update production setup

This commit is contained in:
root
2026-05-10 19:19:56 -04:00
parent 6322b7d2a1
commit 2a75f47693
8 changed files with 191 additions and 34 deletions
+1 -1
View File
@@ -5,7 +5,7 @@
"scripts": {
"dev": "node --env-file=../../.env.local ../../node_modules/.bin/ts-node-dev --respawn --transpile-only src/index.ts",
"build": "tsc",
"start": "node --env-file=../../.env.local dist/index.js",
"start": "node dist/index.js",
"type-check": "tsc --noEmit"
},
"dependencies": {
+6
View File
@@ -32,6 +32,12 @@ import paymentsRouter from './routes/payments'
const app = express()
const server = http.createServer(app)
// Trust the first hop from a reverse proxy so req.ip and rate-limiting
// use the real client IP (from X-Forwarded-For) rather than the proxy's IP.
if (process.env.NODE_ENV === 'production') {
app.set('trust proxy', 1)
}
const v1 = '/api/v1'
const defaultCorsOrigins = [
'http://localhost:3000',
+8 -10
View File
@@ -1,15 +1,13 @@
import rateLimit, { ipKeyGenerator } from 'express-rate-limit'
import type { Request } from 'express'
const trustProxy = process.env.NODE_ENV === 'production'
const getClientIpKey = (req: Parameters<typeof ipKeyGenerator>[0]) =>
trustProxy
? ipKeyGenerator((req.headers['x-forwarded-for'] as string)?.split(',')[0]?.trim() ?? req.ip ?? '')
: ipKeyGenerator(req.ip ?? '')
// req.ip is already the real client IP when app.set('trust proxy', 1) is configured
const getClientIpKey = (req: Request) => ipKeyGenerator(req.ip ?? '')
// Strict limiter for auth endpoints — prevents brute-force and credential stuffing
export const authLimiter = rateLimit({
windowMs: 15 * 60 * 1000, // 15 minutes
max: 960,
max: 20,
standardHeaders: 'draft-7',
legacyHeaders: false,
skipSuccessfulRequests: false,
@@ -20,7 +18,7 @@ export const authLimiter = rateLimit({
// Standard limiter for general authenticated API endpoints
export const apiLimiter = rateLimit({
windowMs: 60 * 1000, // 1 minute
max: 960,
max: 120,
standardHeaders: 'draft-7',
legacyHeaders: false,
keyGenerator: (req) => {
@@ -32,10 +30,10 @@ export const apiLimiter = rateLimit({
message: { error: 'too_many_requests', message: 'Rate limit exceeded', statusCode: 429 },
})
// Tight limiter for public marketplace and site endpoints (no auth)
// Limiter for public marketplace and site endpoints (no auth)
export const publicLimiter = rateLimit({
windowMs: 60 * 1000,
max: 960,
max: 60,
standardHeaders: 'draft-7',
legacyHeaders: false,
keyGenerator: (req) => getClientIpKey(req),
@@ -45,7 +43,7 @@ export const publicLimiter = rateLimit({
// Tight limiter for admin endpoints
export const adminLimiter = rateLimit({
windowMs: 15 * 60 * 1000,
max: 960,
max: 100,
standardHeaders: 'draft-7',
legacyHeaders: false,
keyGenerator: (req) => getClientIpKey(req),