spooder 6.1.1 → 6.1.2

package/README.md

@@ -603,6 +603,7 @@ server.stop(immediate: boolean): Promise<void>;
 // routing
 server.route(path: string, handler: RequestHandler, method?: HTTP_METHODS);
 server.json(path: string, handler: JSONRequestHandler, method?: HTTP_METHODS);
+server.throttle(delta: number, handler: JSONRequestHandler|RequestHandler);
 server.unroute(path: string);
 
 // fallback handlers
@@ -892,6 +893,24 @@ server.route('/test/route', () => {});
 server.unroute('/test/route');
 ```
 
+### 🔧 `server.throttle(delta: number, handler: JSONRequestHandler|RequestHandler)`
+
+Throttles requests going through the provided handler so that they take a **minimum** of `delta` milliseconds. Useful for preventing brute-force of sensitive endpoints.
+
+> [!IMPORTANT]
+> This is a rudimentary countermeasure for brute-force attacks, **not** a defence against timing-attacks. Always use constant-time/timing-safe comparison functions in sensitive endpoints.
+
+```ts
+server.json('/api/login', server.throttle(1000, (req, url, json) => {
+	// this endpoint will always take at least 1000ms to execute
+}));
+
+// works with regular routes
+server.route('/reset-password', server.throttle(1000, (req, url) => {
+	// this route will also take at least 1000ms to execute
+}));
+```
+
 ### 🔧 `server.json(path: string, handler: JSONRequestHandler, method?: HTTP_METHODS)`
 
 Register a JSON endpoint with automatic content validation. This method automatically validates that the request has the correct `Content-Type: application/json` header and that the request body contains a valid JSON object.

package/bun.lock

@@ -11,7 +11,7 @@
   "packages": {
     "@types/bun": ["@types/bun@1.3.1", "", { "dependencies": { "bun-types": "1.3.1" } }, "sha512-4jNMk2/K9YJtfqwoAa28c8wK+T7nvJFOjxI4h/7sORWcypRNxBpr+TPNaCfVWq70tLCJsqoFwcf0oI0JU/fvMQ=="],
 
-    "@types/node": ["@types/node@24.9.1", "", { "dependencies": { "undici-types": "~7.16.0" } }, "sha512-QoiaXANRkSXK6p0Duvt56W208du4P9Uye9hWLWgGMDTEoKPhuenzNcC4vGUmrNkiOKTlIrBoyNQYNpSwfEZXSg=="],
+    "@types/node": ["@types/node@24.9.2", "", { "dependencies": { "undici-types": "~7.16.0" } }, "sha512-uWN8YqxXxqFMX2RqGOrumsKeti4LlmIMIyV0lgut4jx7KQBcBiW6vkDtIBvHnHIquwNfJhk8v2OtmO8zXWHfPA=="],
 
     "@types/react": ["@types/react@19.2.2", "", { "dependencies": { "csstype": "^3.0.2" } }, "sha512-6mDvHUFSjyT2B2yeNx2nUgMxh9LtOWvkhIU3uePn2I2oyNymUAX1NIsdgviM4CH+JSrp2D2hsMvJOkxY+0wNRA=="],
 

package/package.json

@@ -2,7 +2,7 @@
 	"name": "spooder",
 	"author": "Kruithne <kruithne@gmail.com>",
 	"type": "module",
-	"version": "6.1.1",
+	"version": "6.1.2",
 	"module": "./src/api.ts",
 	"bin": {
 		"spooder": "./src/cli.ts"

package/src/api.ts

@@ -1782,6 +1782,11 @@ export function http_serve(port: number, hostname?: string) {
 	
 	log_spooder(`server started on port {${port}} (host: {${hostname ?? 'unspecified'}})`);
 	
+	type ThrottleHandler = {
+		(delta: number, handler: JSONRequestHandler): JSONRequestHandler;
+		(delta: number, handler: RequestHandler): RequestHandler;
+	};
+
 	return {
 		/** Register a handler for a specific route. */
 		route: (path: string, handler: RequestHandler, method: HTTP_METHODS = 'GET'): void => {
@@ -1789,6 +1794,23 @@ export function http_serve(port: number, hostname?: string) {
 				path = path.slice(0, -1);
 			routes.push([path.split('/'), handler, method]);
 		},
+
+		/** Throttles an endpoint to take at least the specified delta time (in ms) */
+		throttle: ((delta: number, handler: JSONRequestHandler | RequestHandler): any => {
+			return async (req: Request, ...args: any[]) => {
+				const t_start = Date.now();
+				const result = await (handler as any)(req, ...args);
+
+				const t_elapsed = Date.now() - t_start;
+				const t_remaining = Math.max(0, delta - t_elapsed);
+
+				if (t_remaining > 0)
+					await Bun.sleep(t_remaining);
+
+				slow_requests.add(req);
+				return result;
+			};
+		}) as ThrottleHandler,
 		
 		/** Register a JSON endpoint with automatic content validation. */
 		json: (path: string, handler: JSONRequestHandler, method: HTTP_METHODS = 'POST'): void => {