webupdate

backend/config/rateLimiter.js

@@ -7,15 +7,28 @@ const createRateLimiter = (config, limitType = "API") => {
     windowMs: config.windowMs,
     max: config.max,
     skipSuccessfulRequests: config.skipSuccessfulRequests || false,
+    skipFailedRequests: config.skipFailedRequests || false,
     message: {
       success: false,
       message: config.message,
     },
     standardHeaders: true,
     legacyHeaders: false,
+    // Use X-Forwarded-For header from nginx/proxy - properly handle IPv6
+    keyGenerator: (req, res) => {
+      const ip =
+        req.headers["x-forwarded-for"]?.split(",")[0]?.trim() ||
+        req.headers["x-real-ip"] ||
+        req.ip ||
+        req.connection.remoteAddress;
+      // Normalize IPv6 addresses to prevent bypass
+      return ip.includes(":") ? ip.replace(/:/g, "-") : ip;
+    },
     handler: (req, res) => {
+      const clientIp =
+        req.headers["x-forwarded-for"]?.split(",")[0]?.trim() || req.ip;
       logger.warn(`${limitType} rate limit exceeded`, {
-        ip: req.ip,
+        ip: clientIp,
         path: req.path,
         email: req.body?.email,
       });
@@ -35,7 +48,7 @@ const apiLimiter = createRateLimiter(
     max: parseInt(process.env.RATE_LIMIT_MAX_REQUESTS) || RATE_LIMITS.API.max,
     message: "Too many requests from this IP, please try again later.",
   },
-  "API"
+  "API",
 );
 
 // Strict limiter for authentication endpoints
@@ -46,7 +59,7 @@ const authLimiter = createRateLimiter(
     skipSuccessfulRequests: true,
     message: "Too many login attempts, please try again after 15 minutes.",
   },
-  "Auth"
+  "Auth",
 );
 
 // File upload limiter
@@ -56,7 +69,7 @@ const uploadLimiter = createRateLimiter(
     max: RATE_LIMITS.UPLOAD.max,
     message: "Upload limit reached, please try again later.",
   },
-  "Upload"
+  "Upload",
 );
 
 module.exports = {