Merge pull request #165 from portableDD/feat/rate-limit-and-suspicious-activity

feat: add rate limiting and suspicious activity detection (#103, #102)

Author: mijinummi

apps/api-service/src/transection/rate-limit.service.spec.ts

@@ -0,0 +1,77 @@
+import { HttpException, HttpStatus } from '@nestjs/common';
+import { RateLimitService } from './rate-limit.service';
+
+describe('RateLimitService', () => {
+  let service: RateLimitService;
+
+  beforeEach(() => {
+    service = new RateLimitService({ maxPerMinute: 3, maxPerHour: 10 });
+  });
+
+  describe('check()', () => {
+    it('allows transactions below per-minute limit', () => {
+      service.record('M1');
+      service.record('M1');
+      const status = service.check('M1');
+      expect(status.allowed).toBe(true);
+      expect(status.transactionsLastMinute).toBe(2);
+    });
+
+    it('throws 429 when per-minute limit is reached', () => {
+      service.record('M1');
+      service.record('M1');
+      service.record('M1');
+      expect(() => service.check('M1')).toThrow(HttpException);
+      try {
+        service.check('M1');
+      } catch (e: any) {
+        expect(e.getStatus()).toBe(HttpStatus.TOO_MANY_REQUESTS);
+        expect(e.getResponse().retryAfterSeconds).toBeGreaterThan(0);
+      }
+    });
+
+    it('throws 429 when per-hour limit is reached', () => {
+      // Fill the hour bucket without triggering per-minute limit.
+      // Use a fresh service with maxPerMinute=100, maxPerHour=5
+      const svc = new RateLimitService({ maxPerMinute: 100, maxPerHour: 5 });
+      for (let i = 0; i < 5; i++) svc.record('M2');
+      expect(() => svc.check('M2')).toThrow(HttpException);
+    });
+
+    it('does not bleed limits between merchants', () => {
+      service.record('M1');
+      service.record('M1');
+      service.record('M1');
+      // M2 should still be fine
+      expect(() => service.check('M2')).not.toThrow();
+    });
+  });
+
+  describe('getStatus()', () => {
+    it('returns current counts without throwing', () => {
+      service.record('M3');
+      service.record('M3');
+      const status = service.getStatus('M3');
+      expect(status.transactionsLastMinute).toBe(2);
+      expect(status.transactionsLastHour).toBe(2);
+      expect(status.limitPerMinute).toBe(3);
+      expect(status.limitPerHour).toBe(10);
+    });
+
+    it('returns allowed=false when limits are reached, without throwing', () => {
+      for (let i = 0; i < 3; i++) service.record('M4');
+      const status = service.getStatus('M4');
+      expect(status.allowed).toBe(false);
+    });
+  });
+
+  describe('record()', () => {
+    it('increments counts', () => {
+      service.record('M5');
+      service.record('M5');
+      service.record('M5');
+      const status = service.getStatus('M5');
+      expect(status.transactionsLastMinute).toBe(3);
+    });
+  });
+});

apps/api-service/src/transection/rate-limit.service.ts

@@ -0,0 +1,130 @@
+import { Injectable, HttpException, HttpStatus, Logger } from '@nestjs/common';
+
+export interface RateLimitConfig {
+  maxPerMinute: number;
+  maxPerHour: number;
+}
+
+export interface RateLimitStatus {
+  allowed: boolean;
+  merchantId: string;
+  transactionsLastMinute: number;
+  transactionsLastHour: number;
+  limitPerMinute: number;
+  limitPerHour: number;
+  retryAfterSeconds?: number;
+}
+
+const DEFAULT_CONFIG: RateLimitConfig = {
+  maxPerMinute: 10,
+  maxPerHour: 100,
+};
+
+@Injectable()
+export class RateLimitService {
+  private readonly logger = new Logger(RateLimitService.name);
+  private readonly timestamps = new Map<string, number[]>();
+  private readonly config: RateLimitConfig;
+
+  constructor(config: Partial<RateLimitConfig> = {}) {
+    this.config = { ...DEFAULT_CONFIG, ...config };
+  }
+
+  /**
+   * Check if a merchant is within rate limits.
+   * Throws 429 if limits are exceeded.
+   */
+  check(merchantId: string): RateLimitStatus {
+    const now = Date.now();
+    const oneMinuteAgo = now - 60_000;
+    const oneHourAgo = now - 3_600_000;
+
+    const all = this.timestamps.get(merchantId) ?? [];
+    // Prune timestamps older than 1 hour
+    const recent = all.filter((t) => t > oneHourAgo);
+    this.timestamps.set(merchantId, recent);
+
+    const lastMinute = recent.filter((t) => t > oneMinuteAgo).length;
+    const lastHour = recent.length;
+
+    const status: RateLimitStatus = {
+      allowed: true,
+      merchantId,
+      transactionsLastMinute: lastMinute,
+      transactionsLastHour: lastHour,
+      limitPerMinute: this.config.maxPerMinute,
+      limitPerHour: this.config.maxPerHour,
+    };
+
+    if (lastMinute >= this.config.maxPerMinute) {
+      const oldestInWindow = recent.filter((t) => t > oneMinuteAgo)[0];
+      status.allowed = false;
+      status.retryAfterSeconds = Math.ceil((oldestInWindow + 60_000 - now) / 1000);
+      this.logger.warn(
+        `Rate limit (per-minute) exceeded for merchant ${merchantId}: ${lastMinute} tx in last 60s`,
+      );
+      throw new HttpException(
+        {
+          statusCode: HttpStatus.TOO_MANY_REQUESTS,
+          error: 'Too Many Requests',
+          message: `Rate limit exceeded: ${lastMinute}/${this.config.maxPerMinute} transactions in the last minute.`,
+          retryAfterSeconds: status.retryAfterSeconds,
+        },
+        HttpStatus.TOO_MANY_REQUESTS,
+      );
+    }
+
+    if (lastHour >= this.config.maxPerHour) {
+      const oldestInWindow = recent[0];
+      status.allowed = false;
+      status.retryAfterSeconds = Math.ceil((oldestInWindow + 3_600_000 - now) / 1000);
+      this.logger.warn(
+        `Rate limit (per-hour) exceeded for merchant ${merchantId}: ${lastHour} tx in last 60min`,
+      );
+      throw new HttpException(
+        {
+          statusCode: HttpStatus.TOO_MANY_REQUESTS,
+          error: 'Too Many Requests',
+          message: `Rate limit exceeded: ${lastHour}/${this.config.maxPerHour} transactions in the last hour.`,
+          retryAfterSeconds: status.retryAfterSeconds,
+        },
+        HttpStatus.TOO_MANY_REQUESTS,
+      );
+    }
+
+    return status;
+  }
+
+  /**
+   * Record a transaction timestamp for a merchant after it has been saved.
+   */
+  record(merchantId: string): void {
+    const all = this.timestamps.get(merchantId) ?? [];
+    all.push(Date.now());
+    this.timestamps.set(merchantId, all);
+  }
+
+  /**
+   * Returns current rate-limit status without enforcing the limit.
+   */
+  getStatus(merchantId: string): RateLimitStatus {
+    const now = Date.now();
+    const oneMinuteAgo = now - 60_000;
+    const oneHourAgo = now - 3_600_000;
+
+    const all = this.timestamps.get(merchantId) ?? [];
+    const recent = all.filter((t) => t > oneHourAgo);
+
+    const lastMinute = recent.filter((t) => t > oneMinuteAgo).length;
+    const lastHour = recent.length;
+
+    return {
+      allowed: lastMinute < this.config.maxPerMinute && lastHour < this.config.maxPerHour,
+      merchantId,
+      transactionsLastMinute: lastMinute,
+      transactionsLastHour: lastHour,
+      limitPerMinute: this.config.maxPerMinute,
+      limitPerHour: this.config.maxPerHour,
+    };
+  }
+}

apps/api-service/src/transection/suspicious-activity.service.spec.ts

@@ -0,0 +1,132 @@
+import { SuspiciousActivityService, SuspiciousActivityType, AlertSeverity } from './suspicious-activity.service';
+import { Transaction, TxStatus, TxType } from './transaction.entity';
+
+function makeTx(overrides: Partial<Transaction> = {}): Transaction {
+  return Object.assign(new Transaction(), {
+    id: crypto.randomUUID(),
+    txHash: `0x${Math.random().toString(16).slice(2)}`,
+    merchantId: 'merchant_1',
+    chainId: 1,
+    status: TxStatus.SUCCESS,
+    type: TxType.TRANSFER,
+    gasUsed: 21000,
+    timestamp: new Date(),
+    ...overrides,
+  });
+}
+
+describe('SuspiciousActivityService', () => {
+  let service: SuspiciousActivityService;
+
+  beforeEach(() => {
+    service = new SuspiciousActivityService();
+  });
+
+  describe('analyze() — no detection below threshold', () => {
+    it('returns detected=false when fewer than 5 transactions', () => {
+      for (let i = 0; i < 4; i++) {
+        const result = service.analyze(makeTx());
+        expect(result.detected).toBe(false);
+      }
+    });
+
+    it('returns detected=false for normal traffic', () => {
+      for (let i = 0; i < 10; i++) {
+        const tx = makeTx({ timestamp: new Date(Date.now() - i * 5000) });
+        service.analyze(tx);
+      }
+      const result = service.analyze(makeTx());
+      expect(result.detected).toBe(false);
+    });
+  });
+
+  describe('High failure rate detection', () => {
+    it('detects HIGH_FAILURE_RATE when > 70% of last 10 transactions fail', () => {
+      // Seed 10 transactions with 8 failures
+      const txs = [
+        ...Array(8).fill(null).map(() => makeTx({ status: TxStatus.FAILURE })),
+        ...Array(2).fill(null).map(() => makeTx({ status: TxStatus.SUCCESS })),
+      ];
+      let lastResult: any;
+      for (const tx of txs) {
+        lastResult = service.analyze(tx);
+      }
+      expect(lastResult.detected).toBe(true);
+      expect(lastResult.type).toBe(SuspiciousActivityType.HIGH_FAILURE_RATE);
+      expect([AlertSeverity.LOW, AlertSeverity.MEDIUM, AlertSeverity.HIGH]).toContain(lastResult.severity);
+      expect(lastResult.detectedAt).toBeDefined();
+      expect(lastResult.metadata.failureRate).toBeGreaterThanOrEqual(70);
+    });
+
+    it('does not flag when failure rate is below 70%', () => {
+      const txs = [
+        ...Array(6).fill(null).map(() => makeTx({ status: TxStatus.SUCCESS })),
+        ...Array(4).fill(null).map(() => makeTx({ status: TxStatus.FAILURE })),
+      ];
+      let lastResult: any;
+      for (const tx of txs) {
+        lastResult = service.analyze(tx);
+      }
+      // 40% failure — should NOT trigger high failure rate
+      if (lastResult.detected) {
+        expect(lastResult.type).not.toBe(SuspiciousActivityType.HIGH_FAILURE_RATE);
+      }
+    });
+  });
+
+  describe('Gas spike detection', () => {
+    it('detects GAS_SPIKE when latest tx uses > 4x rolling average', () => {
+      // 9 normal transactions
+      for (let i = 0; i < 9; i++) {
+        service.analyze(makeTx({ gasUsed: 21000 }));
+      }
+      // Spike transaction
+      const result = service.analyze(makeTx({ gasUsed: 210000 })); // 10x
+      expect(result.detected).toBe(true);
+      expect(result.type).toBe(SuspiciousActivityType.GAS_SPIKE);
+      expect(result.severity).toBe(AlertSeverity.HIGH); // 10x => HIGH
+      expect(result.metadata?.spikeMultiplier).toBeGreaterThanOrEqual(4);
+    });
+
+    it('does not flag a normal gas amount', () => {
+      for (let i = 0; i < 9; i++) {
+        service.analyze(makeTx({ gasUsed: 21000 }));
+      }
+      const result = service.analyze(makeTx({ gasUsed: 25000 })); // ~1.2x — normal
+      if (result.detected) {
+        expect(result.type).not.toBe(SuspiciousActivityType.GAS_SPIKE);
+      }
+    });
+  });
+
+  describe('Burst detection', () => {
+    it('detects BURST_TRANSACTIONS when >= 5 tx occur within 10 seconds', () => {
+      const now = Date.now();
+      const txs = Array(6).fill(null).map((_, i) =>
+        makeTx({ timestamp: new Date(now - i * 1000) }), // 1s apart within 10s
+      );
+      let lastResult: any;
+      for (const tx of txs) {
+        lastResult = service.analyze(tx);
+      }
+      expect(lastResult.detected).toBe(true);
+      expect(lastResult.type).toBe(SuspiciousActivityType.BURST_TRANSACTIONS);
+      expect(lastResult.metadata?.burstCount).toBeGreaterThanOrEqual(5);
+    });
+
+    it('does not flag transactions spread over time', () => {
+      const now = Date.now();
+      // Spread 10 transactions over 2 minutes — never > 5 in 10s
+      const txs = Array(10).fill(null).map((_, i) =>
+        makeTx({ timestamp: new Date(now - i * 15000) }),
+      );
+      let lastResult: any;
+      for (const tx of txs) {
+        lastResult = service.analyze(tx);
+      }
+      if (lastResult.detected) {
+        expect(lastResult.type).not.toBe(SuspiciousActivityType.BURST_TRANSACTIONS);
+      }
+    });
+  });
+});