feat: add Redis-backed API rate limits by snkk2x-collab · Pull Request #62 · Zcorehub/ZCore-dev

snkk2x-collab · 2026-06-19T22:47:05Z

Summary

Implements Redis-backed public API rate limiting for #42 using Upstash Redis REST without adding a production SDK dependency.

Added a reusable rate-limit.middleware.ts with route-specific limits:
- POST /api/auth/challenge: 10/min per IP
- POST /api/auth/*/signed: 5/min per IP
- POST /api/events/report: 100/min per API key
- GET /api/user/{wallet}/score: 60/min per lender API key
Returns HTTP 429 with Retry-After and readable JSON when the limit is exceeded.
Fails open with a warning if Upstash is not configured or temporarily unavailable.
Added Vitest coverage for allow-without-Redis, 429 responses, and Redis failure fallback.
Documented UPSTASH_REDIS_REST_URL and UPSTASH_REDIS_REST_TOKEN in .env.example and README.

pnpm --dir Server exec vitest run src/middleware/__tests__/rate-limit.middleware.test.ts
pnpm --dir Server exec vitest run
pnpm --dir Server exec tsc --noEmit --declaration false

Closes #42

snkk2x-collab mentioned this pull request Jun 19, 2026

Redis-backed rate limiting on public API endpoints #42

Closed

6 tasks

snkk2x-collab force-pushed the codex/redis-rate-limit-42 branch from d7f7718 to 9c9f674 Compare June 19, 2026 23:02

feat: add Redis-backed API rate limits

e9eb058

snkk2x-collab force-pushed the codex/redis-rate-limit-42 branch from e4b4e68 to e9eb058 Compare June 19, 2026 23:06

fix: align rate limiting with upstream

284bd3d