feat: add rate limiting to newsletter endpoint + tests

Add IP-based rate limiting (3 requests per 10 min) to the newsletter
subscribe endpoint. Includes periodic cleanup to prevent memory leaks.

Add 15 tests covering: successful subscription, input validation,
Resend API errors, missing env vars, and rate limiting behavior.

Author: sionzee

src/contract/newsletter/index.ts

@@ -1,6 +1,36 @@
 import { z } from "zod";
 import { base } from "../shared/os.ts";
 
+// Simple in-memory rate limiter: max 3 requests per IP per 10 minutes
+const rateLimitMap = new Map<string, number[]>();
+const RATE_LIMIT_WINDOW_MS = 10 * 60 * 1000;
+const RATE_LIMIT_MAX = 3;
+
+function isRateLimited(ip: string): boolean {
+	const now = Date.now();
+	const timestamps = rateLimitMap.get(ip) ?? [];
+	const recent = timestamps.filter((t) => now - t < RATE_LIMIT_WINDOW_MS);
+
+	if (recent.length >= RATE_LIMIT_MAX) {
+		rateLimitMap.set(ip, recent);
+		return true;
+	}
+
+	recent.push(now);
+	rateLimitMap.set(ip, recent);
+	return false;
+}
+
+// Periodic cleanup to prevent memory leak
+setInterval(() => {
+	const now = Date.now();
+	for (const [ip, timestamps] of rateLimitMap) {
+		const recent = timestamps.filter((t) => now - t < RATE_LIMIT_WINDOW_MS);
+		if (recent.length === 0) rateLimitMap.delete(ip);
+		else rateLimitMap.set(ip, recent);
+	}
+}, 60 * 1000);
+
 export const subscribe = base
 	.input(
 		z.object({
@@ -17,7 +47,15 @@ export const subscribe = base
 			message: "Failed to subscribe",
 		},
 	})
-	.handler(async ({ input, errors }) => {
+	.handler(async ({ input, context, errors }) => {
+		// Rate limit by IP
+		const forwarded = (context.headers as Headers).get?.("x-forwarded-for");
+		const ip = forwarded?.split(",")[0]?.trim() || "unknown";
+
+		if (isRateLimited(ip)) {
+			throw errors.RATE_LIMITED({ data: { retryAfter: 600 } });
+		}
+
 		const apiKey = process.env.RESEND_API_KEY;
 		const segmentId = process.env.RESEND_SEGMENT_ID;