implement rate limit

.env.sample

@@ -16,4 +16,9 @@ CRON_SECRET=
 # mainnet or sepolia
 # Note: Not everything is supported on sepolia
 # Default: mainnet
-NEXT_PUBLIC_NETWORK=mainnet
+NEXT_PUBLIC_NETWORK=mainnet
+UPSTASH_REDIS_REST_URL=
+UPSTASH_REDIS_REST_TOKEN=
+# Rate limiting configuration
+RATE_LIMIT_REQUESTS=50
+RATE_LIMIT_WINDOW="60 s"

package.json

@@ -13,7 +13,8 @@
     "format:check": "prettier --check \"**/*.{ts,tsx,json}\"",
     "format:fix": "prettier --write \"**/*.{ts,tsx,json}\"",
     "prepare": "husky",
-    "postinstall": "prisma generate"
+    "postinstall": "prisma generate",
+    "test:ratelimit": "ts-node --project tsconfig.server.json src/scripts/test-rate-limit.ts"
   },
   "files": [
     "CHANGELOG.md",
@@ -34,6 +35,8 @@
     "@tanstack/query-core": "5.28.0",
     "@types/mixpanel-browser": "2.49.0",
     "@types/mustache": "4.2.5",
+    "@upstash/ratelimit": "^2.0.5",
+    "@upstash/redis": "^1.34.3",
     "@vercel/analytics": "1.2.2",
     "@vercel/speed-insights": "1.0.12",
     "axios": "1.6.7",
@@ -86,6 +89,7 @@
     "prettier": "3.3.3",
     "prisma": "5.18.0",
     "tailwindcss": "3.3.0",
+    "ts-node": "^10.9.2",
     "typescript": "5"
   },
   "engines": {

src/app/api/price/[name]/route.ts

@@ -1,6 +1,8 @@
 import { NextResponse } from 'next/server';
 
 export const revalidate = 300; // 5 mins
+export const runtime = 'nodejs';
+export const dynamic = 'force-dynamic';
 
 // only meant for backend calls
 async function initRedis() {

src/app/api/raffle/luckyWinner/route.ts

@@ -3,6 +3,7 @@
 import { NextResponse } from 'next/server';
 
 export const dynamic = 'force-dynamic'; // static by default, unless reading the request
+export const runtime = 'nodejs';
 
 export async function GET(request: Request) {
   const authHeader = request.headers.get('authorization');
@@ -50,7 +51,7 @@
         userId: true,
       },
     });
     if (totalExistingWinners.length == raffleParticipants.length) {
       return NextResponse.json({
         success: false,
         message: 'No new participants found',
@@ -111,7 +112,7 @@
     }
 
     // Check if we were able to select enough winners
     if (luckyWinners.length == 0) {
       return NextResponse.json({
         success: false,
         message: 'No winner found',

src/app/api/raffle/route.ts

@@ -4,6 +4,9 @@ import { db } from '@/db';
 import { getStrategies } from '@/store/strategies.atoms';
 import { standariseAddress } from '@/utils';
 
+export const runtime = 'nodejs';
+export const dynamic = 'force-dynamic';
+
 export async function POST(req: Request) {
   const { address, type } = await req.json();
 

src/app/api/referral/createUser/route.ts

@@ -3,6 +3,9 @@ import { NextResponse } from 'next/server';
 import { db } from '@/db';
 import { standariseAddress } from '@/utils';
 
+export const runtime = 'nodejs';
+export const dynamic = 'force-dynamic';
+
 function isSixDigitAlphanumeric(str: string) {
   const regex = /^[a-zA-Z0-9]{6}$/;
   return regex.test(str);

src/app/api/stats/[address]/route.ts

@@ -3,6 +3,8 @@ import { standariseAddress } from '@/utils';
 import { NextResponse } from 'next/server';
 
 export const revalidate = 0;
+export const runtime = 'nodejs';
+export const dynamic = 'force-dynamic';
 
 export async function GET(_req: Request, context: any) {
   const { params } = context;

src/app/api/stats/route.ts

@@ -2,6 +2,8 @@ import { getStrategies } from '@/store/strategies.atoms';
 import { NextResponse } from 'next/server';
 
 export const revalidate = 1800;
+export const runtime = 'nodejs';
+export const dynamic = 'force-dynamic';
 
 export async function GET(_req: Request) {
   const strategies = getStrategies();

src/app/api/strategies/route.ts

@@ -11,6 +11,8 @@
 import { STRKFarmStrategyAPIResult } from '@/store/strkfarm.atoms';
 
 export const revalidate = 3600; // 1 hr
+export const runtime = 'nodejs';
+export const dynamic = 'force-dynamic';
 
 const allPoolsAtom = atom<PoolInfo[]>((get) => {
   const pools: PoolInfo[] = [];
@@ -25,7 +27,7 @@
   const hasRequiredPools = minProtocolsRequired.every((p) => {
     if (!allPools) return false;
     return allPools.some(
       (pool) => pool.protocol.name === p && pool.type == PoolType.Lending,
     );
   });
   const MAX_RETRIES = 120;
@@ -90,7 +92,7 @@
   };
 }
 
 export async function GET(req: Request) {
   const allPools = await getPools(MY_STORE);
   const strategies = getStrategies();
 

src/app/api/tnc/getUser/[address]/route.ts

@@ -2,6 +2,8 @@ import { NextResponse } from 'next/server';
 
 import { db } from '@/db';
 import { standariseAddress } from '@/utils';
+export const runtime = 'nodejs';
+export const dynamic = 'force-dynamic';
 
 export async function GET(req: Request, context: any) {
   const { params } = context;

src/app/api/tnc/signUser/route.ts

@@ -8,6 +8,9 @@
 import Mixpanel from 'mixpanel';
 const mixpanel = Mixpanel.init('118f29da6a372f0ccb6f541079cad56b');
 
+export const runtime = 'nodejs';
+export const dynamic = 'force-dynamic';
+
 export async function POST(req: Request) {
   const { address, signature } = await req.json();
 
@@ -94,7 +97,7 @@
 
   if (!isValid) {
     try {
       const cls = await provider.getClassAt(address, 'pending');
       // means account is deployed
       return NextResponse.json({
         success: false,
@@ -178,7 +181,7 @@
       }),
     });
     console.debug('verifyMessageHash resp', resp);
     if (Number(resp[0]) == 0) {
       throw new Error('Invalid signature');
     }
     return true;

src/app/api/users/ognft/[address]/route.ts

@@ -4,6 +4,8 @@ import { standariseAddress } from '../../../../../utils';
 import OGNFTUsersJson from '../../../../../../public/og_nft_eligible_users.json';
 
 export const revalidate = 3600;
+export const runtime = 'nodejs';
+export const dynamic = 'force-dynamic';
 
 export async function GET(req: Request, context: any) {
   try {

src/lib/redis.ts

@@ -0,0 +1,5 @@
+import { Redis } from '@upstash/redis';
+
+const redis = Redis.fromEnv();
+
+export default redis;

src/middleware.ts

@@ -0,0 +1,56 @@
+import { NextRequest, NextResponse } from 'next/server';
+import { Ratelimit } from '@upstash/ratelimit';
+import redis from './lib/redis';
+
+export const config = {
+  matcher: ['/api/:path*'],
+};
+
+const RATE_LIMIT_REQUESTS = parseInt(
+  process.env.RATE_LIMIT_REQUESTS || '20',
+  10,
+);
+const RATE_LIMIT_WINDOW = process.env.RATE_LIMIT_WINDOW || '10 s';
+
+const ratelimit = new Ratelimit({
+  redis,
+  limiter: Ratelimit.slidingWindow(
+    RATE_LIMIT_REQUESTS,
+    RATE_LIMIT_WINDOW as `${number} s`,
+  ),
+  analytics: true,
+  prefix: '@upstash/ratelimit',
+});
+
+export async function middleware(request: NextRequest) {
+  const ip = request.headers.get('x-forwarded-for') || '127.0.0.1';
+  const identifier = ip;
+
+  let success, limit, remaining, reset;
+  try {
+    const result = await ratelimit.limit(identifier);
+    success = result.success;
+    limit = result.limit;
+    remaining = result.remaining;
+    reset = result.reset;
+  } catch (error) {
+    console.log(error);
+    return NextResponse.json(
+      { message: 'Internal Server Error' },
+      { status: 500 },
+    );
+  }
+
+  const response = success
+    ? NextResponse.next()
+    : NextResponse.json(
+        { message: 'Rate limit exceeded', limit, remaining, reset },
+        { status: 429 },
+      );
+
+  response.headers.set('X-RateLimit-Limit', limit.toString());
+  response.headers.set('X-RateLimit-Remaining', remaining.toString());
+  response.headers.set('X-RateLimit-Reset', reset.toString());
+
+  return response;
+}

src/scripts/test-rate-limit.ts

@@ -0,0 +1,30 @@
+async function testRateLimit(url: string, attempts: number) {
+  console.log(`Testing rate limit for ${url}`);
+  for (let i = 0; i < attempts; i++) {
+    const response = await fetch(url);
+    const remaining = response.headers.get('X-RateLimit-Remaining');
+    console.log(
+      `Attempt ${i + 1}: Status ${response.status}, Remaining: ${remaining}`,
+    );
+    await new Promise((resolve) => setTimeout(resolve, 100)); // Wait 100ms between requests
+  }
+  console.log('\n');
+}
+
+async function runTests() {
+  const baseUrl = 'http://localhost:3000/api';
+  await testRateLimit(`${baseUrl}/price`, 25);
+  await testRateLimit(`${baseUrl}/raffle`, 25);
+  await testRateLimit(`${baseUrl}/raffle/luckyWinner`, 25);
+  await testRateLimit(`${baseUrl}/referral/createUser`, 25);
+  await testRateLimit(`${baseUrl}/stats`, 25);
+  await testRateLimit(`${baseUrl}/stats/[address]`, 25);
+  await testRateLimit(`${baseUrl}/strategies`, 25);
+  await testRateLimit(`${baseUrl}/tnc/getUser`, 25);
+  await testRateLimit(`${baseUrl}/tnc/getUser/[address]`, 25);
+  await testRateLimit(`${baseUrl}/tnc/signUser`, 25);
+  await testRateLimit(`${baseUrl}/users/ognft`, 25);
+  await testRateLimit(`${baseUrl}/users/ognft/[address]`, 25);
+}
+
+runTests().catch(console.error);

src/types/redis.d.ts

@@ -0,0 +1,5 @@
+declare module 'lib/redis' {
+  import { Redis } from '@upstash/redis';
+  const redis: Redis;
+  export default redis;
+}

tsconfig.server.json

@@ -0,0 +1,11 @@
+{
+  "extends": "./tsconfig.json",
+  "compilerOptions": {
+    "module": "commonjs",
+    "outDir": "./dist",
+    "rootDir": "./",
+    "esModuleInterop": true,
+    "skipLibCheck": true
+  },
+  "include": ["scripts/**/*.ts"]
+}