Merge branch 'main' into staging

Author: bauchdj

apps/server/src/context.ts

@@ -2,7 +2,6 @@ import { createRedisClient, type RedisClient } from "@nimbus/cache";
 import { createAuth, type Auth } from "@nimbus/auth/auth";
 import { createEnv, type Env } from "@nimbus/env/server";
 import { createDb, type DB } from "@nimbus/db";
-import type { PublicRouterVars } from "./hono";
 import type { Context } from "hono";
 import { Resend } from "resend";
 
@@ -69,7 +68,7 @@ export class ContextManager {
 		}
 	}
 
-	public async createContext(): Promise<PublicRouterVars> {
+	public async createContext() {
 		const env = this.env;
 
 		const [db, redisClient] = await Promise.all([this.initializeDatabase(env), this.initializeRedis(env)]);

apps/server/src/hono.ts

@@ -1,12 +1,14 @@
 import type { Provider } from "./providers/interface/provider";
+import { Hono, type Context, type Env as HonoEnv } from "hono";
 import type { Auth, SessionUser } from "@nimbus/auth/auth";
 import { getContext } from "hono/context-storage";
 import type { RedisClient } from "@nimbus/cache";
-import { Hono, type Env as HonoEnv } from "hono";
+import type { ContextManager } from "./context";
 import type { Env } from "@nimbus/env/server";
 import type { DB } from "@nimbus/db";
 
 export interface BaseRouterVars {
+	contextManager: ContextManager;
 	env: Env;
 }
 
@@ -36,6 +38,8 @@ export interface DriveProviderRouterEnv {
 	Variables: DriveProviderRouterVars;
 }
 
+export type PublicRouterContext = Context<PublicRouterEnv>;
+
 function createHono<T extends HonoEnv>() {
 	return new Hono<T>();
 }

apps/server/src/index.ts

@@ -8,7 +8,9 @@ import routes from "./routes";
 const app = createPublicRouter()
 	.use(contextStorage())
 	.use("*", async (c, next) => {
-		const env = ContextManager.getInstance().env;
+		const contextManager = ContextManager.getInstance();
+		const env = contextManager.env;
+		c.set("contextManager", contextManager);
 		c.set("env", env);
 		await next();
 	})
@@ -23,7 +25,7 @@ const app = createPublicRouter()
 	)
 	.use("*", async (c, next) => {
 		const env = c.var.env;
-		const { db, redisClient, auth } = await ContextManager.getInstance().createContext();
+		const { db, redisClient, auth } = await c.var.contextManager.createContext();
 		c.set("db", db);
 		c.set("redisClient", redisClient);
 		c.set("auth", auth);
@@ -33,7 +35,7 @@ const app = createPublicRouter()
 			// WARNING: make sure to add WRANGLER_DEV to .dev.vars for wrangler dev
 			// for local dev, always keep context open UNLESS wrangler dev, close context
 			if (env.IS_EDGE_RUNTIME && (env.NODE_ENV === "production" || env.WRANGLER_DEV)) {
-				await ContextManager.getInstance().close();
+				await c.var.contextManager.close();
 			}
 		}
 	})

apps/server/src/middleware/security.ts

@@ -1,4 +1,6 @@
-import { createRateLimiter, type CreateRateLimiterContext } from "@nimbus/cache/rate-limiters";
+import { createRateLimiter, type RateLimiterConfig } from "@nimbus/cache/rate-limiters";
+import { UpstashRateLimit, ValkeyRateLimit } from "@nimbus/cache";
+import type { PublicRouterContext } from "../hono";
 import type { RateLimiter } from "@nimbus/cache";
 import { sendError } from "../routes/utils";
 import type { Context, Next } from "hono";
@@ -10,16 +12,21 @@ import { webcrypto } from "node:crypto";
 interface SecurityOptions {
 	rateLimiting?: {
 		enabled: boolean;
-		rateLimiter: (c: Context) => RateLimiter;
+		// Returns a factory that accepts an identifier and returns a RateLimiter instance
+		rateLimiter: () => RateLimiter;
 	};
 	securityHeaders?: boolean;
 }
 
-export function buildSecurityMiddleware(ctx: CreateRateLimiterContext) {
+export function buildSecurityMiddleware(ctx: PublicRouterContext, config: RateLimiterConfig) {
 	return securityMiddleware({
 		rateLimiting: {
 			enabled: true,
-			rateLimiter: _c => createRateLimiter(ctx),
+			rateLimiter: createRateLimiter({
+				isEdgeRuntime: ctx.var.env.IS_EDGE_RUNTIME,
+				redisClient: ctx.var.redisClient,
+				config,
+			}),
 		},
 		securityHeaders: true,
 	});
@@ -46,7 +53,9 @@ const getClientIp = (c: Context): string => {
 		return realIp.trim();
 	}
 
-	return `unidentifiable-${webcrypto.randomUUID()}`;
+	return "unidentifiable";
+	// Gotta block for now, can't let unknown IP addresses through
+	// return `unidentifiable-${webcrypto.randomUUID()}`;
 };
 
 const securityMiddleware = (options: SecurityOptions = {}) => {
@@ -114,9 +123,10 @@ const securityMiddleware = (options: SecurityOptions = {}) => {
 			const identifier = user?.id || ip;
 
 			try {
-				const limiter = rateLimiting.rateLimiter(c);
-				if ("limit" in limiter) {
-					// Handle Upstash limit
+				const limiterFactory = rateLimiting.rateLimiter;
+				const limiter = limiterFactory();
+				if (limiter instanceof UpstashRateLimit) {
+					// Upstash
 					const result = await limiter.limit(identifier);
 					if (!result.success) {
 						const retryAfter = Math.ceil((result.reset - Date.now()) / 1000);
@@ -130,8 +140,8 @@ const securityMiddleware = (options: SecurityOptions = {}) => {
 							429
 						);
 					}
-				} else {
-					// Handle Valkey limit
+				} else if (limiter instanceof ValkeyRateLimit) {
+					// Valkey
 					await limiter.consume(identifier);
 				}
 			} catch (error: any) {

apps/server/src/routes/waitlist/index.ts

@@ -1,12 +1,22 @@
+import { createPublicRouter, type PublicRouterContext } from "../../hono";
 import { emailObjectSchema, type WaitlistCount } from "@nimbus/shared";
+import { buildSecurityMiddleware } from "../../middleware/security";
 import { sendError, sendSuccess } from "../utils";
 import { zValidator } from "@hono/zod-validator";
-import { createPublicRouter } from "../../hono";
 import { waitlist } from "@nimbus/db/schema";
 import { count } from "drizzle-orm";
 import { nanoid } from "nanoid";
 
+const rateLimiter = (c: PublicRouterContext) =>
+	buildSecurityMiddleware(c, {
+		points: 3,
+		duration: 120, // 2 minutes
+		blockDuration: 60, // 1 minute
+		keyPrefix: "rl:waitlist",
+	});
+
 const waitlistRouter = createPublicRouter()
+	.use("*", (c, next) => rateLimiter(c)(c, next))
 	.get("/count", async c => {
 		try {
 			const result = await c.var.db.select({ count: count() }).from(waitlist);

packages/cache/src/rate-limiters.ts

@@ -2,34 +2,35 @@ import { type RateLimiter, type RedisClient, UpstashRateLimit, ValkeyRateLimit }
 import { Redis as UpstashRedis } from "@upstash/redis/cloudflare";
 import { Redis as ValkeyRedis } from "iovalkey";
 
-interface RateLimiterConfig {
+export interface RateLimiterConfig {
 	points: number;
 	duration: number;
 	blockDuration?: number;
 	keyPrefix: string;
 }
 
-interface RateLimiterFactory<T extends RateLimiter> {
-	(identifier: string): T;
+export interface RateLimiterFactory<T extends RateLimiter> {
+	(): T;
 }
 
 export interface CreateRateLimiterContext {
 	isEdgeRuntime: boolean;
 	redisClient: RedisClient;
 	config: RateLimiterConfig;
-	identifier: string;
 }
 
 // Create Upstash rate limiter factory
 function createUpstashRateLimiter(
 	redisClient: UpstashRedis,
 	config: RateLimiterConfig
 ): RateLimiterFactory<UpstashRateLimit> {
-	return (identifier: string) =>
+	return () =>
 		new UpstashRateLimit({
 			redis: redisClient,
-			prefix: `${config.keyPrefix}${identifier}`,
-			limiter: UpstashRateLimit.slidingWindow(config.points, `${Math.ceil(config.duration / 60)} s`),
+			// Do not include the identifier in the prefix; it's passed to limit() per request
+			prefix: `${config.keyPrefix}`,
+			// config.duration is in seconds (to match Valkey). Upstash accepts duration strings like "10 s".
+			limiter: UpstashRateLimit.slidingWindow(config.points, `${config.duration} s`),
 			analytics: true,
 		});
 }
@@ -39,10 +40,11 @@ function createValkeyRateLimiter(
 	redisClient: ValkeyRedis,
 	config: RateLimiterConfig
 ): RateLimiterFactory<ValkeyRateLimit> {
-	return (identifier: string) =>
+	return () =>
 		new ValkeyRateLimit({
 			storeClient: redisClient,
-			keyPrefix: `${config.keyPrefix}${identifier}`,
+			// Keep prefix stable and pass identifier to consume()
+			keyPrefix: `${config.keyPrefix}`,
 			points: config.points,
 			duration: config.duration,
 			blockDuration: config.blockDuration,
@@ -51,10 +53,10 @@ function createValkeyRateLimiter(
 		});
 }
 
-export function createRateLimiter(ctx: CreateRateLimiterContext): RateLimiter {
+export function createRateLimiter(ctx: CreateRateLimiterContext): RateLimiterFactory<RateLimiter> {
 	if (ctx.isEdgeRuntime) {
-		return createUpstashRateLimiter(ctx.redisClient as UpstashRedis, ctx.config)(ctx.identifier);
+		return createUpstashRateLimiter(ctx.redisClient as UpstashRedis, ctx.config) as RateLimiterFactory<RateLimiter>;
 	} else {
-		return createValkeyRateLimiter(ctx.redisClient as ValkeyRedis, ctx.config)(ctx.identifier);
+		return createValkeyRateLimiter(ctx.redisClient as ValkeyRedis, ctx.config) as RateLimiterFactory<RateLimiter>;
 	}
 }