feat(shared-hono): add rate limiting middleware

In-memory sliding window rate limiter with per-IP tracking, configurable limits, and automatic stale entry cleanup. Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
2026-05-14 21:21:10 +02:00 · 2026-04-01 14:55:22 +02:00 · 2026-04-01 14:55:22 +02:00 · 408762e2d6
commit 408762e2d6
parent cb85fba820
3 changed files with 73 additions and 1 deletions
--- a/packages/shared-hono/package.json
+++ b/packages/shared-hono/package.json
@ -13,7 +13,8 @@
 		"./health": "./src/health.ts",
 		"./admin": "./src/admin.ts",
 		"./error": "./src/error.ts",
-		"./credits": "./src/credits.ts"
+		"./credits": "./src/credits.ts",
+		"./rate-limit": "./src/rate-limit.ts"
 	},
 	"scripts": {
 		"type-check": "tsc --noEmit"
--- a/packages/shared-hono/src/index.ts
+++ b/packages/shared-hono/src/index.ts
@ -40,4 +40,5 @@ export { adminRoutes } from './admin';
 export { errorHandler, notFoundHandler } from './error';
 export { getBalance, validateCredits, consumeCredits, refundCredits } from './credits';
 export type { CreditBalance, CreditValidationResult } from './credits';
+export { rateLimitMiddleware } from './rate-limit';
 export type { CurrentUserData, AuthVariables } from './types';
--- a/packages/shared-hono/src/rate-limit.ts
+++ b/packages/shared-hono/src/rate-limit.ts
@ -0,0 +1,70 @@
+/**
+ * Simple in-memory rate limiting middleware for Hono servers.
+ *
+ * Uses a sliding window counter per IP address.
+ * Suitable for single-instance deployments (Mac Mini).
+ *
+ * Usage:
+ * ```ts
+ * import { rateLimitMiddleware } from '@manacore/shared-hono/rate-limit';
+ * app.use('/api/*', rateLimitMiddleware({ max: 100, windowMs: 60_000 }));
+ * ```
+ */
+
+import type { Context, Next } from 'hono';
+
+interface RateLimitOptions {
+	/** Maximum requests per window (default: 100) */
+	max?: number;
+	/** Window duration in milliseconds (default: 60_000 = 1 minute) */
+	windowMs?: number;
+	/** Key extractor — defaults to IP address */
+	keyFn?: (c: Context) => string;
+}
+
+interface WindowEntry {
+	count: number;
+	resetAt: number;
+}
+
+const store = new Map<string, WindowEntry>();
+
+// Cleanup stale entries every 5 minutes
+setInterval(() => {
+	const now = Date.now();
+	for (const [key, entry] of store) {
+		if (entry.resetAt <= now) store.delete(key);
+	}
+}, 5 * 60_000);
+
+export function rateLimitMiddleware(options: RateLimitOptions = {}) {
+	const { max = 100, windowMs = 60_000, keyFn } = options;
+
+	return async (c: Context, next: Next) => {
+		const key = keyFn
+			? keyFn(c)
+			: c.req.header('x-forwarded-for')?.split(',')[0]?.trim() ||
+				c.req.header('x-real-ip') ||
+				'unknown';
+
+		const now = Date.now();
+		let entry = store.get(key);
+
+		if (!entry || entry.resetAt <= now) {
+			entry = { count: 0, resetAt: now + windowMs };
+			store.set(key, entry);
+		}
+
+		entry.count++;
+
+		c.header('X-RateLimit-Limit', String(max));
+		c.header('X-RateLimit-Remaining', String(Math.max(0, max - entry.count)));
+		c.header('X-RateLimit-Reset', String(Math.ceil(entry.resetAt / 1000)));
+
+		if (entry.count > max) {
+			return c.json({ error: 'Too many requests' }, 429);
+		}
+
+		await next();
+	};
+}