Feat/rate limiting (#950)

* feat: higher pool

* feat: rate limiting

Author: coodos

.env.example

@@ -5,6 +5,10 @@ NEO4J_PASSWORD=your-neo4j-password
 
 PUBLIC_EVAULT_SERVER_URI=http://localhost:4000
 
+# Rate limiting (requests per minute)
+RATE_LIMIT_PER_PLATFORM=250
+RATE_LIMIT_PER_IP=500
+
 REGISTRY_ENTROPY_KEY_JWK='{"kty":"EC","use":"sig","alg":"ES256","kid":"entropy-key-1","crv":"P-256","x":"your-x-value","y":"your-y-value","d":"your-d-value"}'
 ENCRYPTION_PASSWORD="your-encryption-password"
 W3ID="@your-w3id"

infrastructure/evault-core/src/core/db/db.service.ts

@@ -1289,20 +1289,13 @@ export class DbService {
                 : "AND m.id < $cursorId";
         }
 
-        // Get total count (without pagination)
+        // Run count + main query in a single session to reduce pool pressure
         const countQuery = `
             MATCH (m:MetaEnvelope)
             WHERE ${conditions.join(" AND ")}
             ${searchCondition}
             RETURN count(m) AS total
         `;
-        const countResult = await this.runQueryInternal(countQuery, params);
-        const totalCount =
-            countResult.records[0]?.get("total")?.toNumber?.() ??
-            countResult.records[0]?.get("total") ??
-            0;
-
-        // Build main query with pagination
         const orderDirection = isBackward ? "DESC" : "ASC";
         const mainQuery = `
             MATCH (m:MetaEnvelope)
@@ -1315,9 +1308,22 @@ export class DbService {
             MATCH (m)-[:LINKS_TO]->(e:Envelope)
             RETURN m.id AS id, m.ontology AS ontology, m.acl AS acl, collect(e) AS envelopes
         `;
-
         params.limitPlusOne = neo4j.int(limit + 1);
-        const result = await this.runQueryInternal(mainQuery, params);
+
+        const session = this.driver.session();
+        let countResult;
+        let result;
+        try {
+            countResult = await session.run(countQuery, params);
+            result = await session.run(mainQuery, params);
+        } finally {
+            await session.close();
+        }
+
+        const totalCount =
+            countResult.records[0]?.get("total")?.toNumber?.() ??
+            countResult.records[0]?.get("total") ??
+            0;
 
         // Process results
         let records = result.records;

infrastructure/evault-core/src/core/db/retry-neo4j.ts

@@ -23,7 +23,13 @@ export async function connectWithRetry(
             const driver = neo4j.driver(
                 uri,
                 neo4j.auth.basic(user, password),
-                { encrypted: "ENCRYPTION_OFF" }, // or { encrypted: false }
+                {
+                    encrypted: "ENCRYPTION_OFF",
+                    maxConnectionPoolSize: 300,
+                    connectionAcquisitionTimeout: 120_000,
+                    maxConnectionLifetime: 30 * 60 * 1000,
+                    connectionTimeout: 30_000,
+                },
             );
             await driver.getServerInfo();
             console.log("Connected to Neo4j!");

infrastructure/evault-core/src/core/http/global-rate-limiter.ts

@@ -0,0 +1,78 @@
+import { decodeJwt } from "jose";
+
+const WINDOW_MS = 60_000; // 1-minute window
+const MAX_REQUESTS_PER_PLATFORM =
+    Number(process.env.RATE_LIMIT_PER_PLATFORM) || 250;
+const MAX_REQUESTS_PER_IP = Number(process.env.RATE_LIMIT_PER_IP) || 500;
+
+interface RateRecord {
+    count: number;
+    windowStart: number;
+}
+
+const platformRecords = new Map<string, RateRecord>();
+const ipRecords = new Map<string, RateRecord>();
+
+function check(
+    map: Map<string, RateRecord>,
+    key: string,
+    limit: number,
+): { allowed: boolean; retryAfterSeconds: number } {
+    const now = Date.now();
+    let rec = map.get(key);
+
+    if (!rec || now - rec.windowStart > WINDOW_MS) {
+        rec = { count: 0, windowStart: now };
+        map.set(key, rec);
+    }
+
+    rec.count++;
+
+    if (rec.count > limit) {
+        const retryAfterSeconds = Math.ceil(
+            (rec.windowStart + WINDOW_MS - now) / 1000,
+        );
+        return { allowed: false, retryAfterSeconds };
+    }
+
+    return { allowed: true, retryAfterSeconds: 0 };
+}
+
+function extractPlatform(token: string): string | null {
+    try {
+        const payload = decodeJwt(token);
+        return (payload as any).platform ?? null;
+    } catch {
+        return null;
+    }
+}
+
+export function checkGlobalRateLimit(
+    token: string | null,
+    ip: string,
+): { allowed: boolean; retryAfterSeconds: number } {
+    if (token) {
+        const platform = extractPlatform(token);
+        if (platform) {
+            const result = check(
+                platformRecords,
+                platform,
+                MAX_REQUESTS_PER_PLATFORM,
+            );
+            if (!result.allowed) return result;
+        }
+    }
+
+    return check(ipRecords, ip, MAX_REQUESTS_PER_IP);
+}
+
+// Periodically clean up stale entries to prevent memory growth
+setInterval(() => {
+    const now = Date.now();
+    for (const [key, rec] of platformRecords) {
+        if (now - rec.windowStart > WINDOW_MS) platformRecords.delete(key);
+    }
+    for (const [key, rec] of ipRecords) {
+        if (now - rec.windowStart > WINDOW_MS) ipRecords.delete(key);
+    }
+}, 60_000);

infrastructure/evault-core/src/index.ts

@@ -13,6 +13,7 @@ import { ProvisioningService } from "./services/ProvisioningService";
 import { VerificationService } from "./services/VerificationService";
 import { createHmacSignature } from "./utils/hmac";
 
+import { checkGlobalRateLimit } from "./core/http/global-rate-limiter";
 import fastifyCors from "@fastify/cors";
 import fastify, {
     type FastifyInstance,
@@ -176,6 +177,25 @@ const initializeEVault = async (
         credentials: true,
     });
 
+    // Global rate limiting by platform token identity (IP fallback)
+    fastifyServer.addHook("onRequest", async (request, reply) => {
+        const authHeader = request.headers.authorization;
+        const token = authHeader?.startsWith("Bearer ")
+            ? authHeader.substring(7)
+            : null;
+        const ip = request.ip;
+        const { allowed, retryAfterSeconds } = checkGlobalRateLimit(token, ip);
+        if (!allowed) {
+            reply
+                .code(429)
+                .header("Retry-After", String(retryAfterSeconds))
+                .send({
+                    error: "Too Many Requests",
+                    retryAfterSeconds,
+                });
+        }
+    });
+
     // Register HTTP routes with provisioning service if available
     await registerHttpRoutes(
         fastifyServer,