This Pull Request implements a robust configuration management system and a distributed rate limiting layer to enhance platform security and reliability.
- New Files:
apps/backend/src/config/configuration.ts(factory) andapps/backend/src/config/validation.schema.ts(Joi schema). - Validation: Added a Joi schema to validate all required environment variables at startup. The application will now fail fast with a descriptive error if variables like
DATABASE_PASSWORD,JWT_SECRET, orSTELLAR_SECRET_KEYare missing. - Access: Replaced all
process.envcalls across the backend (StellarService,MailService,JwtStrategy, etc.) withConfigServicefor type safety and consistency.
- Global implementation: Configured
@nestjs/throttlerwith a default limit of 60 requests per minute. - Redis Storage: Integrated
@nest-lab/throttler-storage-rediswithioredis. Throttling data is now stored in Redis, ensuring consistent rate limits across multiple API instances. - Tightened Auth Security: Added specific throttler guards to
AuthController:POST /auth/register: 5 requests per minute.POST /auth/login: 5 requests per minute.
- Stellar Protection: Added rate limiting to sensitive issuance endpoints in
StellarController:POST /stellar/mintandPOST /credentials/issue: 3 requests per minute.
joi: For environment variable validation.ioredis: Redis client.@nest-lab/throttler-storage-redis: Redis storage provider for NestJS throttler.@nestjs/cache-manager,cache-manager,cache-manager-redis-store: For cached balances.
- Verified that the app fails to start if a required env var (e.g.,
REDIS_URL) is removed. - Validated that
ConfigServiceis correctly injecting values. - Throttler headers (
x-ratelimit-limit,x-ratelimit-remaining,x-ratelimit-reset) verified on protected endpoints.