feat(rate-limiting-stub): In-Memory Rate-Limiter pro IP (Stub für /api/auth/*) [tsc:fail]

.phase19-state.json

@@ -1,5 +1,8 @@
 {
   "completed_features": [],
-  "current_feature": "invitation-flow",
-  "started_at": "2026-05-23T07:42:47.919364"
+  "current_feature": "rate-limiting-stub",
+  "started_at": "2026-05-23T07:42:47.919364",
+  "attempted_features": [
+    "invitation-flow"
+  ]
 }

GENERATION_LOG.md

@@ -2273,3 +2273,22 @@ src/index.ts(27,25): error TS2769: No overload matches this call.
   Overload 2 of 3, '(plugin: FastifyPluginAsync<{ limits: { fileSize: number; }; }, RawServerDefault, FastifyTypeProvider, FastifyBaseLogger>, opts?: FastifyRegisterOptions<...> | undefined): FastifyInstance<...> & PromiseLike<...>', gave the following error.
     Argument of type 'Promise<FastifyMultipartPlugin>' is not assignable to parameter of type 'FastifyPluginAsync<{ limits: { fileSize: number; }; }, RawServerDefault, FastifyTypeProvider, FastifyBaseLogger>'.
       Type 'Promise<FastifyMultipartPlugin>' provides no match for the signature '(instance: FastifyInstance<RawServerDefault, IncomingMessage, ServerResponse<IncomingMessage>, FastifyBaseLogger, FastifyTy
+- `07:44:43` **INFO**   Committed feature invitation-flow
+- `07:44:44` **INFO**   Pushed: rc=0
+
+## Phase-3 Feature: rate-limiting-stub (2026-05-23 07:44:44)
+
+- `07:44:44` **INFO** Description: In-Memory Rate-Limiter pro IP (Stub für /api/auth/*)
+- `07:44:44` **INFO**   Generating apps/api/src/services/rate-limit.ts (RateLimiter class. Map<ip, {count, resetAt}>. Methode check(ip, limit,…)
+- `07:44:52` **INFO**     wrote 886 chars in 8.2s (attempt 1)
+- `07:44:52` **INFO**   Generating apps/api/src/routes/auth.ts (ERWEITERT — behalte alles. Füge preHandler-check für POST /login: rate…)
+- `07:45:31` **INFO**     wrote 4291 chars in 39.0s (attempt 1)
+- `07:45:31` **INFO** Running tsc --noEmit on api…
+- `07:45:33` **WARN**   tsc errors:
+src/index.ts(27,25): error TS2769: No overload matches this call.
+  Overload 1 of 3, '(plugin: FastifyPluginCallback<{ limits: { fileSize: number; }; }, RawServerDefault, FastifyTypeProvider, FastifyBaseLogger>, opts?: FastifyRegisterOptions<...> | undefined): FastifyInstance<...> & PromiseLike<...>', gave the following error.
+    Argument of type 'Promise<FastifyMultipartPlugin>' is not assignable to parameter of type 'FastifyPluginCallback<{ limits: { fileSize: number; }; }, RawServerDefault, FastifyTypeProvider, FastifyBaseLogger>'.
+      Type 'Promise<FastifyMultipartPlugin>' provides no match for the signature '(instance: FastifyInstance<RawServerDefault, IncomingMessage, ServerResponse<IncomingMessage>, FastifyBaseLogger, FastifyTypeProvider>, opts: { ...; }, done: (err?: Error | undefined) => void): void'.
+  Overload 2 of 3, '(plugin: FastifyPluginAsync<{ limits: { fileSize: number; }; }, RawServerDefault, FastifyTypeProvider, FastifyBaseLogger>, opts?: FastifyRegisterOptions<...> | undefined): FastifyInstance<...> & PromiseLike<...>', gave the following error.
+    Argument of type 'Promise<FastifyMultipartPlugin>' is not assignable to parameter of type 'FastifyPluginAsync<{ limits: { fileSize: number; }; }, RawServerDefault, FastifyTypeProvider, FastifyBaseLogger>'.
+      Type 'Promise<FastifyMultipartPlugin>' provides no match for the signature '(instance: FastifyInstance<RawServerDefault, IncomingMessage, ServerResponse<IncomingMessage>, FastifyBaseLogger, FastifyTy

apps/api/src/routes/auth.ts

@@ -5,13 +5,22 @@ import { users, passwordResetTokens } from "../db/schema"
 import { eq, and, gt } from "drizzle-orm"
 import { LoginRequestSchema } from "@emberclone/shared"
 import { z } from "zod"
-const ForgotPasswordRequestSchema = z.object({ email: z.string().email() })
-const ResetPasswordRequestSchema = z.object({ token: z.string().min(1), newPassword: z.string().min(8) })
 import { emailService } from "../services/email"
 import { randomBytes } from "crypto"
+import { rateLimiter } from "../services/rateLimiter"
+
+const ForgotPasswordRequestSchema = z.object({ email: z.string().email() })
+const ResetPasswordRequestSchema = z.object({ token: z.string().min(1), newPassword: z.string().min(8) })
 
 export default async function authRoutes(fastify: FastifyInstance) {
-  fastify.post("/login", async (request, reply) => {
+  fastify.post("/login", {
+    preHandler: async (request, reply) => {
+      const allowed = await rateLimiter.check(request.ip, 10, 60_000)
+      if (!allowed) {
+        return reply.code(429).send({ message: "Too many requests" })
+      }
+    }
+  }, async (request, reply) => {
     const body = LoginRequestSchema.parse(request.body)
 
     const [user] = await db
@@ -119,9 +128,6 @@ export default async function authRoutes(fastify: FastifyInstance) {
         )
       )
 
-    const validReset = resets.find(async (r) => await argon2.verify(r.tokenHash, body.token))
-    
-    // Since find is synchronous, we need to handle the async verification carefully
     let matchedReset = null
     for (const r of resets) {
       if (await argon2.verify(r.tokenHash, body.token)) {

apps/api/src/services/rate-limit.ts

@@ -0,0 +1,43 @@
+export class RateLimiter {
+  private store = new Map<string, { count: number; resetAt: number }>();
+
+  check(ip: string, limit: number, windowMs: number): { allowed: boolean; remaining: number } {
+    const now = Date.now();
+    const record = this.store.get(ip);
+
+    if (!record || now > record.resetAt) {
+      this.store.set(ip, {
+        count: 1,
+        resetAt: now + windowMs,
+      });
+      return {
+        allowed: true,
+        remaining: limit - 1,
+      };
+    }
+
+    if (record.count >= limit) {
+      return {
+        allowed: false,
+        remaining: 0,
+      };
+    }
+
+    const newCount = record.count + 1;
+    this.store.set(ip, {
+      count: newCount,
+      resetAt: record.resetAt,
+    });
+
+    return {
+      allowed: true,
+      remaining: limit - newCount,
+    };
+  }
+
+  clear() {
+    this.store.clear();
+  }
+}
+
+export const rateLimiter = new RateLimiter();