chore: setup api route for chat streaming

Author: kevinkim-ogp

packages/backend/src/helpers/__tests__/get-client-ip.test.ts

@@ -0,0 +1,74 @@
+import type { Request } from 'express'
+import { describe, expect, it } from 'vitest'
+
+import { getClientIp } from '../get-client-ip'
+
+describe('getClientIp', () => {
+  it('should return Cloudflare IP when cf-connecting-ip header is present', () => {
+    const mockReq = {
+      headers: {
+        'cf-connecting-ip': '203.0.113.42',
+      },
+      socket: {
+        remoteAddress: '192.168.1.1',
+      },
+    } as unknown as Request
+
+    expect(getClientIp(mockReq)).toBe('203.0.113.42')
+  })
+
+  it('should return socket remote address when no CF header', () => {
+    const mockReq = {
+      headers: {},
+      socket: {
+        remoteAddress: '192.168.1.1',
+      },
+    } as unknown as Request
+
+    expect(getClientIp(mockReq)).toBe('192.168.1.1')
+  })
+
+  it('should trim and return first IP when multiple IPs in remote address', () => {
+    const mockReq = {
+      headers: {},
+      socket: {
+        remoteAddress: '192.168.1.1, 10.0.0.1, 172.16.0.1',
+      },
+    } as unknown as Request
+
+    expect(getClientIp(mockReq)).toBe('192.168.1.1')
+  })
+
+  it('should return "unknown" when no IP information is available', () => {
+    const mockReq = {
+      headers: {},
+      socket: {},
+    } as unknown as Request
+
+    expect(getClientIp(mockReq)).toBe('unknown')
+  })
+
+  it('should prioritize CF header over socket address', () => {
+    const mockReq = {
+      headers: {
+        'cf-connecting-ip': '203.0.113.1',
+      },
+      socket: {
+        remoteAddress: '192.168.1.100',
+      },
+    } as unknown as Request
+
+    expect(getClientIp(mockReq)).toBe('203.0.113.1')
+  })
+
+  it('should handle IPv6 addresses', () => {
+    const mockReq = {
+      headers: {},
+      socket: {
+        remoteAddress: '2001:db8::1',
+      },
+    } as unknown as Request
+
+    expect(getClientIp(mockReq)).toBe('2001:db8::1')
+  })
+})

packages/backend/src/helpers/authentication.ts

@@ -8,6 +8,7 @@ import {
   getLoggedInUser,
   parseAdminToken,
 } from '@/helpers/auth'
+import { getClientIp } from '@/helpers/get-client-ip'
 import { UnauthenticatedContext } from '@/types/express/context'
 
 export const setCurrentUserContext = async ({
@@ -64,11 +65,7 @@ const isAdminOperation = rule()(
 
 const rateLimitRule = createRateLimitRule({
   identifyContext: (ctx: UnauthenticatedContext) => {
-    // get ip address of request in this order: cf-connecting-ip -> remoteAddress
-    const userIp =
-      (ctx.req.headers['cf-connecting-ip'] as string) ||
-      ctx.req.socket.remoteAddress.split(',')[0].trim()
-    return userIp
+    return getClientIp(ctx.req)
   },
   // recommended flag: https://github.com/teamplanes/graphql-rate-limit#enablebatchrequestcache
   enableBatchRequestCache: true,

packages/backend/src/helpers/get-client-ip.ts

@@ -0,0 +1,23 @@
+import type { Request } from 'express'
+
+/**
+ * Get client IP address from request.
+ * Checks in this order:
+ * 1. Cloudflare header (cf-connecting-ip)
+ * 2. Socket remote address
+ *
+ * This is the same logic used in GraphQL authentication.
+ */
+export function getClientIp(req: Request): string {
+  const cfIp = req.headers['cf-connecting-ip'] as string
+  if (cfIp) {
+    return cfIp
+  }
+
+  const remoteAddress = req.socket.remoteAddress
+  if (remoteAddress) {
+    return remoteAddress.split(',')[0].trim()
+  }
+
+  return 'unknown'
+}

packages/backend/src/routes/api/__tests__/middleware/rate-limit.test.ts

@@ -0,0 +1,201 @@
+import type { NextFunction, Request, Response } from 'express'
+import { RateLimiterRes } from 'rate-limiter-flexible'
+import { afterEach, beforeEach, describe, expect, it, vi } from 'vitest'
+
+import { rateLimitApi } from '../../middleware/rate-limit'
+
+const mocks = vi.hoisted(() => ({
+  rateLimiterRedis: {
+    consume: vi.fn(),
+  },
+  logger: {
+    warn: vi.fn(),
+    error: vi.fn(),
+  },
+  createRedisClient: vi.fn(),
+}))
+
+vi.mock('rate-limiter-flexible', async (importOriginal) => {
+  const actual = await importOriginal<typeof import('rate-limiter-flexible')>()
+  return {
+    ...actual,
+    RateLimiterRedis: vi.fn(function () {
+      return mocks.rateLimiterRedis
+    }),
+  }
+})
+
+vi.mock('@/helpers/logger', () => ({
+  default: mocks.logger,
+}))
+
+vi.mock('@/config/redis', () => ({
+  createRedisClient: mocks.createRedisClient,
+  REDIS_DB_INDEX: {
+    RATE_LIMIT: 'rate-limit',
+  },
+}))
+
+describe('Rate Limiting Middleware', () => {
+  let mockReq: Partial<Request>
+  let mockRes: Partial<Response>
+  let mockNext: NextFunction
+
+  beforeEach(() => {
+    mockReq = {
+      headers: {},
+      socket: {
+        remoteAddress: '127.0.0.1',
+      } as any,
+      context: {
+        currentUser: {
+          id: 'test-user-id',
+          email: '[email protected]',
+        } as any,
+        isAdminOperation: false,
+      } as any,
+    }
+
+    mockRes = {
+      status: vi.fn().mockReturnThis(),
+      json: vi.fn(),
+    } as Partial<Response>
+
+    mockNext = vi.fn()
+
+    vi.clearAllMocks()
+  })
+
+  afterEach(() => {
+    vi.restoreAllMocks()
+  })
+
+  describe('rateLimitApi', () => {
+    it('should allow request when under rate limit', async () => {
+      mocks.rateLimiterRedis.consume.mockResolvedValueOnce({})
+
+      await rateLimitApi(mockReq as Request, mockRes as Response, mockNext)
+
+      expect(mocks.rateLimiterRedis.consume).toHaveBeenCalledWith(
+        'test-user-id',
+      )
+      expect(mockNext).toHaveBeenCalledOnce()
+      expect(mockRes.status).not.toHaveBeenCalled()
+    })
+
+    it('should use user ID for rate limiting when user is authenticated', async () => {
+      mocks.rateLimiterRedis.consume.mockResolvedValueOnce({})
+
+      await rateLimitApi(mockReq as Request, mockRes as Response, mockNext)
+
+      expect(mocks.rateLimiterRedis.consume).toHaveBeenCalledWith(
+        'test-user-id',
+      )
+      expect(mockNext).toHaveBeenCalledOnce()
+    })
+
+    it('should use IP address when user is not authenticated', async () => {
+      mockReq.context = {
+        currentUser: null,
+        isAdminOperation: false,
+      } as any
+      mockReq.socket = {
+        remoteAddress: '192.168.1.1',
+      } as any
+
+      mocks.rateLimiterRedis.consume.mockResolvedValueOnce({})
+
+      await rateLimitApi(mockReq as Request, mockRes as Response, mockNext)
+
+      expect(mocks.rateLimiterRedis.consume).toHaveBeenCalledWith('192.168.1.1')
+      expect(mockNext).toHaveBeenCalledOnce()
+    })
+
+    it('should use Cloudflare IP when available', async () => {
+      mockReq.context = {
+        currentUser: null,
+        isAdminOperation: false,
+      } as any
+      mockReq.headers = {
+        'cf-connecting-ip': '203.0.113.42',
+      }
+
+      mocks.rateLimiterRedis.consume.mockResolvedValueOnce({})
+
+      await rateLimitApi(mockReq as Request, mockRes as Response, mockNext)
+
+      expect(mocks.rateLimiterRedis.consume).toHaveBeenCalledWith(
+        '203.0.113.42',
+      )
+      expect(mockNext).toHaveBeenCalledOnce()
+    })
+
+    it('should return 429 when rate limit is exceeded', async () => {
+      const rateLimitError = Object.assign(new RateLimiterRes(), {
+        msBeforeNext: 5000,
+      })
+
+      mocks.rateLimiterRedis.consume.mockRejectedValueOnce(rateLimitError)
+
+      await rateLimitApi(mockReq as Request, mockRes as Response, mockNext)
+
+      expect(mockRes.status).toHaveBeenCalledWith(429)
+      expect(mockRes.json).toHaveBeenCalledWith({
+        error: 'Too many requests',
+        message: 'Rate limit exceeded. Please try again later.',
+      })
+      expect(mockNext).not.toHaveBeenCalled()
+    })
+
+    it('should log rate limit violations', async () => {
+      const rateLimitError = Object.assign(new RateLimiterRes(), {
+        msBeforeNext: 3000,
+      })
+
+      mocks.rateLimiterRedis.consume.mockRejectedValueOnce(rateLimitError)
+
+      await rateLimitApi(mockReq as Request, mockRes as Response, mockNext)
+
+      expect(mocks.logger.warn).toHaveBeenCalledWith(
+        'API endpoint rate limited',
+        expect.objectContaining({
+          event: 'api-rate-limited',
+          userId: 'test-user-id',
+          remainingMs: 3000,
+        }),
+      )
+    })
+
+    it('should handle errors gracefully and continue', async () => {
+      const genericError = new Error('Redis connection failed')
+      mocks.rateLimiterRedis.consume.mockRejectedValueOnce(genericError)
+
+      await rateLimitApi(mockReq as Request, mockRes as Response, mockNext)
+
+      expect(mocks.logger.error).toHaveBeenCalledWith(
+        'Error in rate limiting middleware',
+        { error: genericError },
+      )
+      expect(mockNext).toHaveBeenCalledOnce()
+      expect(mockRes.status).not.toHaveBeenCalled()
+    })
+
+    it('should use IP fallback when no user is available', async () => {
+      mockReq.context = {
+        currentUser: null,
+        isAdminOperation: false,
+      } as any
+      mockReq.socket = {
+        remoteAddress: '10.0.0.1',
+      } as any
+      mockReq.headers = {}
+
+      mocks.rateLimiterRedis.consume.mockResolvedValueOnce({})
+
+      await rateLimitApi(mockReq as Request, mockRes as Response, mockNext)
+
+      expect(mocks.rateLimiterRedis.consume).toHaveBeenCalledWith('10.0.0.1')
+      expect(mockNext).toHaveBeenCalledOnce()
+    })
+  })
+})

packages/backend/src/routes/api/index.ts

@@ -0,0 +1,12 @@
+import { Router } from 'express'
+
+const router = Router()
+
+// Mount individual API routes
+
+// Future routes can be added here:
+// router.use('/users', usersRouter)
+// router.use('/analytics', analyticsRouter)
+// etc.
+
+export default router

packages/backend/src/routes/api/middleware/authentication.ts

@@ -0,0 +1,51 @@
+import type { NextFunction, Request, Response } from 'express'
+
+import { setCurrentUserContext as setGraphQLContext } from '@/helpers/authentication'
+import type Context from '@/types/express/context'
+
+/**
+ * Middleware to set the current user context on the request object.
+ * This reuses the same authentication logic as GraphQL mutations.
+ */
+export async function setCurrentUserContext(
+  req: Request,
+  res: Response,
+  next: NextFunction,
+) {
+  // Reuse the GraphQL context creation logic
+  const context = await setGraphQLContext({ req, res })
+
+  // Attach context to the request object
+  req.context = context as Context
+
+  next()
+}
+
+/**
+ * Middleware to ensure the user is authenticated before allowing the request to proceed.
+ * Returns 401 if the user is not authenticated.
+ */
+export function requireAuthentication(
+  req: Request,
+  res: Response,
+  next: NextFunction,
+) {
+  if (!req.context?.currentUser) {
+    res.status(401).json({ error: 'Not Authorised!' })
+    return
+  }
+
+  next()
+}
+
+/**
+ * Type guard to ensure the request has an authenticated context.
+ * Use this in route handlers to get type-safe access to currentUser.
+ */
+export function getAuthenticatedContext(req: Request): Context {
+  if (!req.context?.currentUser) {
+    throw new Error('User must be authenticated')
+  }
+
+  return req.context as Context
+}