feat(security): integrate database for rate limiting

teycir · teycir · commit 86327008ef15 · 2025-12-22T18:41:46.000+01:00
Moves database initialization to route scope for better performance.
This enables persistent storage and more robust, scalable rate limiting mechanisms.
diff --git a/lib/routeHelper.ts b/lib/routeHelper.ts
@@ -4,6 +4,7 @@ import { createContainer } from './container';
 import { createHandler, HandlerContext } from './apiHandler';
 import { withRateLimit } from './rateLimit';
 import { getRequestFingerprint } from './security';
+import { createDatabase } from './database';
 
 interface RouteHandlerOptions {
   rateLimit?: { limit: number; window: number };
@@ -21,20 +22,20 @@ export function createAPIRoute(
   return async (request: NextRequest, routeParams?: any) => {
     const ip = request.headers.get('CF-Connecting-IP') || 'unknown';
     const fingerprint = getRequestFingerprint(request);
+    const { env } = await getCloudflareContext<{ env: CloudflareEnv }>();
     
     const wrappedHandler = async () => {
       const apiHandler = createHandler(async (ctx: HandlerContext) => {
-        const { env } = await getCloudflareContext<{ env: CloudflareEnv }>();
         const container = createContainer(env);
         return handler({ ...ctx, container });
       });
       
-      const { env } = await getCloudflareContext<{ env: CloudflareEnv }>();
       return apiHandler({ request, ip, env });
     };
 
     if (options.rateLimit) {
-      return withRateLimit(request, wrappedHandler, { ...options.rateLimit, key: fingerprint });
+      const db = createDatabase(env);
+      return withRateLimit(request, wrappedHandler, { ...options.rateLimit, key: fingerprint, db });
     }
     
     return wrappedHandler();
diff --git a/tests/unit/securityDB.test.ts b/tests/unit/securityDB.test.ts
@@ -0,0 +1,90 @@
+import { describe, it, expect, beforeEach } from '@jest/globals';
+import { SealDatabase } from '../../lib/database';
+
+describe('DB-backed Security', () => {
+  let mockDB: any;
+  let db: SealDatabase;
+
+  beforeEach(() => {
+    const store = new Map<string, any>();
+    
+    mockDB = {
+      prepare: (sql: string) => ({
+        bind: (...args: any[]) => ({
+          run: async () => {
+            if (sql.includes('INSERT INTO rate_limits')) {
+              store.set(args[0], { count: 1, reset_at: args[1] });
+              return { success: true };
+            }
+            if (sql.includes('UPDATE rate_limits')) {
+              const existing = store.get(args[0]);
+              if (existing) existing.count++;
+              return { success: true };
+            }
+            if (sql.includes('INSERT INTO nonces')) {
+              if (store.has(`nonce:${args[0]}`)) throw new Error('Duplicate');
+              store.set(`nonce:${args[0]}`, args[1]);
+              return { success: true };
+            }
+            return { success: true };
+          },
+          first: async () => {
+            if (sql.includes('rate_limits')) {
+              return store.get(args[0]) || null;
+            }
+            return null;
+          },
+        }),
+      }),
+    };
+    
+    db = new SealDatabase(mockDB);
+  });
+
+  it('should enforce rate limits', async () => {
+    const key = 'test-fingerprint';
+    
+    const r1 = await db.checkRateLimit(key, 2, 60000);
+    expect(r1.allowed).toBe(true);
+    expect(r1.remaining).toBe(1);
+    
+    const r2 = await db.checkRateLimit(key, 2, 60000);
+    expect(r2.allowed).toBe(true);
+    expect(r2.remaining).toBeGreaterThanOrEqual(0);
+    
+    const r3 = await db.checkRateLimit(key, 2, 60000);
+    expect(r3.allowed).toBe(false);
+  });
+
+  it('should reset rate limits after window', async () => {
+    const key = 'test-fingerprint';
+    const now = Date.now();
+    
+    mockDB.prepare = (sql: string) => ({
+      bind: (...args: any[]) => ({
+        run: async () => ({ success: true }),
+        first: async () => {
+          if (sql.includes('rate_limits')) {
+            return { count: 2, reset_at: now - 1000 }; // Expired
+          }
+          return null;
+        },
+      }),
+    });
+    
+    const result = await db.checkRateLimit(key, 2, 60000);
+    expect(result.allowed).toBe(true);
+    expect(result.remaining).toBe(1);
+  });
+
+  it('should reject replay attacks', async () => {
+    const nonce = 'test-nonce-123';
+    const expiresAt = Date.now() + 300000;
+    
+    const first = await db.storeNonce(nonce, expiresAt);
+    expect(first).toBe(true);
+    
+    const replay = await db.storeNonce(nonce, expiresAt);
+    expect(replay).toBe(false);
+  });
+});
