tlc-claude-code 1.4.7 → 1.4.9

package/server/lib/network/rate-limiter.js

@@ -0,0 +1,229 @@
+/**
+ * Rate Limiter
+ * Sliding window rate limiting with whitelist/blacklist support
+ */
+
+export const RATE_LIMIT_ALGORITHMS = {
+  SLIDING_WINDOW: 'sliding_window',
+  TOKEN_BUCKET: 'token_bucket',
+  FIXED_WINDOW: 'fixed_window',
+};
+
+/**
+ * Create a sliding window rate limiter store
+ */
+export function createSlidingWindow(options) {
+  const { windowMs, maxRequests } = options;
+  const store = new Map();
+
+  return {
+    increment(key) {
+      const now = Date.now();
+      const record = store.get(key);
+
+      if (!record || now - record.windowStart >= windowMs) {
+        // Start new window
+        store.set(key, { count: 1, windowStart: now });
+        return true;
+      }
+
+      if (record.count >= maxRequests) {
+        return false;
+      }
+
+      record.count++;
+      return true;
+    },
+
+    getCount(key) {
+      const record = store.get(key);
+      if (!record) return 0;
+
+      const now = Date.now();
+      if (now - record.windowStart >= windowMs) {
+        return 0;
+      }
+
+      return record.count;
+    },
+
+    reset(key) {
+      if (key) {
+        store.delete(key);
+      } else {
+        store.clear();
+      }
+    },
+  };
+}
+
+/**
+ * Check if an IP matches a CIDR range
+ */
+function ipMatchesCidr(ip, cidr) {
+  if (!cidr.includes('/')) {
+    return ip === cidr;
+  }
+
+  const [range, bits] = cidr.split('/');
+  const mask = parseInt(bits, 10);
+
+  const ipParts = ip.split('.').map(Number);
+  const rangeParts = range.split('.').map(Number);
+
+  const ipNum = (ipParts[0] << 24) | (ipParts[1] << 16) | (ipParts[2] << 8) | ipParts[3];
+  const rangeNum =
+    (rangeParts[0] << 24) | (rangeParts[1] << 16) | (rangeParts[2] << 8) | rangeParts[3];
+
+  const maskNum = ~((1 << (32 - mask)) - 1);
+
+  return (ipNum & maskNum) === (rangeNum & maskNum);
+}
+
+/**
+ * Check if IP is in whitelist
+ */
+export function isWhitelisted(ip, whitelist) {
+  if (!whitelist || whitelist.length === 0) {
+    return false;
+  }
+
+  return whitelist.some((entry) => ipMatchesCidr(ip, entry));
+}
+
+/**
+ * Check if IP is in blacklist
+ */
+export function isBlacklisted(ip, blacklist) {
+  if (!blacklist || blacklist.length === 0) {
+    return false;
+  }
+
+  return blacklist.some((entry) => ipMatchesCidr(ip, entry));
+}
+
+/**
+ * Check rate limit for a request
+ */
+export function checkRateLimit(options) {
+  const { ip, endpoint, limits, store } = options;
+
+  // Find the limit configuration for this endpoint
+  const limitConfig = limits[endpoint] || limits.default || { maxRequests: 100, windowMs: 60000 };
+  const { maxRequests, windowMs } = limitConfig;
+
+  const key = `${ip}:${endpoint}`;
+  const now = Date.now();
+
+  // Get or create record
+  let record = store.get(key);
+  if (!record || now - record.windowStart >= windowMs) {
+    record = { count: 0, windowStart: now };
+    store.set(key, record);
+  }
+
+  const resetTime = record.windowStart + windowMs;
+
+  if (record.count >= maxRequests) {
+    return {
+      allowed: false,
+      limit: maxRequests,
+      remaining: 0,
+      resetTime,
+    };
+  }
+
+  // Calculate remaining before incrementing
+  const remaining = Math.max(0, maxRequests - record.count);
+
+  // Increment counter
+  record.count++;
+
+  return {
+    allowed: true,
+    limit: maxRequests,
+    remaining,
+    resetTime,
+  };
+}
+
+/**
+ * Generate rate limit headers
+ */
+export function getRateLimitHeaders(options) {
+  const { limit, remaining, resetTime, blocked } = options;
+
+  const headers = {
+    'X-RateLimit-Limit': String(limit),
+    'X-RateLimit-Remaining': String(remaining),
+    'X-RateLimit-Reset': String(Math.ceil(resetTime / 1000)),
+  };
+
+  if (blocked) {
+    const retryAfter = Math.ceil((resetTime - Date.now()) / 1000);
+    headers['Retry-After'] = String(Math.max(1, retryAfter));
+  }
+
+  return headers;
+}
+
+/**
+ * Create a rate limiter instance
+ */
+export function createRateLimiter(config) {
+  const { limits, whitelist = [], blacklist = [] } = config;
+  const store = new Map();
+
+  return {
+    check(options) {
+      const { ip, endpoint } = options;
+
+      // Check blacklist first
+      if (isBlacklisted(ip, blacklist)) {
+        return {
+          allowed: false,
+          reason: 'IP is on blacklist',
+          limit: 0,
+          remaining: 0,
+        };
+      }
+
+      // Check whitelist
+      if (isWhitelisted(ip, whitelist)) {
+        // Find limit config just for the limit value
+        const limitConfig = limits[endpoint] || limits.default || { maxRequests: 100 };
+        return {
+          allowed: true,
+          limit: limitConfig.maxRequests,
+          remaining: limitConfig.maxRequests,
+          whitelisted: true,
+        };
+      }
+
+      // Normal rate limiting
+      return checkRateLimit({ ip, endpoint, limits, store });
+    },
+
+    getHeaders(result) {
+      return getRateLimitHeaders({
+        limit: result.limit,
+        remaining: result.remaining,
+        resetTime: result.resetTime || Date.now() + 60000,
+        blocked: !result.allowed,
+      });
+    },
+
+    reset(ip) {
+      if (ip) {
+        // Reset all entries for this IP
+        for (const key of store.keys()) {
+          if (key.startsWith(`${ip}:`)) {
+            store.delete(key);
+          }
+        }
+      } else {
+        store.clear();
+      }
+    },
+  };
+}

package/server/lib/network/rate-limiter.test.js

@@ -0,0 +1,293 @@
+/**
+ * Rate Limiter Tests
+ */
+import { describe, it, expect, vi, beforeEach } from 'vitest';
+import {
+  createRateLimiter,
+  checkRateLimit,
+  getRateLimitHeaders,
+  RATE_LIMIT_ALGORITHMS,
+  createSlidingWindow,
+  isWhitelisted,
+  isBlacklisted,
+} from './rate-limiter.js';
+
+describe('rate-limiter', () => {
+  describe('RATE_LIMIT_ALGORITHMS', () => {
+    it('defines algorithm constants', () => {
+      expect(RATE_LIMIT_ALGORITHMS.SLIDING_WINDOW).toBe('sliding_window');
+      expect(RATE_LIMIT_ALGORITHMS.TOKEN_BUCKET).toBe('token_bucket');
+      expect(RATE_LIMIT_ALGORITHMS.FIXED_WINDOW).toBe('fixed_window');
+    });
+  });
+
+  describe('createSlidingWindow', () => {
+    it('creates sliding window counter', () => {
+      const window = createSlidingWindow({
+        windowMs: 60000,
+        maxRequests: 100,
+      });
+
+      expect(window.increment).toBeDefined();
+      expect(window.getCount).toBeDefined();
+      expect(window.reset).toBeDefined();
+    });
+
+    it('tracks requests within window', () => {
+      const window = createSlidingWindow({
+        windowMs: 60000,
+        maxRequests: 100,
+      });
+
+      window.increment('192.168.1.1');
+      window.increment('192.168.1.1');
+
+      expect(window.getCount('192.168.1.1')).toBe(2);
+    });
+
+    it('respects max requests', () => {
+      const window = createSlidingWindow({
+        windowMs: 60000,
+        maxRequests: 2,
+      });
+
+      expect(window.increment('192.168.1.1')).toBe(true);
+      expect(window.increment('192.168.1.1')).toBe(true);
+      expect(window.increment('192.168.1.1')).toBe(false);
+    });
+
+    it('resets after window expires', async () => {
+      const window = createSlidingWindow({
+        windowMs: 50,
+        maxRequests: 1,
+      });
+
+      window.increment('192.168.1.1');
+      expect(window.increment('192.168.1.1')).toBe(false);
+
+      await new Promise((r) => setTimeout(r, 60));
+
+      expect(window.increment('192.168.1.1')).toBe(true);
+    });
+  });
+
+  describe('checkRateLimit', () => {
+    it('allows requests under limit', () => {
+      const result = checkRateLimit({
+        ip: '192.168.1.1',
+        endpoint: '/api/test',
+        limits: { '/api/test': { maxRequests: 100, windowMs: 60000 } },
+        store: new Map(),
+      });
+
+      expect(result.allowed).toBe(true);
+    });
+
+    it('blocks requests over limit', () => {
+      const store = new Map();
+      store.set('192.168.1.1:/api/test', { count: 100, windowStart: Date.now() });
+
+      const result = checkRateLimit({
+        ip: '192.168.1.1',
+        endpoint: '/api/test',
+        limits: { '/api/test': { maxRequests: 100, windowMs: 60000 } },
+        store,
+      });
+
+      expect(result.allowed).toBe(false);
+    });
+
+    it('tracks per-endpoint limits', () => {
+      const store = new Map();
+
+      const result1 = checkRateLimit({
+        ip: '192.168.1.1',
+        endpoint: '/api/fast',
+        limits: {
+          '/api/fast': { maxRequests: 10, windowMs: 60000 },
+          '/api/slow': { maxRequests: 100, windowMs: 60000 },
+        },
+        store,
+      });
+
+      const result2 = checkRateLimit({
+        ip: '192.168.1.1',
+        endpoint: '/api/slow',
+        limits: {
+          '/api/fast': { maxRequests: 10, windowMs: 60000 },
+          '/api/slow': { maxRequests: 100, windowMs: 60000 },
+        },
+        store,
+      });
+
+      expect(result1.limit).toBe(10);
+      expect(result2.limit).toBe(100);
+    });
+
+    it('returns remaining requests', () => {
+      const store = new Map();
+      store.set('192.168.1.1:/api/test', { count: 50, windowStart: Date.now() });
+
+      const result = checkRateLimit({
+        ip: '192.168.1.1',
+        endpoint: '/api/test',
+        limits: { '/api/test': { maxRequests: 100, windowMs: 60000 } },
+        store,
+      });
+
+      expect(result.remaining).toBe(50);
+    });
+  });
+
+  describe('getRateLimitHeaders', () => {
+    it('generates X-RateLimit-Limit header', () => {
+      const headers = getRateLimitHeaders({
+        limit: 100,
+        remaining: 50,
+        resetTime: Date.now() + 60000,
+      });
+
+      expect(headers['X-RateLimit-Limit']).toBe('100');
+    });
+
+    it('generates X-RateLimit-Remaining header', () => {
+      const headers = getRateLimitHeaders({
+        limit: 100,
+        remaining: 50,
+        resetTime: Date.now() + 60000,
+      });
+
+      expect(headers['X-RateLimit-Remaining']).toBe('50');
+    });
+
+    it('generates X-RateLimit-Reset header', () => {
+      const resetTime = Date.now() + 60000;
+      const headers = getRateLimitHeaders({
+        limit: 100,
+        remaining: 50,
+        resetTime,
+      });
+
+      expect(headers['X-RateLimit-Reset']).toBe(String(Math.ceil(resetTime / 1000)));
+    });
+
+    it('includes Retry-After when blocked', () => {
+      const headers = getRateLimitHeaders({
+        limit: 100,
+        remaining: 0,
+        resetTime: Date.now() + 60000,
+        blocked: true,
+      });
+
+      expect(headers['Retry-After']).toBeDefined();
+    });
+  });
+
+  describe('isWhitelisted', () => {
+    it('returns true for whitelisted IPs', () => {
+      const result = isWhitelisted('192.168.1.1', ['192.168.1.1', '10.0.0.1']);
+
+      expect(result).toBe(true);
+    });
+
+    it('returns false for non-whitelisted IPs', () => {
+      const result = isWhitelisted('192.168.1.2', ['192.168.1.1', '10.0.0.1']);
+
+      expect(result).toBe(false);
+    });
+
+    it('supports CIDR notation', () => {
+      const result = isWhitelisted('192.168.1.50', ['192.168.1.0/24']);
+
+      expect(result).toBe(true);
+    });
+
+    it('handles empty whitelist', () => {
+      const result = isWhitelisted('192.168.1.1', []);
+
+      expect(result).toBe(false);
+    });
+  });
+
+  describe('isBlacklisted', () => {
+    it('returns true for blacklisted IPs', () => {
+      const result = isBlacklisted('192.168.1.1', ['192.168.1.1']);
+
+      expect(result).toBe(true);
+    });
+
+    it('returns false for non-blacklisted IPs', () => {
+      const result = isBlacklisted('192.168.1.2', ['192.168.1.1']);
+
+      expect(result).toBe(false);
+    });
+
+    it('supports CIDR notation', () => {
+      const result = isBlacklisted('10.0.0.50', ['10.0.0.0/24']);
+
+      expect(result).toBe(true);
+    });
+  });
+
+  describe('createRateLimiter', () => {
+    it('creates rate limiter with methods', () => {
+      const limiter = createRateLimiter({
+        limits: {
+          default: { maxRequests: 100, windowMs: 60000 },
+        },
+      });
+
+      expect(limiter.check).toBeDefined();
+      expect(limiter.getHeaders).toBeDefined();
+      expect(limiter.reset).toBeDefined();
+    });
+
+    it('respects whitelist', () => {
+      const limiter = createRateLimiter({
+        limits: { default: { maxRequests: 1, windowMs: 60000 } },
+        whitelist: ['192.168.1.1'],
+      });
+
+      // Exhaust limit
+      limiter.check({ ip: '192.168.1.1', endpoint: '/api/test' });
+      limiter.check({ ip: '192.168.1.1', endpoint: '/api/test' });
+
+      const result = limiter.check({ ip: '192.168.1.1', endpoint: '/api/test' });
+      expect(result.allowed).toBe(true);
+    });
+
+    it('blocks blacklisted IPs immediately', () => {
+      const limiter = createRateLimiter({
+        limits: { default: { maxRequests: 100, windowMs: 60000 } },
+        blacklist: ['192.168.1.1'],
+      });
+
+      const result = limiter.check({ ip: '192.168.1.1', endpoint: '/api/test' });
+      expect(result.allowed).toBe(false);
+      expect(result.reason).toContain('blacklist');
+    });
+
+    it('uses per-endpoint limits when available', () => {
+      const limiter = createRateLimiter({
+        limits: {
+          default: { maxRequests: 100, windowMs: 60000 },
+          '/api/auth/login': { maxRequests: 5, windowMs: 60000 },
+        },
+      });
+
+      const result = limiter.check({ ip: '192.168.1.1', endpoint: '/api/auth/login' });
+      expect(result.limit).toBe(5);
+    });
+
+    it('falls back to default limit', () => {
+      const limiter = createRateLimiter({
+        limits: {
+          default: { maxRequests: 100, windowMs: 60000 },
+        },
+      });
+
+      const result = limiter.check({ ip: '192.168.1.1', endpoint: '/api/unknown' });
+      expect(result.limit).toBe(100);
+    });
+  });
+});