From 613137ff99442885c5fe679b2cc1172adfc5a283 Mon Sep 17 00:00:00 2001
From: Mohamed Bassem
Date: Thu, 10 Jul 2025 21:22:54 +0000
Subject: feat: Add API ratelimits
---
 packages/trpc/routers/users.ts | 22 ++++++++++++++++++++++
 1 file changed, 22 insertions(+)
(limited to 'packages/trpc/routers/users.ts')
diff --git a/packages/trpc/routers/users.ts b/packages/trpc/routers/users.ts
index 58093b42..ebe7d96f 100644
--- a/packages/trpc/routers/users.ts
+++ b/packages/trpc/routers/users.ts
@@ -31,6 +31,7 @@ import {
 adminProcedure,
 authedProcedure,
 Context,
+ createRateLimitMiddleware,
 publicProcedure,
 router,
 } from "../index";
@@ -124,6 +125,13 @@ export async function createUser(
 export const usersAppRouter = router({
 create: publicProcedure
+ .use(
+ createRateLimitMiddleware({
+ name: "users.create",
+ windowMs: 60 * 1000,
+ maxRequests: 3,
+ }),
+ )
 .input(zSignUpSchema)
 .output(
 z.object({
@@ -541,6 +549,13 @@ export const usersAppRouter = router({
 .where(eq(userSettings.userId, ctx.user.id));
 }),
 verifyEmail: publicProcedure
+ .use(
+ createRateLimitMiddleware({
+ name: "users.verifyEmail",
+ windowMs: 5 * 60 * 1000,
+ maxRequests: 10,
+ }),
+ ) // 10 requests per 5 minutes
 .input(
 z.object({
 email: z.string().email(),
@@ -572,6 +587,13 @@ export const usersAppRouter = router({
 return { success: true };
 }),
 resendVerificationEmail: publicProcedure
+ .use(
+ createRateLimitMiddleware({
+ name: "users.resendVerificationEmail",
+ windowMs: 5 * 60 * 1000,
+ maxRequests: 3,
+ }),
+ ) // 3 requests per 5 minutes
 .input(
 z.object({
 email: z.string().email(),
--
cgit v1.2.3-70-g09d2
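Review bot: Nothing in the options passed on `users.create` says what a request is counted against, so a reader cannot tell whether `maxRequests: 3` is per client address, per session or global; `createRateLimitMiddleware` comes from `../index` and its body is not part of this diff. Because `create`, `verifyEmail` and `resendVerificationEmail` are all `publicProcedure`, the key is presumably derived from the client address, and if that value is read from a forwarding header it only holds when the header is accepted from the deployment's own proxy; otherwise every user behind one proxy shares a bucket or the limit is trivially sidestepped. I would state the key once at the first use, e.g. `// limit is counted per <key used by createRateLimitMiddleware>, see ../index`, and add the missing trailing `// 3 requests per minute` here so all three routes are annotated the same way. The `router({ ... })` call continues outside the hunk.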
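Review bot: The 10-per-5-minutes window on `verifyEmail` bounds what one caller can send, but it does not by itself bound how many tokens are tried against a single `email`, assuming the middleware keys on the caller rather than on the input (the hunk does not show this). The token comparison sits outside the hunk, so this may already be covered there; if not, a failed-attempt counter keyed on the submitted `email`, or invalidating the token after a few misses, closes that gap. The same reasoning applies to `resendVerificationEmail` in the next hunk, where a per-recipient cooldown would keep one mailbox from receiving repeated mails triggered by different callers.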