Summary
Add Redis-backed rate limiting on public API endpoints to protect against abuse — extend the in-memory event cap (#7) with IP and API-key based limits at the edge.
Background
Issue #7 caps score-impacting events per wallet per month. There is no protection against:
- Challenge endpoint spam (
POST /api/auth/challenge)
- Brute-force signature attempts
- Platform API key abuse on
/api/events/report
Vercel serverless makes in-memory rate limits ineffective across instances.
Proposed implementation
Provider: Upstash Redis (Vercel Marketplace integration)
Middleware: Server/src/middleware/rate-limit.middleware.ts
| Route |
Limit |
POST /api/auth/challenge |
10/min per IP |
POST /api/auth/*/signed |
5/min per IP |
POST /api/events/report |
100/min per API key |
GET /api/user/*/score |
60/min per lender key |
Response: HTTP 429 with Retry-After header
Env: UPSTASH_REDIS_REST_URL, UPSTASH_REDIS_REST_TOKEN
Acceptance criteria
Related
Out of scope
- Vercel WAF rules (complementary)
- Per-wallet global rate limits
Summary
Add Redis-backed rate limiting on public API endpoints to protect against abuse — extend the in-memory event cap (#7) with IP and API-key based limits at the edge.
Background
Issue #7 caps score-impacting events per wallet per month. There is no protection against:
POST /api/auth/challenge)/api/events/reportVercel serverless makes in-memory rate limits ineffective across instances.
Proposed implementation
Provider: Upstash Redis (Vercel Marketplace integration)
Middleware:
Server/src/middleware/rate-limit.middleware.tsPOST /api/auth/challengePOST /api/auth/*/signedPOST /api/events/reportGET /api/user/*/scoreResponse: HTTP 429 with
Retry-AfterheaderEnv:
UPSTASH_REDIS_REST_URL,UPSTASH_REDIS_REST_TOKENAcceptance criteria
.env.example/healthendpointsRelated
Out of scope