
fix(backend): Enforce Payment Creation Rate Limit in Controller (#140)#182

Merged
Pvsaint merged 2 commits intoMetroLogic:mainfrom
Adacancode:fix/140-enforce-payment-rate-limit-controller
Feb 26, 2026

Conversation

@Adacancode

Overview

Ensures payment creation rate limiting is enforced in the createPayment controller path.
When a merchant exceeds the configured limit, the API now returns 429 Too Many Requests and includes a Retry-After header derived from a shared rate-limit window config.

Closes #140

Changes

Controller

  • [MODIFY] payment.controller.ts
    • Enforces rate-limit gate in createPayment via await PaymentService.checkRateLimit(merchantId).
    • Returns 429 when exceeded.
    • Sets Retry-After header using PaymentService.getRateLimitWindowSeconds().

Service

  • [MODIFY] payment.service.ts
    • Added PaymentService.getRateLimitWindowSeconds().
    • Updated checkRateLimit to use configurable window duration (default 60 seconds).
    • Continues using configurable PAYMENT_RATE_LIMIT_PER_MINUTE (default 5).

Tests

  • [MODIFY] payment.controller.test.ts
    • Mocks getRateLimitWindowSeconds.
    • Verifies Retry-After is set and 429 is returned when rate limit is exceeded.
  • [MODIFY] payment.service.test.ts
    • Added tests for getRateLimitWindowSeconds default and env-configured values.

Config

  • [MODIFY] .env.example
    • Added:
      • PAYMENT_RATE_LIMIT_WINDOW_SECONDS=60
    • Existing:
      • PAYMENT_RATE_LIMIT_PER_MINUTE=5

How to Run Tests

From fluxapay_backend:

npm test -- src/controllers/__tests__/payment.controller.test.ts src/services/__tests__/payment.service.test.ts

Verification Results

| Requirement | Status |
| --- | --- |
| createPayment calls checkRateLimit | Done |
| Exceeded limit returns 429 | Done |
| Retry-After header is returned | Done |
| Limit configurable via PAYMENT_RATE_LIMIT_PER_MINUTE | Done |
| Window configurable (header + query window) | Done |
| Controller/service tests pass | Done |

Verification Evidence

Test run result:

  • PASS src/controllers/__tests__/payment.controller.test.ts
  • PASS src/services/__tests__/payment.service.test.ts
  • Test Suites: 2 passed, 2 total
  • Tests: 9 passed, 9 total

…nt-rate-limit-controller

# Conflicts:
#	fluxapay_backend/src/controllers/payment.controller.ts
#	fluxapay_backend/src/services/payment.service.ts
@Pvsaint Pvsaint merged commit fa804bf into MetroLogic:main Feb 26, 2026
1 check failed
Development

Successfully merging this pull request may close these issues.

[Backend] Rate limiting: Enforce payment creation rate limit in controller

3 participants