feat: implement comprehensive email system with rate limiting and extensive test suite

- Add robust email service with rate limiting and configuration management - Implement shared rate limiter utility for consistent API protection - Create comprehensive test suite for core processing pipeline - Add API tests for dashboard metrics and authentication routes - Fix date range picker infinite loop issue - Improve session lookup in refresh sessions API - Refactor session API routing with better code organization - Update processing pipeline status monitoring - Clean up leftover files and improve code formatting
2026-01-16 19:32:08 +01:00 · 2025-07-05 13:42:47 +02:00
parent 19628233ea
commit a0ac60cf04
36 changed files with 10714 additions and 5292 deletions
--- a/app/api/forgot-password/route.ts
+++ b/app/api/forgot-password/route.ts
@ -1,57 +1,25 @@
 import crypto from "node:crypto";
 import { type NextRequest, NextResponse } from "next/server";
 import { prisma } from "../../../lib/prisma";
+import { extractClientIP, InMemoryRateLimiter } from "../../../lib/rateLimiter";
 import { sendEmail } from "../../../lib/sendEmail";
 import { forgotPasswordSchema, validateInput } from "../../../lib/validation";

-// In-memory rate limiting with automatic cleanup
-const resetAttempts = new Map<string, { count: number; resetTime: number }>();
-const CLEANUP_INTERVAL = 5 * 60 * 1000;
-const MAX_ENTRIES = 10000;
-
-setInterval(() => {
-  const now = Date.now();
-  resetAttempts.forEach((attempts, ip) => {
-    if (now > attempts.resetTime) {
-      resetAttempts.delete(ip);
-    }
-  });
-}, CLEANUP_INTERVAL);
-
-function checkRateLimit(ip: string): boolean {
-  const now = Date.now();
-  // Prevent unbounded growth
-  if (resetAttempts.size > MAX_ENTRIES) {
-    const entries = Array.from(resetAttempts.entries());
-    entries.sort((a, b) => a[1].resetTime - b[1].resetTime);
-    entries.slice(0, Math.floor(MAX_ENTRIES / 2)).forEach(([ip]) => {
-      resetAttempts.delete(ip);
-    });
-  }
-  const attempts = resetAttempts.get(ip);
-
-  if (!attempts || now > attempts.resetTime) {
-    resetAttempts.set(ip, { count: 1, resetTime: now + 15 * 60 * 1000 }); // 15 minute window
-    return true;
-  }
-
-  if (attempts.count >= 5) {
-    // Max 5 reset requests per 15 minutes per IP
-    return false;
-  }
-
-  attempts.count++;
-  return true;
-}
+// Rate limiting for password reset endpoint
+const passwordResetLimiter = new InMemoryRateLimiter({
+  maxAttempts: 5,
+  windowMs: 15 * 60 * 1000, // 15 minutes
+  maxEntries: 10000,
+  cleanupIntervalMs: 5 * 60 * 1000, // 5 minutes
+});

 export async function POST(request: NextRequest) {
  try {
-    // Rate limiting check
-    const ip =
-      request.headers.get("x-forwarded-for") ||
-      request.headers.get("x-real-ip") ||
-      "unknown";
-    if (!checkRateLimit(ip)) {
+    // Rate limiting check using shared utility
+    const ip = extractClientIP(request);
+    const rateLimitResult = passwordResetLimiter.checkRateLimit(ip);
+
+    if (!rateLimitResult.allowed) {
      return NextResponse.json(
        {
          success: false,