Skip to content
Open
Show file tree
Hide file tree
Changes from all commits
Commits
File filter

Filter by extension

Filter by extension


Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
14 changes: 14 additions & 0 deletions CONTRIBUTING.md
Original file line number Diff line number Diff line change
Expand Up @@ -353,3 +353,17 @@ All contributors will be recognized in the project. We value every contribution
<br />
<sub>Built with ❤️ by the FlipTrack community</sub>
</div>

---

## Rate Limiting

A reusable `rateLimit(request, limit, windowMs)` utility is available in `app/utils/rate-limit.server.ts`.

Example:

```ts
await rateLimit(request, 5, 60_000);
```

This implementation currently uses an in-memory store. Because FlipTrack is deployed on Vercel, the in-memory cache is per serverless invocation and is not shared across instances. For production deployments requiring distributed rate limiting, consider using a shared backend such as Upstash Redis or Vercel KV.
3 changes: 3 additions & 0 deletions app/routes/api.insights.ts
Original file line number Diff line number Diff line change
@@ -1,12 +1,15 @@
import type { Route } from "./+types/api.insights";
import { getSupabaseServerClient } from "~/utils/supabase.server";
import { rateLimit } from "~/utils/rate-limit.server";
import { PrismaClient } from "@prisma/client";
import { generateText } from "ai";
import { createGroq } from "@ai-sdk/groq";

const prisma = new PrismaClient();

export async function action({ request }: Route.ActionArgs) {
await rateLimit(request, 10, 60_000);

const groq = createGroq({ apiKey: process.env.GROQ_API_KEY });
const { supabase } = getSupabaseServerClient(request);
const { data: { user } } = await supabase.auth.getUser();
Expand Down
4 changes: 4 additions & 0 deletions app/routes/login-page.tsx
Original file line number Diff line number Diff line change
Expand Up @@ -6,6 +6,7 @@ import { LoginForm } from "~/blocks/login-page/login-form";
import { OAuthOptions } from "~/blocks/login-page/o-auth-options";
import { MagicLinkOption } from "~/blocks/login-page/magic-link-option";
import { SignupLink } from "~/blocks/login-page/signup-link";
import { rateLimit } from "~/utils/rate-limit.server";

export async function loader({ request }: Route.LoaderArgs) {
const { supabase, headers } = getSupabaseServerClient(request);
Expand All @@ -15,7 +16,10 @@ export async function loader({ request }: Route.LoaderArgs) {
}

export async function action({ request }: Route.ActionArgs) {
await rateLimit(request, 5, 60_000);

const { supabase, headers } = getSupabaseServerClient(request);

const formData = await request.formData();
const email = formData.get("email") as string;
const password = formData.get("password") as string;
Expand Down
4 changes: 4 additions & 0 deletions app/routes/signup-page.tsx
Original file line number Diff line number Diff line change
Expand Up @@ -7,6 +7,7 @@ import { SignupForm } from "~/blocks/signup-page/signup-form";
import { OAuthSignup } from "~/blocks/signup-page/o-auth-signup";
import { LoginLink } from "~/blocks/signup-page/login-link";
import { TermsAcceptance } from "~/blocks/signup-page/terms-acceptance";
import { rateLimit } from "~/utils/rate-limit.server";

const prisma = new PrismaClient();

Expand All @@ -18,7 +19,10 @@ export async function loader({ request }: Route.LoaderArgs) {
}

export async function action({ request }: Route.ActionArgs) {
await rateLimit(request, 5, 60_000);

const { supabase, headers } = getSupabaseServerClient(request);

const formData = await request.formData();
const name = formData.get("name") as string;
const email = formData.get("email") as string;
Expand Down
63 changes: 63 additions & 0 deletions app/utils/rate-limit.server.ts
Original file line number Diff line number Diff line change
@@ -0,0 +1,63 @@
import { PrismaClient } from "@prisma/client";

const prisma = new PrismaClient();

export function getClientIp(request: Request): string {
return (
request.headers.get("x-vercel-forwarded-for") ||
request.headers.get("x-real-ip") ||
request.headers.get("x-forwarded-for")?.split(",")[0].trim() ||
"unknown_ip"
);
}

export async function rateLimit(
request: Request,
limit = 5,
windowMs = 60_000
) {
const ip = getClientIp(request);
const now = new Date();

const resetAt = new Date(now.getTime() + windowMs);

const result = await prisma.rateLimit.upsert({
where: { ip },
create: {
ip,
count: 1,
resetAt,
},
update: {
count: {
increment: 1,
},
},
});

if (result.resetAt <= now) {
await prisma.rateLimit.update({
where: { ip },
data: {
count: 1,
resetAt,
},
});

return;
}

if (result.count > limit) {
throw new Response(
JSON.stringify({
error: "Too many attempts. Please try again later.",
}),
{
status: 429,
headers: {
"Content-Type": "application/json",
},
}
);
}
}
56 changes: 20 additions & 36 deletions package-lock.json

Some generated files are not rendered by default. Learn more about how customized files appear on GitHub.

Loading
Loading