chadstart 1.0.5 → 1.0.6

package/core/email.js

@@ -0,0 +1,170 @@
+'use strict';
+
+/**
+ * Email sending service for ChadStart.
+ *
+ * SMTP connection details can be configured in the YAML `email` section
+ * or via environment variables (env vars always take precedence):
+ *
+ *   SMTP_HOST      SMTP server hostname
+ *   SMTP_PORT      SMTP server port (default: 587)
+ *   SMTP_USER      SMTP username / login
+ *   SMTP_PASS      SMTP password (secret — env var only)
+ *   SMTP_FROM      Default "From" address (e.g. "App <noreply@example.com>")
+ *
+ * Templates support simple {{variable}} interpolation.
+ */
+
+const nodemailer = require('nodemailer');
+const logger = require('../utils/logger');
+
+/** @type {import('nodemailer').Transporter | null} */
+let _transporter = null;
+
+/** @type {{ host: string, port: number, from: string, secure: boolean } | null} */
+let _emailConfig = null;
+
+/**
+ * Derive email/SMTP configuration from YAML + environment variables.
+ * Returns null when no SMTP host is configured (email sending is disabled).
+ *
+ * @param {object|null} emailYaml  Value of `core.email` (may be null).
+ * @returns {{ host: string, port: number, user: string, pass: string, from: string, secure: boolean } | null}
+ */
+function getEmailConfig(emailYaml) {
+  const cfg = emailYaml || {};
+
+  const host = process.env.SMTP_HOST || cfg.host || '';
+  if (!host) return null;
+
+  const port = parseInt(process.env.SMTP_PORT || cfg.port || '587', 10);
+  const user = process.env.SMTP_USER || cfg.username || '';
+  const pass = process.env.SMTP_PASS || '';
+  const from = process.env.SMTP_FROM || cfg.from || '';
+  const secure = cfg.secure !== undefined
+    ? cfg.secure
+    : port === 465;
+
+  return { host, port, user, pass, from, secure };
+}
+
+/**
+ * Initialize the email transporter.
+ * Safe to call multiple times (recreates on each call for hot-reload support).
+ *
+ * @param {object|null} emailYaml  Value of `core.email` (may be null).
+ * @returns {{ host: string, port: number, from: string, secure: boolean } | null}  The resolved config, or null if disabled.
+ */
+function initEmail(emailYaml) {
+  _transporter = null;
+  _emailConfig = null;
+
+  const cfg = getEmailConfig(emailYaml);
+  if (!cfg) {
+    logger.info('  Email/SMTP not configured — email sending disabled.');
+    return null;
+  }
+
+  const transportOpts = {
+    host: cfg.host,
+    port: cfg.port,
+    secure: cfg.secure,
+  };
+
+  if (cfg.user) {
+    transportOpts.auth = { user: cfg.user, pass: cfg.pass };
+  }
+
+  _transporter = nodemailer.createTransport(transportOpts);
+  _emailConfig = { host: cfg.host, port: cfg.port, from: cfg.from, secure: cfg.secure };
+
+  logger.info(`  Email/SMTP configured (host: ${cfg.host}:${cfg.port})`);
+  return _emailConfig;
+}
+
+/**
+ * Replace `{{variable}}` placeholders in a template string.
+ *
+ * @param {string} template  Template with `{{key}}` placeholders.
+ * @param {Record<string, string>} vars  Key→value map.
+ * @returns {string}
+ */
+function interpolate(template, vars) {
+  if (!template) return '';
+  return template.replace(/\{\{(\w+)\}\}/g, (_match, key) => {
+    return Object.prototype.hasOwnProperty.call(vars, key) ? String(vars[key]) : '';
+  });
+}
+
+/**
+ * Send an email using the configured SMTP transporter.
+ *
+ * @param {object} options
+ * @param {string} options.to           Recipient email address.
+ * @param {string} options.subject      Email subject (supports {{var}} interpolation).
+ * @param {string} [options.text]       Plain-text body (supports {{var}} interpolation).
+ * @param {string} [options.html]       HTML body (supports {{var}} interpolation).
+ * @param {string} [options.from]       Override the default "From" address.
+ * @param {Record<string, string>} [options.vars]  Variables for template interpolation.
+ * @returns {Promise<object>}           Nodemailer send result.
+ * @throws {Error}                      When SMTP is not configured or sending fails.
+ */
+async function sendEmail({ to, subject, text, html, from, vars }) {
+  if (!_transporter || !_emailConfig) {
+    throw new Error('Email is not configured. Set SMTP_HOST or configure the email section in your YAML config.');
+  }
+
+  const templateVars = vars || {};
+  const mailOptions = {
+    from: from || _emailConfig.from,
+    to,
+    subject: interpolate(subject, templateVars),
+  };
+
+  if (text) mailOptions.text = interpolate(text, templateVars);
+  if (html) mailOptions.html = interpolate(html, templateVars);
+
+  return _transporter.sendMail(mailOptions);
+}
+
+/**
+ * Verify the SMTP connection by attempting a handshake with the server.
+ *
+ * @returns {Promise<{ success: boolean, message: string }>}
+ */
+async function verifyConnection() {
+  if (!_transporter || !_emailConfig) {
+    return { success: false, message: 'Email is not configured. Set SMTP_HOST or configure the email section in your YAML config.' };
+  }
+  try {
+    await _transporter.verify();
+    return { success: true, message: `SMTP connection to ${_emailConfig.host}:${_emailConfig.port} verified.` };
+  } catch (err) {
+    return { success: false, message: `SMTP verification failed: ${err.message}` };
+  }
+}
+
+/**
+ * Returns the current email configuration metadata (without secrets).
+ *
+ * @returns {{ configured: boolean, host?: string, port?: number, from?: string, secure?: boolean }}
+ */
+function getEmailStatus() {
+  if (!_emailConfig) return { configured: false };
+  return {
+    configured: true,
+    host: _emailConfig.host,
+    port: _emailConfig.port,
+    from: _emailConfig.from,
+    secure: _emailConfig.secure,
+  };
+}
+
+module.exports = {
+  getEmailConfig,
+  initEmail,
+  interpolate,
+  sendEmail,
+  verifyConnection,
+  getEmailStatus,
+};

package/core/entity-engine.js

@@ -60,6 +60,7 @@ function buildEntities(config) {
       tableName: toSnakeCase(name),
       slug: def.slug || toKebabCase(name),
       authenticable: def.authenticable === true,
+      requireEmailVerification: def.requireEmailVerification === true,
       single: def.single === true,
       mainProp: def.mainProp || null,
       nameSingular: def.nameSingular || null,
@@ -155,6 +156,9 @@ function buildCore(config) {
     port: parseInt(process.env.CHADSTART_PORT || process.env.PORT || config.port || 3000, 10),
     rateLimits,
     telemetry,
+    email: config.email || null,
+    logs: config.logs || null,
+    backup: config.backup || null,
     oauth: config.oauth || null,
     admin: {
       enable_app: adminCfg.enable_app !== false,

package/core/logs.js

@@ -0,0 +1,179 @@
+'use strict';
+
+/**
+ * Request logging module for ChadStart.
+ *
+ * Stores API request logs in the `_cs_logs` system table and provides
+ * a paginated, filterable query API for the admin dashboard.
+ *
+ * Configuration via YAML `logs` section:
+ *   logs:
+ *     retention: 30          # Days to keep logs (default: 30, 0 = forever)
+ *     exclude:               # Paths to exclude from logging
+ *       - /health
+ *       - /admin/vendor
+ */
+
+const db = require('./db');
+const { q } = db;
+const logger = require('../utils/logger');
+
+const _DB_ENGINE = db.DB_ENGINE;
+const _ID_T   = _DB_ENGINE === 'mysql' ? 'VARCHAR(36)' : 'TEXT';
+const _NAME_T = _DB_ENGINE === 'mysql' ? 'VARCHAR(255)' : 'TEXT';
+
+/** Default log retention in days. 0 = keep forever. */
+const DEFAULT_RETENTION_DAYS = 30;
+
+/**
+ * Initialize the _cs_logs system table.
+ * Must be called after initDb().
+ */
+async function initLogs() {
+  await db.exec(`
+    CREATE TABLE IF NOT EXISTS ${q('_cs_logs')} (
+      ${q('id')}         ${_ID_T} PRIMARY KEY,
+      ${q('method')}     ${_NAME_T},
+      ${q('path')}       TEXT,
+      ${q('statusCode')} INTEGER,
+      ${q('duration')}   INTEGER,
+      ${q('ip')}         ${_NAME_T},
+      ${q('userId')}     ${_NAME_T},
+      ${q('userEntity')} ${_NAME_T},
+      ${q('createdAt')}  TEXT NOT NULL
+    )
+  `);
+}
+
+/**
+ * Insert a log entry.
+ */
+async function insertLog({ method, path, statusCode, duration, ip, userId, userEntity }) {
+  const id = require('crypto').randomUUID();
+  const now = new Date().toISOString();
+  await db.queryRun(
+    `INSERT INTO ${q('_cs_logs')} (${q('id')},${q('method')},${q('path')},${q('statusCode')},${q('duration')},${q('ip')},${q('userId')},${q('userEntity')},${q('createdAt')})
+     VALUES (?,?,?,?,?,?,?,?,?)`,
+    [id, method, path, statusCode, duration, ip || null, userId || null, userEntity || null, now]
+  );
+}
+
+/**
+ * Express middleware that logs each request to the _cs_logs table.
+ *
+ * @param {object} opts
+ * @param {string[]} opts.exclude  Path prefixes to skip logging (e.g. ['/health']).
+ */
+function requestLoggerMiddleware(opts = {}) {
+  const exclude = opts.exclude || [];
+  return (req, res, next) => {
+    // Skip excluded paths
+    for (const prefix of exclude) {
+      if (req.path.startsWith(prefix)) return next();
+    }
+
+    const start = Date.now();
+
+    // Hook into response finish event
+    const originalEnd = res.end;
+    res.end = function (...args) {
+      res.end = originalEnd;
+      res.end(...args);
+
+      const duration = Date.now() - start;
+      const userId = (req.user && req.user.id) || null;
+      const userEntity = (req.user && req.user.entity) || null;
+
+      // Insert asynchronously (best-effort, don't block response)
+      insertLog({
+        method: req.method,
+        path: req.originalUrl || req.path,
+        statusCode: res.statusCode,
+        duration,
+        ip: req.ip || req.socket?.remoteAddress || null,
+        userId,
+        userEntity,
+      }).catch((e) => logger.warn('Log insert failed:', e.message));
+    };
+
+    next();
+  };
+}
+
+/**
+ * Query logs with pagination and filters.
+ *
+ * @param {object} filters  Optional filters: { method, statusCode, path, from, to }
+ * @param {object} opts     { page, perPage, order }
+ * @returns {{ data: object[], total: number, currentPage: number, lastPage: number, perPage: number }}
+ */
+async function queryLogs(filters = {}, opts = {}) {
+  const page = Math.max(1, parseInt(opts.page || 1, 10));
+  const perPage = Math.min(100, Math.max(1, parseInt(opts.perPage || 50, 10)));
+  const order = (opts.order || 'DESC').toUpperCase() === 'ASC' ? 'ASC' : 'DESC';
+
+  const where = [];
+  const params = [];
+
+  if (filters.method) {
+    where.push(`${q('method')} = ?`);
+    params.push(filters.method.toUpperCase());
+  }
+  if (filters.statusCode) {
+    where.push(`${q('statusCode')} = ?`);
+    params.push(parseInt(filters.statusCode, 10));
+  }
+  if (filters.path) {
+    where.push(`${q('path')} LIKE ?`);
+    params.push(`%${filters.path}%`);
+  }
+  if (filters.from) {
+    where.push(`${q('createdAt')} >= ?`);
+    params.push(filters.from);
+  }
+  if (filters.to) {
+    where.push(`${q('createdAt')} <= ?`);
+    params.push(filters.to);
+  }
+
+  const whereClause = where.length ? `WHERE ${where.join(' AND ')}` : '';
+
+  const countRow = await db.queryOne(
+    `SELECT COUNT(*) AS cnt FROM ${q('_cs_logs')} ${whereClause}`,
+    params
+  );
+  const total = countRow ? countRow.cnt : 0;
+  const lastPage = Math.max(1, Math.ceil(total / perPage));
+  const offset = (page - 1) * perPage;
+
+  const data = await db.queryAll(
+    `SELECT * FROM ${q('_cs_logs')} ${whereClause} ORDER BY ${q('createdAt')} ${order} LIMIT ? OFFSET ?`,
+    [...params, perPage, offset]
+  );
+
+  return { data, total, currentPage: page, lastPage, perPage };
+}
+
+/**
+ * Delete logs older than the specified number of days.
+ *
+ * @param {number} days  Log retention in days. 0 or negative = keep all.
+ * @returns {number}     Number of rows deleted.
+ */
+async function cleanupOldLogs(days) {
+  if (!days || days <= 0) return 0;
+  const cutoff = new Date(Date.now() - days * 24 * 60 * 60 * 1000).toISOString();
+  const result = await db.queryRun(
+    `DELETE FROM ${q('_cs_logs')} WHERE ${q('createdAt')} < ?`,
+    [cutoff]
+  );
+  return result?.changes || 0;
+}
+
+module.exports = {
+  initLogs,
+  insertLog,
+  requestLoggerMiddleware,
+  queryLogs,
+  cleanupOldLogs,
+};

package/core/openapi.js

@@ -30,8 +30,12 @@ function generateOpenApiSpec(core) {
     spec.components.schemas[`${e.name}AuthResponse`] = { type: 'object', properties: { token: { type: 'string' }, user: { $ref: `#/components/schemas/${e.name}` } } };
 
     spec.paths[`/api/auth/${slug}/signup`] = { post: { tags: [`Auth – ${e.name}`], summary: `Sign up as ${e.name}`, requestBody: jsonBody(`${e.name}Input`), responses: { 201: jsonResp(e.name + 'AuthResponse'), 400: desc('Validation error'), 409: desc('Email already registered') } } };
-    spec.paths[`/api/auth/${slug}/login`]  = { post: { tags: [`Auth – ${e.name}`], summary: `Login as ${e.name}`, requestBody: jsonBody(`${e.name}LoginInput`), responses: { 200: jsonResp(e.name + 'AuthResponse'), 401: desc('Invalid credentials') } } };
+    spec.paths[`/api/auth/${slug}/login`]  = { post: { tags: [`Auth – ${e.name}`], summary: `Login as ${e.name}`, requestBody: jsonBody(`${e.name}LoginInput`), responses: { 200: jsonResp(e.name + 'AuthResponse'), 401: desc('Invalid credentials'), 403: desc('Email not verified') } } };
     spec.paths[`/api/auth/${slug}/me`]     = { get: { tags: [`Auth – ${e.name}`], summary: `Get current ${e.name}`, security: [{ bearerAuth: [] }], responses: { 200: jsonResp(e.name), 401: desc('Unauthorized') } } };
+    spec.paths[`/api/auth/${slug}/request-verification`] = { post: { tags: [`Auth – ${e.name}`], summary: `Request email verification for ${e.name}`, security: [{ bearerAuth: [] }], responses: { 200: desc('Verification email sent'), 401: desc('Unauthorized') } } };
+    spec.paths[`/api/auth/${slug}/confirm-verification`] = { post: { tags: [`Auth – ${e.name}`], summary: `Confirm email verification for ${e.name}`, requestBody: { required: true, content: { 'application/json': { schema: { type: 'object', required: ['token'], properties: { token: { type: 'string' } } } } } }, responses: { 200: desc('Email verified'), 400: desc('Invalid token') } } };
+    spec.paths[`/api/auth/${slug}/request-password-reset`] = { post: { tags: [`Auth – ${e.name}`], summary: `Request password reset for ${e.name}`, requestBody: { required: true, content: { 'application/json': { schema: { type: 'object', required: ['email'], properties: { email: { type: 'string', format: 'email' } } } } } }, responses: { 200: desc('Password reset email sent (if account exists)') } } };
+    spec.paths[`/api/auth/${slug}/confirm-password-reset`] = { post: { tags: [`Auth – ${e.name}`], summary: `Confirm password reset for ${e.name}`, requestBody: { required: true, content: { 'application/json': { schema: { type: 'object', required: ['token', 'password'], properties: { token: { type: 'string' }, password: { type: 'string', format: 'password' } } } } } }, responses: { 200: desc('Password reset successful'), 400: desc('Invalid or expired token') } } };
   }
 
   // Entity CRUD endpoints
@@ -138,7 +142,7 @@ function entityInputSchema(e, all) {
 }
 
 function authSchema(e) {
-  const props = { id: { type: 'string', format: 'uuid', readOnly: true }, email: { type: 'string', format: 'email' }, createdAt: { type: 'string', format: 'date-time' }, updatedAt: { type: 'string', format: 'date-time' } };
+  const props = { id: { type: 'string', format: 'uuid', readOnly: true }, email: { type: 'string', format: 'email' }, emailVerified: { type: 'boolean' }, createdAt: { type: 'string', format: 'date-time' }, updatedAt: { type: 'string', format: 'date-time' } };
   for (const p of e.properties) {
     if (!p.hidden) props[p.name] = { type: OPENAPI_TYPE[p.type] || 'string' };
   }

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "chadstart",
-  "version": "1.0.5",
+  "version": "1.0.6",
   "description": "YAML-first Backend as a Service — define your entire backend in one YAML file",
   "main": "server/express-server.js",
   "bin": {
@@ -53,6 +53,7 @@
     "jsonwebtoken": "^9.0.3",
     "mysql2": "^3.20.0",
     "node-cron": "^4.2.1",
+    "nodemailer": "^8.0.4",
     "pg": "^8.20.0",
     "postgrator": "^8.0.0",
     "sharp": "^0.34.5",

package/server/express-server.js

@@ -24,6 +24,9 @@ const { initErrorReporter, getRequestHandler, attachErrorHandler } = require('..
 const { getTelemetryConfig, initTelemetry } = require('../core/telemetry');
 const { setupFunctions, cleanup: cleanupFunctions } = require('../core/functions-engine');
 const { registerOAuthRoutes } = require('../core/oauth');
+const { initEmail, sendEmail, verifyConnection, getEmailStatus } = require('../core/email');
+const { initLogs, requestLoggerMiddleware, queryLogs, cleanupOldLogs } = require('../core/logs');
+const { createBackup, restoreBackup, listBackups } = require('../core/backup');
 const logger = require('../utils/logger');
 
 function limiter(windowMs, max) {
@@ -100,11 +103,24 @@ async function buildApp(configPath, reloadFn) {
   const telConfig = getTelemetryConfig(core.telemetry);
   await initTelemetry(telConfig);
 
+  // Initialize email/SMTP service
+  initEmail(core.email);
+
   const dbPath = core.database
     ? path.resolve(path.dirname(configPath), core.database)
     : undefined;
   await initDb(core, dbPath);
   await initApiKeys();
+  await initLogs();
+
+  // Schedule periodic log cleanup
+  const logsCfg = core.logs || {};
+  const retentionDays = logsCfg.retention !== undefined ? logsCfg.retention : 30;
+  if (retentionDays > 0) {
+    // Run cleanup once at startup and then every 24 hours
+    cleanupOldLogs(retentionDays).catch(() => {});
+    setInterval(() => cleanupOldLogs(retentionDays).catch(() => {}), 24 * 60 * 60 * 1000).unref();
+  }
 
   initErrorReporter(core);
 
@@ -117,6 +133,10 @@ async function buildApp(configPath, reloadFn) {
   const sentryRequestHandler = getRequestHandler();
   if (sentryRequestHandler) app.use(sentryRequestHandler);
 
+  // Request logging middleware — placed after Sentry but before routes
+  const logExclude = (logsCfg.exclude || ['/health', '/admin/vendor']);
+  app.use(requestLoggerMiddleware({ exclude: logExclude }));
+
   // Public static files
   if (core.public && core.public.folder) {
     const publicDir = path.resolve(core.public.folder);
@@ -280,6 +300,43 @@ async function buildApp(configPath, reloadFn) {
     }
   });
 
+  // ── Admin email endpoints ──────────────────────────────────────────────
+  // GET /admin/email/status — check if SMTP is configured
+  app.get('/admin/email/status', adminRateLimiter, (req, res) => {
+    const header = req.headers.authorization;
+    if (!header || !header.startsWith('Bearer ')) return res.status(401).json({ error: 'Unauthorized' });
+    try { verifyToken(header.slice(7)); } catch { return res.status(401).json({ error: 'Invalid token' }); }
+    res.json(getEmailStatus());
+  });
+
+  // POST /admin/test-email — send a test email to verify SMTP configuration (auth required)
+  app.post('/admin/test-email', adminRateLimiter, async (req, res) => {
+    const header = req.headers.authorization;
+    if (!header || !header.startsWith('Bearer ')) return res.status(401).json({ error: 'Unauthorized' });
+    try { verifyToken(header.slice(7)); } catch { return res.status(401).json({ error: 'Invalid token' }); }
+
+    const { to } = req.body || {};
+    if (!to || typeof to !== 'string') return res.status(400).json({ error: 'to (email address) is required' });
+
+    // First verify the SMTP connection
+    const verification = await verifyConnection();
+    if (!verification.success) return res.status(503).json(verification);
+
+    try {
+      const safeName = escAdminHtml(core.name);
+      await sendEmail({
+        to,
+        subject: 'ChadStart Test Email',
+        text: `This is a test email from your ChadStart application "${core.name}".\n\nIf you received this, your SMTP configuration is working correctly.`,
+        html: `<h2>ChadStart Test Email</h2><p>This is a test email from your ChadStart application <strong>&quot;${safeName}&quot;</strong>.</p><p>If you received this, your SMTP configuration is working correctly. &#x2705;</p>`,
+      });
+      res.json({ success: true, message: `Test email sent to ${to}` });
+    } catch (e) {
+      logger.error('Test email failed:', e.message);
+      res.status(502).json({ success: false, message: `Failed to send test email: ${e.message}` });
+    }
+  });
+
   // ── Admin AI assistant endpoints ──────────────────────────────────────
   // GET /admin/ai/status — tell the UI whether AI chat is available
   app.get('/admin/ai/status', adminRateLimiter, (_req, res) => {
@@ -387,6 +444,62 @@ async function buildApp(configPath, reloadFn) {
     }
   });
 
+  // ── Admin logs endpoint ─────────────────────────────────────────────
+  app.get('/admin/logs', adminRateLimiter, async (req, res) => {
+    const header = req.headers.authorization;
+    if (!header || !header.startsWith('Bearer ')) return res.status(401).json({ error: 'Unauthorized' });
+    try { verifyToken(header.slice(7)); } catch { return res.status(401).json({ error: 'Invalid token' }); }
+    try {
+      const { method, statusCode, path: filterPath, from, to, page, perPage, order } = req.query;
+      const result = await queryLogs(
+        { method, statusCode, path: filterPath, from, to },
+        { page, perPage, order }
+      );
+      res.json(result);
+    } catch (err) {
+      res.status(500).json({ error: err.message });
+    }
+  });
+
+  // ── Admin backup endpoints ──────────────────────────────────────────
+  app.post('/admin/backup', adminRateLimiter, async (req, res) => {
+    const header = req.headers.authorization;
+    if (!header || !header.startsWith('Bearer ')) return res.status(401).json({ error: 'Unauthorized' });
+    try { verifyToken(header.slice(7)); } catch { return res.status(401).json({ error: 'Invalid token' }); }
+    try {
+      const result = await createBackup(core.backup);
+      res.json(result);
+    } catch (err) {
+      res.status(500).json({ error: err.message });
+    }
+  });
+
+  app.post('/admin/restore', adminRateLimiter, async (req, res) => {
+    const header = req.headers.authorization;
+    if (!header || !header.startsWith('Bearer ')) return res.status(401).json({ error: 'Unauthorized' });
+    try { verifyToken(header.slice(7)); } catch { return res.status(401).json({ error: 'Invalid token' }); }
+    const { file } = req.body || {};
+    if (!file || typeof file !== 'string') return res.status(400).json({ error: 'file (backup filename) is required' });
+    try {
+      const result = await restoreBackup(file, core.backup);
+      if (!result.success) return res.status(404).json(result);
+      res.json(result);
+    } catch (err) {
+      res.status(500).json({ error: err.message });
+    }
+  });
+
+  app.get('/admin/backups', adminRateLimiter, (req, res) => {
+    const header = req.headers.authorization;
+    if (!header || !header.startsWith('Bearer ')) return res.status(401).json({ error: 'Unauthorized' });
+    try { verifyToken(header.slice(7)); } catch { return res.status(401).json({ error: 'Invalid token' }); }
+    try {
+      res.json(listBackups(core.backup));
+    } catch (err) {
+      res.status(500).json({ error: err.message });
+    }
+  });
+
   // ── Admin seed endpoint ─────────────────────────────────────────────
   app.post('/admin/seed', adminRateLimiter, async (req, res) => {
     const header = req.headers.authorization;