowStart && cached.windowStart > 0) {
+                    // Window rolled over - save old window's data as previous
+                    const prevCached = {
+                        count: cached.count,
+                        maxRequests,
+                        windowStart: cached.windowStart,
+                        windowEnd: cached.windowEnd,
+                        strategy: 'sliding-window',
+                    };
+                    // Save previous window for overlap calculation (keep for 2x window duration)
+                    await cache.set(`${key}:prev`, prevCached, windowMs * 2);
+                }
+                // Increment in store
+                const updated = await store.increment(key, {
+                    maxRequests,
+                    windowMs,
+                    strategy: 'sliding-window',
+                    userId,
+                    tenantId,
+                    ipAddress,
+                    amount: 1,
+                });
+                // Update cache with current window
+                const newCached = {
+                    count: updated.count,
+                    maxRequests,
+                    windowStart,
+                    windowEnd,
+                    strategy: 'sliding-window',
+                };
+                await cache.set(key, newCached, windowMs);
+                return {
+                    limited: false,
+                    current: updated.count,
+                    limit: maxRequests,
+                    remaining: Math.max(0, maxRequests - updated.count),
+                    resetAt,
+                    retryAfter,
+                };
+            }
+            // Return status without incrementing
+            return {
+                limited,
+                current: slidingCount,
+                limit: maxRequests,
+                remaining,
+                resetAt,
+                retryAfter,
+            };
+        },
+    };
+}
+//# sourceMappingURL=sliding-window.js.map