
Add Tiered API Rate Limiting Based on User Subscription Level #337

@llinsss


Problem

All users have the same rate limits regardless of subscription tier. Need tiered rate limiting to support free, premium, and enterprise users.

Proposed Solution

Implement Redis-based rate limiting with different tiers and usage tracking.

Technical Implementation

New Files:

  • backend/services/TieredRateLimitService.js - Tiered rate limiting
  • backend/middleware/tieredRateLimit.js - Middleware
  • backend/models/ApiUsage.js - Usage tracking model
  • backend/controllers/apiUsageController.js - Usage endpoints
  • backend/routes/apiUsage.js - Usage routes
  • backend/migrations/20260327000025_create_api_usage.js - Migration
  • backend/workers/usageAggregation.js - Usage aggregation worker
  • backend/tests/tieredRateLimit.test.js - Test suite

Modify:

  • backend/config/rateLimiting.js - Add tier configuration
  • backend/models/User.js - Add subscription_tier field
  • backend/middleware/userRateLimit.js - Use tiered limits
  • backend/services/RateLimitService.js - Add tier support

Rate Limit Tiers

const RATE_LIMIT_TIERS = {
  FREE: {
    requestsPerMinute: 60,
    requestsPerHour: 1000,
    requestsPerDay: 10000,
    burstCapacity: 100
  },
  PREMIUM: {
    requestsPerMinute: 300,
    requestsPerHour: 10000,
    requestsPerDay: 100000,
    burstCapacity: 500
  },
  ENTERPRISE: {
    requestsPerMinute: 1000,
    requestsPerHour: 50000,
    requestsPerDay: 1000000,
    burstCapacity: 2000
  }
};

Response Headers

X-RateLimit-Tier: premium
X-RateLimit-Limit: 300
X-RateLimit-Remaining: 245
X-RateLimit-Reset: 1706284860
X-RateLimit-Burst-Capacity: 500
X-RateLimit-Burst-Remaining: 450

Acceptance Criteria

  • Redis-based rate limiting
  • Three tiers: Free, Premium, Enterprise
  • Per-minute, per-hour, per-day limits
  • Burst capacity support
  • Usage tracking and analytics
  • Rate limit headers in responses
  • Upgrade prompts when limit reached
  • Test coverage > 85%

Priority

Medium - Important for monetization
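
A sketch of the tier lookup and per-minute/hour/day check proposed above, added here as an example; it is not code from the issue or the repository. The `MemoryCounterStore` class, the `rl:` key layout, the function names and the fall-back to FREE for unknown tiers are assumptions, and burst capacity is left out because the issue does not define its semantics.

```javascript
// Added example; limits copied from the issue's RATE_LIMIT_TIERS (burstCapacity omitted).
const RATE_LIMIT_TIERS = {
  FREE: { requestsPerMinute: 60, requestsPerHour: 1000, requestsPerDay: 10000 },
  PREMIUM: { requestsPerMinute: 300, requestsPerHour: 10000, requestsPerDay: 100000 },
  ENTERPRISE: { requestsPerMinute: 1000, requestsPerHour: 50000, requestsPerDay: 1000000 },
};
const WINDOWS = [['requestsPerMinute', 60], ['requestsPerHour', 3600], ['requestsPerDay', 86400]];

// Hypothetical in-memory stand-in for Redis INCR; a real store would also EXPIRE each key.
class MemoryCounterStore {
  constructor() { this.counts = new Map(); }
  incr(key) {
    const n = (this.counts.get(key) || 0) + 1;
    this.counts.set(key, n);
    return n;
  }
}

// The tier comes from the server-side user record. Missing or unrecognised values
// fall back to FREE, so a bad value can never select a higher limit.
function resolveTier(user) {
  const tier = String((user && user.subscription_tier) || '').toUpperCase();
  return Object.prototype.hasOwnProperty.call(RATE_LIMIT_TIERS, tier) ? tier : 'FREE';
}

// Counts one request against all three fixed windows; rejected requests are counted too.
function checkRateLimit(store, user, nowSec) {
  const tier = resolveTier(user);
  const limits = RATE_LIMIT_TIERS[tier];
  let allowed = true;
  let minute = null;
  for (const [limitName, size] of WINDOWS) {
    const windowStart = Math.floor(nowSec / size) * size;
    const count = store.incr(`rl:${user.id}:${size}:${windowStart}`);
    if (count > limits[limitName]) allowed = false;
    if (size === 60) minute = { count, reset: windowStart + size };
  }
  return {
    allowed,
    status: allowed ? 200 : 429,
    headers: {
      'X-RateLimit-Tier': tier.toLowerCase(),
      'X-RateLimit-Limit': limits.requestsPerMinute,
      'X-RateLimit-Remaining': Math.max(0, limits.requestsPerMinute - minute.count),
      'X-RateLimit-Reset': minute.reset,
    },
  };
}
```

With Redis, the increment and expiry for each window key need to happen atomically (for example in one transaction or script) so concurrent requests cannot slip past the limit.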

