fix: return json rate limit errors

Author: Ceyvion

apps/api/src/middleware/rateLimit.js

@@ -1,8 +1,10 @@
 import rateLimit from "express-rate-limit";
+import { fail } from "../utils/response.js";
 
 export const apiLimiter = rateLimit({
   windowMs: 15 * 60 * 1000,
   limit: 200,
   standardHeaders: "draft-7",
-  legacyHeaders: false
+  legacyHeaders: false,
+  handler: (req, res) => fail(res, "Too many requests", 429)
 });

apps/api/src/tests/rateLimit.test.js

@@ -0,0 +1,40 @@
+import test from "node:test";
+import assert from "node:assert/strict";
+import { createApp } from "../app.js";
+
+async function withServer(run) {
+  const app = createApp();
+  const server = app.listen(0);
+
+  await new Promise((resolve, reject) => {
+    server.once("listening", resolve);
+    server.once("error", reject);
+  });
+
+  try {
+    const { port } = server.address();
+    await run(`http://127.0.0.1:${port}`);
+  } finally {
+    await new Promise((resolve, reject) => {
+      server.close((error) => (error ? reject(error) : resolve()));
+    });
+  }
+}
+
+test("API rate limiter returns JSON failure envelope", async () => {
+  await withServer(async (baseUrl) => {
+    let response;
+    for (let i = 0; i < 201; i += 1) {
+      response = await fetch(`${baseUrl}/api/users`);
+    }
+
+    const payload = await response.json();
+
+    assert.equal(response.status, 429);
+    assert.match(response.headers.get("content-type"), /application\/json/);
+    assert.deepEqual(payload, {
+      success: false,
+      message: "Too many requests",
+    });
+  });
+});