add changes

middleware/rateLimiter.js

@@ -0,0 +1,150 @@
+const rateLimit = require('express-rate-limit');
+const logger = require('../config/logger');
+
+/**
+ * Create a custom rate limit handler
+ */
+const createRateLimitHandler = (req, res) => {
+  logger.logSecurityEvent('Rate limit exceeded', req);
+  
+  res.status(429).json({
+    status: 'error',
+    message: 'Too many requests from this IP, please try again later.',
+    retryAfter: res.getHeader('Retry-After')
+  });
+};
+
+/**
+ * General API rate limiter
+ * 100 requests per 15 minutes per IP
+ */
+const apiLimiter = rateLimit({
+  windowMs: 15 * 60 * 1000, // 15 minutes
+  max: 100, // Limit each IP to 100 requests per windowMs
+  message: 'Too many requests from this IP, please try again after 15 minutes',
+  standardHeaders: true, // Return rate limit info in the `RateLimit-*` headers
+  legacyHeaders: false, // Disable the `X-RateLimit-*` headers
+  handler: createRateLimitHandler,
+  skip: (req) => {
+    // Skip rate limiting for health check endpoint
+    return req.path === '/health';
+  }
+});
+
+/**
+ * Strict rate limiter for authentication endpoints
+ * 5 requests per 15 minutes per IP
+ */
+const authLimiter = rateLimit({
+  windowMs: 15 * 60 * 1000, // 15 minutes
+  max: 5, // Limit each IP to 5 requests per windowMs
+  message: 'Too many authentication attempts, please try again after 15 minutes',
+  standardHeaders: true,
+  legacyHeaders: false,
+  handler: createRateLimitHandler,
+  skipSuccessfulRequests: false // Count all requests, including successful ones
+});
+
+/**
+ * Rate limiter for login attempts
+ * More restrictive - 5 attempts per 15 minutes
+ */
+const loginLimiter = rateLimit({
+  windowMs: 15 * 60 * 1000,
+  max: 5,
+  message: 'Too many login attempts, please try again after 15 minutes',
+  standardHeaders: true,
+  legacyHeaders: false,
+  handler: createRateLimitHandler,
+  skipFailedRequests: false // Count both successful and failed attempts
+});
+
+/**
+ * Rate limiter for registration
+ * 3 registrations per hour per IP
+ */
+const registerLimiter = rateLimit({
+  windowMs: 60 * 60 * 1000, // 1 hour
+  max: 3,
+  message: 'Too many accounts created from this IP, please try again after an hour',
+  standardHeaders: true,
+  legacyHeaders: false,
+  handler: createRateLimitHandler
+});
+
+/**
+ * Rate limiter for password reset
+ * 3 requests per hour per IP
+ */
+const passwordResetLimiter = rateLimit({
+  windowMs: 60 * 60 * 1000,
+  max: 3,
+  message: 'Too many password reset attempts, please try again after an hour',
+  standardHeaders: true,
+  legacyHeaders: false,
+  handler: createRateLimitHandler
+});
+
+/**
+ * Rate limiter for quiz creation
+ * 30 quizzes per hour per user
+ */
+const quizLimiter = rateLimit({
+  windowMs: 60 * 60 * 1000,
+  max: 30,
+  message: 'Too many quizzes started, please try again later',
+  standardHeaders: true,
+  legacyHeaders: false,
+  handler: createRateLimitHandler
+});
+
+/**
+ * Rate limiter for admin operations
+ * 100 requests per 15 minutes
+ */
+const adminLimiter = rateLimit({
+  windowMs: 15 * 60 * 1000,
+  max: 100,
+  message: 'Too many admin requests, please try again later',
+  standardHeaders: true,
+  legacyHeaders: false,
+  handler: createRateLimitHandler
+});
+
+/**
+ * Rate limiter for guest session creation
+ * 5 guest sessions per hour per IP
+ */
+const guestSessionLimiter = rateLimit({
+  windowMs: 60 * 60 * 1000,
+  max: 5,
+  message: 'Too many guest sessions created, please try again later',
+  standardHeaders: true,
+  legacyHeaders: false,
+  handler: createRateLimitHandler
+});
+
+/**
+ * Rate limiter for API documentation
+ * Prevent abuse of documentation endpoint
+ */
+const docsLimiter = rateLimit({
+  windowMs: 15 * 60 * 1000,
+  max: 50,
+  message: 'Too many requests to documentation, please try again later',
+  standardHeaders: true,
+  legacyHeaders: false,
+  handler: createRateLimitHandler
+});
+
+module.exports = {
+  apiLimiter,
+  authLimiter,
+  loginLimiter,
+  registerLimiter,
+  passwordResetLimiter,
+  quizLimiter,
+  adminLimiter,
+  guestSessionLimiter,
+  docsLimiter
+};