feat: add rate limiting functionality to waitlist router

Author: tobiasz-gleba

apps/api/package.json

@@ -22,12 +22,14 @@
   },
   "dependencies": {
     "@asyncstatus/email": "workspace:*",
+    "@hono-rate-limiter/cloudflare": "0.2.2",
     "@hono/zod-validator": "0.4.3",
     "@libsql/client": "0.15.2",
     "better-auth": "1.2.5",
     "dayjs": "1.11.13",
     "drizzle-orm": "0.41.0",
     "hono": "4.7.6",
+    "hono-rate-limiter": "0.4.2",
     "resend": "4.2.0"
   },
   "devDependencies": {

apps/api/src/index.ts

@@ -14,6 +14,7 @@ import { invitationRouter } from "./routers/invitation";
 import { memberRouter } from "./routers/organization/member";
 import { organizationRouter } from "./routers/organization/organization";
 import { waitlistRouter } from "./routers/waitlist";
+import { createRateLimiter } from "./lib/rate-limiter";
 
 const app = new Hono<HonoEnv>()
   .use(
@@ -36,6 +37,11 @@ const app = new Hono<HonoEnv>()
     c.set("resend", resend);
     const auth = createAuth(c.env, db, resend);
     c.set("auth", auth);
+    const waitlistRateLimiter = createRateLimiter(c.env, {
+      windowMs: 60 * 60 * 1000, // 60 minutes
+      limit: 10, // Limit each IP to 100 requests per `window` (here, per 15 minutes).
+    });
+    c.set("auth", auth);
     const session = await auth.api.getSession({ headers: c.req.raw.headers });
     if (!session) {
       c.set("session", null);

apps/api/src/lib/env.ts

@@ -4,6 +4,7 @@ import type { Resend } from "resend";
 import type { Db } from "../db";
 import * as schema from "../db/schema";
 import type { Auth } from "./auth";
+import type { RateLimiter } from "./rate-limiter";
 
 export type Bindings = {
   TURSO_URL: string;
@@ -18,13 +19,15 @@ export type Bindings = {
   RESEND_API_KEY: string;
   WEB_APP_URL: string;
   PRIVATE_BUCKET: R2Bucket;
+  RATE_LIMITER: KVNamespace;
 };
 
 export type Variables = {
   auth: Auth;
   db: Db;
   resend: Resend;
   session: Auth["$Infer"]["Session"] | null;
+  waitlistRateLimiter: RateLimiter;
 };
 
 export type HonoEnv = {

apps/api/src/lib/rate-limiter.ts

@@ -0,0 +1,15 @@
+import type { HonoEnv } from "./env";
+import { WorkersKVStore } from "@hono-rate-limiter/cloudflare";
+import { rateLimiter } from "hono-rate-limiter";
+
+export function createRateLimiter(env: HonoEnv["Bindings"], options: {windowMs: number; limit: number}) {
+  return rateLimiter<HonoEnv>({
+    windowMs: options.windowMs, // 15 minutes
+    limit: options.limit, // Limit each IP to 100 requests per `window` (here, per 15 minutes).
+    standardHeaders: "draft-6", // draft-6: `RateLimit-*` headers; draft-7: combined `RateLimit` header
+    keyGenerator: (c) => c.req.header("cf-connecting-ip") ?? "", // Method to generate custom identifiers for clients.
+    store: new WorkersKVStore({ namespace: env.RATE_LIMITER }), // Here CACHE is your WorkersKV Binding.
+  })
+};
+
+export type RateLimiter = ReturnType<typeof createRateLimiter>;

apps/api/src/routers/waitlist.ts

@@ -11,6 +11,7 @@ import { zCreateWaitlistUser } from "../schema/waitlist";
 export const waitlistRouter = new Hono<HonoEnv>().post(
   "/",
   zValidator("json", zCreateWaitlistUser),
+  async (c, next) => {c.var.waitlistRateLimiter(c, next)},
   async (c) => {
     const { firstName, lastName, email } = c.req.valid("json");
     const existingUser = await c.var.db.query.user.findFirst({