rahataid / rahat-platform

Rahat-Platform is a backend for Rahat, also known as Rahat core
https://docs.rahat.io
GNU Lesser General Public License v3.0

Preventing misuse or overuse of public-facing API endpoints. #145

Open myanzik opened 1 month ago

myanzik commented 1 month ago

To prevent potential abuse, misuse, or overuse of public-facing API endpoints, it's important to implement rate limiting. Rate limiting can help mitigate the risk of denial-of-service (DoS) attacks, excessive load, or brute-force attacks by restricting the number of API requests a user or client can make in a given time frame.

This issue proposes the implementation of rate limiting using the @nestjs/throttler package to control the frequency of API requests at both the user level (authenticated users) and the IP level (for anonymous users or general traffic).

Acceptance Criteria:

  1. Implement rate limiting using the @nestjs/throttler package to limit requests on public-facing API endpoints.
  2. Rate limit should be applied at both the user level (for authenticated users) and the IP level (for anonymous users).
  3. Global rate limiting should be configured to allow no more than 100 requests per minute across the entire application.
  4. Provide the ability to customize rate limits for specific routes or controllers, allowing for more stringent limits on critical endpoints.
  5. When the rate limit is exceeded, return an HTTP status code 429 (Too Many Requests) along with a custom error message that informs the user about the limit being exceeded.
  6. The error response should include information about the retry time or the time until the user can send another request.
  7. Unit and integration tests must be written to validate:
    • Proper enforcement of rate limits.
    • Correct error handling when limits are exceeded.
    • Differentiation of limits for authenticated users and anonymous IPs.
  8. Ensure that the rate limiting configuration is easily adjustable through environment variables or application settings.
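An added example, not rahat-platform code and not the @nestjs/throttler package itself: a framework-free model of the decision the requested guard has to make, covering the points above (user-or-IP tracker key, a global 100-per-minute window, a stricter per-route override, a 429 with the retry time, and limits loaded from settings). The env variable names `THROTTLE_LIMIT` and `THROTTLE_TTL_SECONDS` and the route label are assumptions for illustration.

```typescript
// Added example: sliding-window throttling keyed by user id (authenticated)
// or client IP (anonymous), with per-route overrides and a 429 that reports
// when the caller may retry. Not the rahat-platform or @nestjs/throttler code.

interface ThrottleConfig { limit: number; ttlMs: number }
interface RequestInfo { ip: string; userId?: string; route?: string }
interface Decision { allowed: boolean; status: 200 | 429; retryAfterSec?: number; message?: string }

// Hypothetical variable names; the issue only asks that limits be adjustable via env/settings.
export function loadConfig(env: Record<string, string | undefined>): ThrottleConfig {
  return {
    limit: Number(env.THROTTLE_LIMIT ?? 100),            // default: 100 requests
    ttlMs: Number(env.THROTTLE_TTL_SECONDS ?? 60) * 1000, // default: per 60 seconds
  };
}

export class Throttler {
  private hits = new Map<string, number[]>(); // counter key -> request timestamps still in window
  constructor(private global: ThrottleConfig, private perRoute: Record<string, ThrottleConfig> = {}) {}

  // Authenticated users are tracked by user id, anonymous traffic by source IP.
  trackerKey(req: RequestInfo): string {
    return req.userId ? `user:${req.userId}` : `ip:${req.ip}`;
  }

  check(req: RequestInfo, now: number): Decision {
    // A route with its own (stricter) limit gets its own counter; everything else shares the global one.
    const override = req.route ? this.perRoute[req.route] : undefined;
    const cfg = override ?? this.global;
    const key = `${override ? req.route : '*'}|${this.trackerKey(req)}`;
    const recent = (this.hits.get(key) ?? []).filter(t => now - t < cfg.ttlMs);
    if (recent.length >= cfg.limit) {
      // Retry time: when the oldest request in the window falls out of it.
      const retryAfterSec = Math.ceil(((recent[0] ?? now) + cfg.ttlMs - now) / 1000);
      this.hits.set(key, recent);
      return {
        allowed: false, status: 429, retryAfterSec,
        message: `Rate limit of ${cfg.limit} requests per ${cfg.ttlMs / 1000}s exceeded; retry in ${retryAfterSec}s`,
      };
    }
    recent.push(now);
    this.hits.set(key, recent);
    return { allowed: true, status: 200 };
  }
}
```

In the real guard the same `retryAfterSec` would also be sent as the `Retry-After` response header alongside the 429 body.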