feat: Redis-backed tiered rate limiting for all sensitive routes

[anika00mangla]

---

Type of Change

• Bug fix
• New feature
• Refactor (no functional change)
• UI / Design change
• Tests only
• Documentation
• Infrastructure / DevOps
• Security

ISSUE NUMBER #256 RESOLVED

What Changed

• src/plugins/rate-limit.ts (new) — tiered rate limit plugin backed by existing Redis connection
• src/plugins/redis.ts — added plugin name for dependency ordering
• src/app.ts — replaced old in-memory global limit with new rateLimitPlugin
• src/routes/auth.ts — STRICT limits on all OAuth and auth routes
• src/routes/connect.ts — STRICT on OAuth callbacks, MODERATE on status/disconnect
• src/routes/profiles.ts, cards.ts, analytics.ts, follow.ts — MODERATE limits on all mutations
• src/routes/public.ts — RELAXED limits on public reads; fixed duplicate nested route registration bug
• tests/rate-limit.test.ts (new) — integration tests for all three tiers using ioredis-mock
• package.json — added ioredis-mock to devDependencies
• CONTRIBUTING.md — documented rate limit tiers and usage

---

How to Test

1. pnpm install then docker compose up -d && pnpm dev:backend
2. pnpm --filter @devcard/backend test
3. Hit an auth route 11+ times from the same IP — expect 302 for first 10, 429 with Retry-After after

---

Checklist

• My code follows the project's coding style (pnpm -r run lint passes).
• TypeScript compiles without errors (pnpm -r run typecheck).
• I have added or updated tests for the changes I made.
• All tests pass locally (pnpm -r run test).
• I have updated documentation where necessary.
• No new console.log or debug statements left in the code.
• Breaking changes are documented in this PR description.

---

Screenshots / Recordings

N/A — backend-only, no UI changes.

---

Additional Context

Rate limit state lives in Redis so counters persist across restarts. Authenticated routes key on user ID so users behind shared IPs are never incorrectly throttled.

Labels to add: security, backend, enhancement, area: backend, difficulty: advanced

[anika00mangla]

@Harxhit PLZ REVIEW AND MERGE IT AND PLZ ALSO PUT ALL THE REQUIRED LABELS TOO FOR GSSOC !! THANK YOU !!🙏

[anika00mangla]

@Harxhit plz merge this pull request !! and plz add all the required labels for gssoc : security, backend, enhancement, area: backend, difficulty: advanced

[anika00mangla]

@Harxhit ??????? ITS BEEN QUITE SOME DAYS SINCE I RAISED THIS PLEASE REVIEW IT

[github-actions]

CI Results — ❌ Some checks failed

🖥️ Backend (❌ failure)

Check	Status
Lint	❌ failure
Test	❌ failure
Typecheck	❌ failure

📱 Mobile (⏭️ skipped)

Check	Status
Lint	⚪ unknown
Test	⚪ unknown

🌐 Web (⏭️ skipped)

Check	Status
Check	⚪ unknown
Build	⚪ unknown

---

🕐 Last updated: Tue, 02 Jun 2026 19:41:25 GMT

[Harxhit]

Thank you for the contribution.

After reviewing this PR, I'm going to close it. The implementation currently does not meet the project's quality standards and contains multiple issues, including compilation errors, incorrect imports, API misuse, missing error handling, lint , typcheck and code paths that do not appear to have been tested locally.

Please ensure future submissions are fully validated with the project's build, lint, and test commands before opening a PR. Once these issues are addressed and the implementation has been thoroughly reviewed, you're welcome to submit a new pull request.

Thank you for your time and effort.