import rateLimit, { ipKeyGenerator } from 'express-rate-limit' const trustProxy = process.env.NODE_ENV === 'production' const getClientIpKey = (req: Parameters[0]) => trustProxy ? ipKeyGenerator((req.headers['x-forwarded-for'] as string)?.split(',')[0]?.trim() ?? req.ip ?? '') : ipKeyGenerator(req.ip ?? '') // Strict limiter for auth endpoints — prevents brute-force and credential stuffing export const authLimiter = rateLimit({ windowMs: 15 * 60 * 1000, // 15 minutes max: 960, standardHeaders: 'draft-7', legacyHeaders: false, skipSuccessfulRequests: false, keyGenerator: (req) => getClientIpKey(req), message: { error: 'too_many_requests', message: 'Too many attempts, please try again later', statusCode: 429 }, }) // Standard limiter for general authenticated API endpoints export const apiLimiter = rateLimit({ windowMs: 60 * 1000, // 1 minute max: 960, standardHeaders: 'draft-7', legacyHeaders: false, keyGenerator: (req) => { const ip = getClientIpKey(req) const companyId = (req as any).companyId ?? '' const renterId = (req as any).renterId ?? '' return `${ip}:${companyId || renterId}` }, message: { error: 'too_many_requests', message: 'Rate limit exceeded', statusCode: 429 }, }) // Tight limiter for public marketplace and site endpoints (no auth) export const publicLimiter = rateLimit({ windowMs: 60 * 1000, max: 960, standardHeaders: 'draft-7', legacyHeaders: false, keyGenerator: (req) => getClientIpKey(req), message: { error: 'too_many_requests', message: 'Rate limit exceeded', statusCode: 429 }, }) // Tight limiter for admin endpoints export const adminLimiter = rateLimit({ windowMs: 15 * 60 * 1000, max: 960, standardHeaders: 'draft-7', legacyHeaders: false, keyGenerator: (req) => getClientIpKey(req), message: { error: 'too_many_requests', message: 'Too many admin requests', statusCode: 429 }, })