security: implement rate limiting middleware to prevent DoS attacks

Clic-stack · Clic-stack · commit f200fa680334 · 2026-03-28T14:35:41.000-06:00
diff --git a/email-api/package-lock.json b/email-api/package-lock.json
diff --git a/email-api/package.json b/email-api/package.json
@@ -12,6 +12,7 @@
     "bcrypt": "^6.0.0",
     "cors": "^2.8.5",
     "express": "^5.1.0",
+    "express-rate-limit": "^8.3.1",
     "helmet": "^8.1.0",
     "jsonwebtoken": "^9.0.3",
     "morgan": "^1.10.1",
diff --git a/email-api/src/app.js b/email-api/src/app.js
@@ -3,6 +3,7 @@ import cors from 'cors'
 import helmet from 'helmet'
 import morgan from 'morgan'
 import routes from './routes/index.js'
+import apiLimiter from './middlewares/rateLimiter.js'
 import { errorHandler } from './middlewares/errorHandler.js'
 import { env } from './config/env.js'
 
@@ -16,6 +17,9 @@ app.use(morgan('dev'))
 app.use(express.json())
 app.use(express.urlencoded({ extended: false }))
 
+// Se aplica límite de peticiones antes de las rutas
+app.use(apiLimiter)
+
 // Routes
 app.use('/', routes)
 
diff --git a/email-api/src/middlewares/rateLimiter.js b/email-api/src/middlewares/rateLimiter.js
@@ -0,0 +1,14 @@
+import rateLimit from 'express-rate-limit';
+
+const apiLimiter = rateLimit({
+  windowMs: 15 * 60 * 1000, // 15 minutos
+  max: 100, // Límite de 100 peticiones por IP
+  message: {
+    status: 429,
+    message: 'Demasiadas peticiones. Por seguridad, intenta de nuevo en 15 minutos.'
+  },
+  standardHeaders: true, 
+  legacyHeaders: false,
+});
+
+export default apiLimiter;
