feat(auth): named rate limiters (skip in tests)

packages/backend/package.json

@@ -22,6 +22,7 @@
     "cookie-parser": "^1.4.7",
     "drizzle-orm": "^0.33.0",
     "express": "^4.19.0",
+    "express-rate-limit": "^8.5.2",
     "multer": "^1.4.5-lts.1",
     "nodemailer": "^8.0.7",
     "xlsx": "^0.18.5",

packages/backend/src/middleware/rate-limit.ts

@@ -0,0 +1,21 @@
+import rateLimit from 'express-rate-limit';
+
+const fifteenMin = 15 * 60 * 1000;
+
+function makeLimiter(max: number, codeMessage = 'Too many attempts, please try again later') {
+  return rateLimit({
+    windowMs: fifteenMin,
+    limit: max,
+    standardHeaders: 'draft-7',
+    legacyHeaders: false,
+    skip: () => process.env.NODE_ENV === 'test',
+    handler: (_req, res) => {
+      res.status(429).json({ error: { code: 'RATE_LIMITED', message: codeMessage } });
+    },
+  });
+}
+
+export const loginLimiter = makeLimiter(10);
+export const registerLimiter = makeLimiter(5);
+export const forgotPasswordLimiter = makeLimiter(5);
+export const tokenLimiter = makeLimiter(20);