Production hardening: CSP, rate limit, env validation, health gating, Render blueprint, DEPLOYMENT.md

lib/rate-limit.ts

@@ -0,0 +1,55 @@
+/**
+ * Tiny in-memory rate limiter. Token-bucket per key (typically client IP).
+ *
+ * Suitable for a single-instance deployment behind Render's load balancer.
+ * State resets on process restart, which is fine for this use case (the
+ * worst that happens is a malicious client gets to retry sooner).
+ *
+ * For multi-instance deployments use Redis or Render's edge rate-limit.
+ */
+
+interface Bucket {
+  tokens: number;
+  refilledAt: number;
+}
+
+const BUCKETS = new Map<string, Bucket>();
+
+export interface RateLimitOptions {
+  /** Max requests per window. */
+  capacity: number;
+  /** Window length in milliseconds (tokens fully refill each window). */
+  windowMs: number;
+}
+
+export function rateLimit(key: string, opts: RateLimitOptions): { allowed: boolean; remaining: number; resetMs: number } {
+  const now = Date.now();
+  const bucket = BUCKETS.get(key);
+  if (!bucket || now - bucket.refilledAt >= opts.windowMs) {
+    BUCKETS.set(key, { tokens: opts.capacity - 1, refilledAt: now });
+    return { allowed: true, remaining: opts.capacity - 1, resetMs: opts.windowMs };
+  }
+  if (bucket.tokens > 0) {
+    bucket.tokens--;
+    return {
+      allowed: true,
+      remaining: bucket.tokens,
+      resetMs: opts.windowMs - (now - bucket.refilledAt),
+    };
+  }
+  return {
+    allowed: false,
+    remaining: 0,
+    resetMs: opts.windowMs - (now - bucket.refilledAt),
+  };
+}
+
+/**
+ * Best-effort client-IP extraction from a Next.js Request. Trusts the
+ * left-most x-forwarded-for entry (set by Render's load balancer).
+ */
+export function clientIp(req: Request): string {
+  const xff = req.headers.get("x-forwarded-for");
+  if (xff) return xff.split(",")[0].trim();
+  return req.headers.get("x-real-ip") ?? "unknown";
+}