From 29b744f08dd96f41d4d5d0a652f736421aececfc Mon Sep 17 00:00:00 2001
From: "Dennis (via Claude+Gemma)" <dennis.paradzinski@it.financeflow.de>
Date: Sat, 23 May 2026 07:45:33 +0200
Subject: [PATCH] =?UTF-8?q?feat(rate-limiting-stub):=20In-Memory=20Rate-Li?=
 =?UTF-8?q?miter=20pro=20IP=20(Stub=20f=C3=BCr=20/api/auth/*)=20[tsc:fail]?=
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

---
 .phase19-state.json                 |  7 +++--
 GENERATION_LOG.md                   | 19 +++++++++++++
 apps/api/src/routes/auth.ts         | 18 ++++++++----
 apps/api/src/services/rate-limit.ts | 43 +++++++++++++++++++++++++++++
 4 files changed, 79 insertions(+), 8 deletions(-)
 create mode 100644 apps/api/src/services/rate-limit.ts

diff --git a/.phase19-state.json b/.phase19-state.json
index 8379901..3c324bd 100644
--- a/.phase19-state.json
+++ b/.phase19-state.json
@@ -1,5 +1,8 @@
 {
   "completed_features": [],
-  "current_feature": "invitation-flow",
-  "started_at": "2026-05-23T07:42:47.919364"
+  "current_feature": "rate-limiting-stub",
+  "started_at": "2026-05-23T07:42:47.919364",
+  "attempted_features": [
+    "invitation-flow"
+  ]
 }
\ No newline at end of file
diff --git a/GENERATION_LOG.md b/GENERATION_LOG.md
index 477e8e1..4f30381 100644
--- a/GENERATION_LOG.md
+++ b/GENERATION_LOG.md
@@ -2273,3 +2273,22 @@ src/index.ts(27,25): error TS2769: No overload matches this call.
   Overload 2 of 3, '(plugin: FastifyPluginAsync<{ limits: { fileSize: number; }; }, RawServerDefault, FastifyTypeProvider, FastifyBaseLogger>, opts?: FastifyRegisterOptions<...> | undefined): FastifyInstance<...> & PromiseLike<...>', gave the following error.
     Argument of type 'Promise<FastifyMultipartPlugin>' is not assignable to parameter of type 'FastifyPluginAsync<{ limits: { fileSize: number; }; }, RawServerDefault, FastifyTypeProvider, FastifyBaseLogger>'.
       Type 'Promise<FastifyMultipartPlugin>' provides no match for the signature '(instance: FastifyInstance<RawServerDefault, IncomingMessage, ServerResponse<IncomingMessage>, FastifyBaseLogger, FastifyTy
+- `07:44:43` **INFO**   Committed feature invitation-flow
+- `07:44:44` **INFO**   Pushed: rc=0
+
+## Phase-3 Feature: rate-limiting-stub (2026-05-23 07:44:44)
+
+- `07:44:44` **INFO** Description: In-Memory Rate-Limiter pro IP (Stub für /api/auth/*)
+- `07:44:44` **INFO**   Generating apps/api/src/services/rate-limit.ts (RateLimiter class. Map<ip, {count, resetAt}>. Methode check(ip, limit,…)
+- `07:44:52` **INFO**     wrote 886 chars in 8.2s (attempt 1)
+- `07:44:52` **INFO**   Generating apps/api/src/routes/auth.ts (ERWEITERT — behalte alles. Füge preHandler-check für POST /login: rate…)
+- `07:45:31` **INFO**     wrote 4291 chars in 39.0s (attempt 1)
+- `07:45:31` **INFO** Running tsc --noEmit on api…
+- `07:45:33` **WARN**   tsc errors:
+src/index.ts(27,25): error TS2769: No overload matches this call.
+  Overload 1 of 3, '(plugin: FastifyPluginCallback<{ limits: { fileSize: number; }; }, RawServerDefault, FastifyTypeProvider, FastifyBaseLogger>, opts?: FastifyRegisterOptions<...> | undefined): FastifyInstance<...> & PromiseLike<...>', gave the following error.
+    Argument of type 'Promise<FastifyMultipartPlugin>' is not assignable to parameter of type 'FastifyPluginCallback<{ limits: { fileSize: number; }; }, RawServerDefault, FastifyTypeProvider, FastifyBaseLogger>'.
+      Type 'Promise<FastifyMultipartPlugin>' provides no match for the signature '(instance: FastifyInstance<RawServerDefault, IncomingMessage, ServerResponse<IncomingMessage>, FastifyBaseLogger, FastifyTypeProvider>, opts: { ...; }, done: (err?: Error | undefined) => void): void'.
+  Overload 2 of 3, '(plugin: FastifyPluginAsync<{ limits: { fileSize: number; }; }, RawServerDefault, FastifyTypeProvider, FastifyBaseLogger>, opts?: FastifyRegisterOptions<...> | undefined): FastifyInstance<...> & PromiseLike<...>', gave the following error.
+    Argument of type 'Promise<FastifyMultipartPlugin>' is not assignable to parameter of type 'FastifyPluginAsync<{ limits: { fileSize: number; }; }, RawServerDefault, FastifyTypeProvider, FastifyBaseLogger>'.
+      Type 'Promise<FastifyMultipartPlugin>' provides no match for the signature '(instance: FastifyInstance<RawServerDefault, IncomingMessage, ServerResponse<IncomingMessage>, FastifyBaseLogger, FastifyTy
diff --git a/apps/api/src/routes/auth.ts b/apps/api/src/routes/auth.ts
index 69da168..0213015 100644
--- a/apps/api/src/routes/auth.ts
+++ b/apps/api/src/routes/auth.ts
@@ -5,13 +5,22 @@ import { users, passwordResetTokens } from "../db/schema"
 import { eq, and, gt } from "drizzle-orm"
 import { LoginRequestSchema } from "@emberclone/shared"
 import { z } from "zod"
-const ForgotPasswordRequestSchema = z.object({ email: z.string().email() })
-const ResetPasswordRequestSchema = z.object({ token: z.string().min(1), newPassword: z.string().min(8) })
 import { emailService } from "../services/email"
 import { randomBytes } from "crypto"
+import { rateLimiter } from "../services/rateLimiter"
+
+const ForgotPasswordRequestSchema = z.object({ email: z.string().email() })
+const ResetPasswordRequestSchema = z.object({ token: z.string().min(1), newPassword: z.string().min(8) })
 
 export default async function authRoutes(fastify: FastifyInstance) {
-  fastify.post("/login", async (request, reply) => {
+  fastify.post("/login", {
+    preHandler: async (request, reply) => {
+      const allowed = await rateLimiter.check(request.ip, 10, 60_000)
+      if (!allowed) {
+        return reply.code(429).send({ message: "Too many requests" })
+      }
+    }
+  }, async (request, reply) => {
     const body = LoginRequestSchema.parse(request.body)
 
     const [user] = await db
@@ -119,9 +128,6 @@ export default async function authRoutes(fastify: FastifyInstance) {
         )
       )
 
-    const validReset = resets.find(async (r) => await argon2.verify(r.tokenHash, body.token))
-    
-    // Since find is synchronous, we need to handle the async verification carefully
     let matchedReset = null
     for (const r of resets) {
       if (await argon2.verify(r.tokenHash, body.token)) {
diff --git a/apps/api/src/services/rate-limit.ts b/apps/api/src/services/rate-limit.ts
new file mode 100644
index 0000000..aaf22ce
--- /dev/null
+++ b/apps/api/src/services/rate-limit.ts
@@ -0,0 +1,43 @@
+export class RateLimiter {
+  private store = new Map<string, { count: number; resetAt: number }>();
+
+  check(ip: string, limit: number, windowMs: number): { allowed: boolean; remaining: number } {
+    const now = Date.now();
+    const record = this.store.get(ip);
+
+    if (!record || now > record.resetAt) {
+      this.store.set(ip, {
+        count: 1,
+        resetAt: now + windowMs,
+      });
+      return {
+        allowed: true,
+        remaining: limit - 1,
+      };
+    }
+
+    if (record.count >= limit) {
+      return {
+        allowed: false,
+        remaining: 0,
+      };
+    }
+
+    const newCount = record.count + 1;
+    this.store.set(ip, {
+      count: newCount,
+      resetAt: record.resetAt,
+    });
+
+    return {
+      allowed: true,
+      remaining: limit - newCount,
+    };
+  }
+
+  clear() {
+    this.store.clear();
+  }
+}
+
+export const rateLimiter = new RateLimiter();
\ No newline at end of file