fix: centralize ratelimiting

ankur-arch · ankur-arch · commit c85291936bbe · 2025-09-10T16:31:21.000+06:00
diff --git a/claim-db-worker/app/api/analytics/route.ts b/claim-db-worker/app/api/analytics/route.ts
@@ -1,12 +1,12 @@
 import { NextRequest, NextResponse } from "next/server";
 import { getEnv } from "@/lib/env";
-import { getClientIP } from "@/lib/utils";
+import { buildRateLimitKey } from "@/lib/server/ratelimit";
 
 export async function POST(request: NextRequest) {
   const env = getEnv();
 
   const url = new URL(request.url);
-  const key = `${getClientIP(request)}:${request.url}`;
+  const key = buildRateLimitKey(request);
 
   // --- Simple rate limiting ---
   const { success } = await env.CLAIM_DB_RATE_LIMITER.limit({ key });
diff --git a/claim-db-worker/app/api/auth/callback/route.ts b/claim-db-worker/app/api/auth/callback/route.ts
@@ -1,4 +1,4 @@
-import { NextRequest } from "next/server";
+import { NextRequest, NextResponse } from "next/server";
 import { getEnv } from "@/lib/env";
 import { exchangeCodeForToken, validateProject } from "@/lib/auth-utils";
 import {
@@ -7,6 +7,7 @@ import {
   getBaseUrl,
 } from "@/lib/response-utils";
 import { transferProject } from "@/lib/project-transfer";
+import { buildRateLimitKey } from "@/lib/server/ratelimit";
 
 async function sendServerAnalyticsEvent(
   event: string,
@@ -46,21 +47,25 @@ async function sendServerAnalyticsEvent(
 export async function GET(request: NextRequest) {
   try {
     const env = getEnv();
-    const { searchParams } = new URL(request.url);
+    const url = new URL(request.url);
+    const { searchParams } = url;
 
     const code = searchParams.get("code");
     const state = searchParams.get("state");
     const projectID = searchParams.get("projectID");
 
-    // Rate limiting
-    const rateLimitResult = await env.CLAIM_DB_RATE_LIMITER.limit({
-      key: request.url,
-    });
-    if (!rateLimitResult.success) {
-      return redirectToError(
-        request,
-        "Rate Limited",
-        "We're experiencing high demand. Please try again later."
+    const key = buildRateLimitKey(request);
+
+    // --- Simple rate limiting ---
+    const { success } = await env.CLAIM_DB_RATE_LIMITER.limit({ key });
+    if (!success) {
+      return NextResponse.json(
+        {
+          error: "rate_limited",
+          message: "Rate limit exceeded. Please try again later.",
+          path: url.pathname,
+        },
+        { status: 429 }
       );
     }
 
diff --git a/claim-db-worker/app/api/claim/route.ts b/claim-db-worker/app/api/claim/route.ts
@@ -1,12 +1,13 @@
 import { NextRequest, NextResponse } from "next/server";
 import { getEnv } from "@/lib/env";
 import { sendAnalyticsEvent } from "@/lib/analytics";
-import { getClientIP } from "@/lib/utils";
+import { buildRateLimitKey } from "@/lib/server/ratelimit";
 
 export async function GET(request: NextRequest) {
   const env = getEnv();
+
   const url = new URL(request.url);
-  const key = `${getClientIP(request)}:${request.url}`;
+  const key = buildRateLimitKey(request);
 
   // --- Simple rate limiting ---
   const { success } = await env.CLAIM_DB_RATE_LIMITER.limit({ key });
diff --git a/claim-db-worker/lib/server/ratelimit.ts b/claim-db-worker/lib/server/ratelimit.ts
@@ -0,0 +1,17 @@
+import type { NextRequest } from "next/server";
+
+export function getClientIP(req: NextRequest): string {
+  // OpenNext on CF Workers exposes the Request headers directly
+  // Consider: prefer CF header in prod; only then fall back to XFF/X-Real-IP/Forwarded.
+  return (
+    req.headers.get("cf-connecting-ip") ||
+    req.headers.get("x-forwarded-for")?.split(",")[0]?.trim() ||
+    req.headers.get("x-real-ip") ||
+    "unknown-ip"
+  );
+}
+
+export function buildRateLimitKey(req: NextRequest) {
+  const url = new URL(req.url);
+  return `${req.method}:${getClientIP(req)}:${url.pathname}`;
+}
diff --git a/claim-db-worker/lib/utils.ts b/claim-db-worker/lib/utils.ts
@@ -1,5 +1,3 @@
-import { NextRequest } from "next/server";
-
 export const cookieUtils = {
   set: (name: string, value: string, days: number = 1) => {
     const expires = new Date();
@@ -24,13 +22,3 @@ export const cookieUtils = {
     document.cookie = `${name}=;expires=Thu, 01 Jan 1970 00:00:00 UTC;path=/;`;
   },
 };
-
-export function getClientIP(req: NextRequest): string {
-  // OpenNext on CF Workers exposes the Request headers directly
-  return (
-    req.headers.get("cf-connecting-ip") ||
-    req.headers.get("x-forwarded-for")?.split(",")[0]?.trim() ||
-    req.headers.get("x-real-ip") ||
-    "unknown-ip"
-  );
-}
