API rate limiter #31

Closed
ChukwuemekaP1 wants to merge 4 commits into Dfunder:main from ChukwuemekaP1:main

Conversation

@ChukwuemekaP1

Summary

Implement rate limiting to protect the API against abuse and brute-force attacks. This adds both global and authentication-specific rate limiters with appropriate HTTP 429 responses.

Changes Made

  • Added express-rate-limit dependency for rate limiting functionality
  • Created global rate limiter: 100 requests per 15 minutes per IP (applied app-wide)
  • Created stricter auth rate limiter: 10 requests per 15 minutes (applied to /api/auth routes)
  • Configured HTTP 429 responses with Retry-After header for rate limit violations
  • Added sample auth routes (/api/auth/login, /api/auth/register) for testing

Technical Details

| Limiter | Max Requests | Window | Applied To |
| -- | -- | -- | -- |
| Global | 100 | 15 minutes | All routes (*) |
| Auth | 10 | 15 minutes | /api/auth/* |

Response Format (429 Too Many Requests)

```json
{
  "message": "Too many requests, please try again later.",
  "retryAfter": 1740940800
}
```

Headers included:

  • Retry-After - Unix timestamp when the rate limit resets
  • RateLimit-Limit - Maximum requests allowed
  • RateLimit-Remaining - Remaining requests in current window
  • RateLimit-Reset - Seconds until limit resets

Testing

  • ✅ All existing tests pass
  • ✅ Linting passes without errors
  • ✅ Verified 429 response with Retry-After header via curl

Files Modified

  • package.json - Added express-rate-limit dependency
  • src/app.js - Added rate limiter configuration and auth routes

Security Considerations

  • Uses in-memory store (suitable for single-instance deployments)
  • For production multi-instance deployments, consider using a Redis store
  • Rate limits are per-IP address (may need adjustment for users behind NAT)

close #4
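To make the behaviour described above concrete, here is an added example (not the project's src/app.js and not express-rate-limit itself): a minimal in-memory fixed-window limiter with the PR's parameters, composed so that the global limiter (100 per 15 minutes) runs on every route and the stricter auth limiter (10 per 15 minutes) runs only under /api/auth/. It assumes the Retry-After header carries delay-seconds while the JSON body mirrors the PR's sample with a Unix timestamp; the injectable clock and IPs are constructed for testing.

```javascript
// Added example: per-IP fixed-window limiter, in-memory (single instance only).
const WINDOW_MS = 15 * 60 * 1000;

function createLimiter({ max, windowMs = WINDOW_MS, now = Date.now }) {
  const hits = new Map(); // key -> { count, resetAt }; lost on restart, not shared across instances
  return function check(key) {
    const t = now();
    let entry = hits.get(key);
    if (!entry || t >= entry.resetAt) {
      entry = { count: 0, resetAt: t + windowMs }; // start a fresh window
      hits.set(key, entry);
    }
    entry.count += 1;
    const resetSec = Math.ceil((entry.resetAt - t) / 1000);
    const allowed = entry.count <= max;
    const headers = {
      'RateLimit-Limit': String(max),
      'RateLimit-Remaining': String(Math.max(0, max - entry.count)),
      'RateLimit-Reset': String(resetSec),
    };
    if (!allowed) headers['Retry-After'] = String(resetSec); // delay-seconds (assumption)
    return {
      allowed,
      status: allowed ? 200 : 429,
      headers,
      body: allowed
        ? null
        : { message: 'Too many requests, please try again later.',
            retryAfter: Math.floor(entry.resetAt / 1000) }, // Unix timestamp, as in the PR sample
    };
  };
}

// Mirrors app.use(globalLimiter) followed by app.use('/api/auth', authLimiter):
// the global counter is consumed first; the auth counter only for auth paths.
function makeGate(now = Date.now) {
  const global = createLimiter({ max: 100, now });
  const auth = createLimiter({ max: 10, now });
  return function gate(ip, path) {
    const g = global(ip);
    if (!g.allowed) return g;
    return path.startsWith('/api/auth/') ? auth(ip) : g;
  };
}
```

A client hammering /api/auth/login is cut off after 10 attempts while its other requests still pass, and the counters reset once the 15-minute window elapses.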

@ayshadogo
Contributor

@ChukwuemekaP1 Please fix this thing by tomorrow morning.
This issue has been due for long.

@ayshadogo ayshadogo closed this Mar 5, 2026

Development

Successfully merging this pull request may close these issues.

Setup API Rate Limiting
