Implement rate limiting for analytics and mutation endpoints; update EADME and add tests

README.md

@@ -173,11 +173,16 @@ The backend includes abuse-oriented security instrumentation middleware.
   - `security.failed_login_attempt`
   - `security.rate_limit_triggered`
   - `security.suspicious_pattern`
+- Rate-limit logs include the limiter profile, request method, request path, threshold, and window without logging raw API keys or user identifiers.
 
 ### Thresholds (env-configurable)
 
 | Env var | Default | Meaning |
 |---|---|---|
+| `ANALYTICS_RATE_LIMIT_WINDOW_MS` | `900000` | Analytics read rate-limit window |
+| `ANALYTICS_RATE_LIMIT_MAX` | `120` | Max analytics requests per client key or IP in the analytics window |
+| `MUTATION_RATE_LIMIT_WINDOW_MS` | `900000` | Mutation endpoint rate-limit window for `POST`, `PUT`, `PATCH`, `DELETE` |
+| `MUTATION_RATE_LIMIT_MAX` | `40` | Max mutation requests per client key or IP in the mutation window |
 | `SECURITY_RATE_LIMIT_WINDOW_MS` | `60000` | Rate-limit lookback window |
 | `SECURITY_RATE_LIMIT_MAX_REQUESTS` | `120` | Max requests per IP in rate-limit window |
 | `SECURITY_SUSPICIOUS_WINDOW_MS` | `300000` | Lookback window for suspicious pattern checks |

package.json

@@ -8,8 +8,8 @@
     "build": "tsc",
     "start": "node dist/index.js",
     "lint": "eslint src --ext .ts",
-    "test": "node --experimental-vm-modules node_modules/jest/bin/jest.js",
-    "test:watch": "node --experimental-vm-modules node_modules/jest/bin/jest.js --watch",
+    "test": "node --experimental-vm-modules node_modules/jest/bin/jest.js --config jest.config.ts",
+    "test:watch": "node --experimental-vm-modules node_modules/jest/bin/jest.js --config jest.config.ts --watch",
     "test:api-keys": "tsx --test src/routes/apiKeys.test.ts",
     "test:vaults": "tsx --test src/routes/vaults.test.ts",
     "migrate:make": "knex migrate:make --knexfile knexfile.cjs --migrations-directory db/migrations --extension cjs",

src/index.ts

@@ -5,7 +5,12 @@ import { createJobsRouter } from './routes/jobs.js'
 import { BackgroundJobSystem } from './jobs/system.js'
 import { authRouter } from './routes/auth.js'
 import { analyticsRouter } from './routes/analytics.js'
-import { healthRateLimiter, vaultsRateLimiter } from './middleware/rateLimiter.js'
+import {
+  analyticsRateLimiter,
+  healthRateLimiter,
+  mutationRateLimiter,
+  vaultsRateLimiter,
+} from './middleware/rateLimiter.js'
 import { createExportRouter } from './routes/exports.js'
 import { transactionsRouter } from './routes/transactions.js'
 import { privacyRouter } from './routes/privacy.js'
@@ -37,13 +42,14 @@ app.use(securityMetricsMiddleware)
 app.use(securityRateLimitMiddleware)
 
 app.use('/api/health', healthRateLimiter, createHealthRouter(jobSystem))
+app.use('/api', mutationRateLimiter)
 app.use('/api/jobs', createJobsRouter(jobSystem))
 app.use('/api/vaults', vaultsRateLimiter, vaultsRouter)
 app.use('/api/vaults/:vaultId/milestones', milestonesRouter)
 app.use('/api/auth', authRouter)
 app.use('/api/exports', createExportRouter([]))
 app.use('/api/transactions', transactionsRouter)
-app.use('/api/analytics', analyticsRouter)
+app.use('/api/analytics', analyticsRateLimiter, analyticsRouter)
 app.use('/api/privacy', privacyRouter)
 app.use('/api/organizations', orgVaultsRouter)
 app.use('/api/organizations', orgAnalyticsRouter)