tasks-backend/middleware/rateLimiter.js

const rateLimit = require('express-rate-limit');
const logger = require('../config/logger');

/**
 * Create a custom rate limit handler
 */
const createRateLimitHandler = (req, res) => {
  logger.logSecurityEvent('Rate limit exceeded', req);
  
  res.status(429).json({
    status: 'error',
    message: 'Too many requests from this IP, please try again later.',
    retryAfter: res.getHeader('Retry-After')
  });
};

/**
 * General API rate limiter
 * 100 requests per 15 minutes per IP
 */
const apiLimiter = rateLimit({
  windowMs: 15 * 60 * 1000, // 15 minutes
  max: 100, // Limit each IP to 100 requests per windowMs
  message: 'Too many requests from this IP, please try again after 15 minutes',
  standardHeaders: true, // Return rate limit info in the `RateLimit-*` headers
  legacyHeaders: false, // Disable the `X-RateLimit-*` headers
  handler: createRateLimitHandler,
  skip: (req) => {
    // Skip rate limiting for health check endpoint
    return req.path === '/health';
  }
});

/**
 * Strict rate limiter for authentication endpoints
 * 5 requests per 15 minutes per IP
 */
const authLimiter = rateLimit({
  windowMs: 15 * 60 * 1000, // 15 minutes
  max: 5, // Limit each IP to 5 requests per windowMs
  message: 'Too many authentication attempts, please try again after 15 minutes',
  standardHeaders: true,
  legacyHeaders: false,
  handler: createRateLimitHandler,
  skipSuccessfulRequests: false // Count all requests, including successful ones
});

/**
 * Rate limiter for login attempts
 * More restrictive - 5 attempts per 15 minutes
 */
const loginLimiter = rateLimit({
  windowMs: 15 * 60 * 1000,
  max: 5,
  message: 'Too many login attempts, please try again after 15 minutes',
  standardHeaders: true,
  legacyHeaders: false,
  handler: createRateLimitHandler,
  skipFailedRequests: false // Count both successful and failed attempts
});

/**
 * Rate limiter for registration
 * 3 registrations per hour per IP
 */
const registerLimiter = rateLimit({
  windowMs: 60 * 60 * 1000, // 1 hour
  max: 3,
  message: 'Too many accounts created from this IP, please try again after an hour',
  standardHeaders: true,
  legacyHeaders: false,
  handler: createRateLimitHandler
});

/**
 * Rate limiter for password reset
 * 3 requests per hour per IP
 */
const passwordResetLimiter = rateLimit({
  windowMs: 60 * 60 * 1000,
  max: 3,
  message: 'Too many password reset attempts, please try again after an hour',
  standardHeaders: true,
  legacyHeaders: false,
  handler: createRateLimitHandler
});

/**
 * Rate limiter for quiz creation
 * 30 quizzes per hour per user
 */
const quizLimiter = rateLimit({
  windowMs: 60 * 60 * 1000,
  max: 30,
  message: 'Too many quizzes started, please try again later',
  standardHeaders: true,
  legacyHeaders: false,
  handler: createRateLimitHandler
});

/**
 * Rate limiter for admin operations
 * 100 requests per 15 minutes
 */
const adminLimiter = rateLimit({
  windowMs: 15 * 60 * 1000,
  max: 100,
  message: 'Too many admin requests, please try again later',
  standardHeaders: true,
  legacyHeaders: false,
  handler: createRateLimitHandler
});

/**
 * Rate limiter for guest session creation
 * 5 guest sessions per hour per IP
 */
const guestSessionLimiter = rateLimit({
  windowMs: 60 * 60 * 1000,
  max: 5,
  message: 'Too many guest sessions created, please try again later',
  standardHeaders: true,
  legacyHeaders: false,
  handler: createRateLimitHandler
});

/**
 * Rate limiter for API documentation
 * Prevent abuse of documentation endpoint
 */
const docsLimiter = rateLimit({
  windowMs: 15 * 60 * 1000,
  max: 50,
  message: 'Too many requests to documentation, please try again later',
  standardHeaders: true,
  legacyHeaders: false,
  handler: createRateLimitHandler
});

module.exports = {
  apiLimiter,
  authLimiter,
  loginLimiter,
  registerLimiter,
  passwordResetLimiter,
  quizLimiter,
  adminLimiter,
  guestSessionLimiter,
  docsLimiter
};