Implement Rate Limiter and Cloudfront Caching for API (#75)

* add cloudformation for table definition

* fix IAM permission

* build rate limiter logic

* implement rate limiting on specific routes

* remove log statement

* mock rate limiter implementation

* bypass rate limiter in unit tests

* use more sensible rate limiting

* fix linting issues

* consolidate stages to fix concurrency

* use cloudfront to cache events route

* cache subpaths too

* be more transparent about caching behavior to editors

* change fetching behavior

* fix cache behavior

* enable custom domains on cloudfront

* map the custom domain to cloudfront instead of the api gateway

* fix domain behavior

* fix domain

* fix acm-cache-status header

Author: devksingh4

.github/workflows/deploy-dev.yml

@@ -38,7 +38,7 @@ jobs:
       - name: Run unit testing
         run: make test_unit
 
-  deploy-dev:
+  deploy-test-dev:
     runs-on: ubuntu-latest
     permissions:
       id-token: write
@@ -47,7 +47,7 @@ jobs:
       group: ${{ github.event.repository.name }}-dev-env
       cancel-in-progress: false
     environment: "AWS DEV"
-    name: Deploy to DEV
+    name: Deploy to DEV and Run Tests
     needs:
       - test-unit
     steps:
@@ -90,38 +90,6 @@ jobs:
           HUSKY: "0"
           VITE_RUN_ENVIRONMENT: dev
 
-  test-dev:
-    runs-on: ubuntu-latest
-    name: Run Live Tests
-    needs:
-      - deploy-dev
-    concurrency:
-      group: ${{ github.event.repository.name }}-dev-env
-      cancel-in-progress: false
-    steps:
-      - uses: actions/checkout@v4
-        env:
-          HUSKY: "0"
-          cache: 'yarn'
-
-      - name: Set up Node
-        uses: actions/setup-node@v4
-        with:
-          node-version: 22.x
-
-      - name: Restore Yarn Cache
-        uses: actions/cache@v4
-        with:
-          path: node_modules
-          key: yarn-modules-${{ runner.os }}-${{ hashFiles('**/yarn.lock') }}-dev
-          restore-keys: |
-            yarn-modules-${{ runner.os }}-
-
-      - name: Set up Python 3.11 for testing
-        uses: actions/setup-python@v5
-        with:
-          python-version: 3.11
-
       - name: Run health check
         run: make dev_health_check
 

.github/workflows/deploy-prod.yml

@@ -24,7 +24,8 @@ jobs:
           python-version: 3.11
       - name: Run unit testing
         run: make test_unit
-  deploy-dev:
+
+  deploy-test-dev:
     runs-on: ubuntu-latest
     concurrency:
       group: ${{ github.event.repository.name }}-dev
@@ -33,7 +34,7 @@ jobs:
       id-token: write
       contents: read
     environment: "AWS DEV"
-    name: Deploy to DEV
+    name: Deploy to DEV and Run Tests
     needs:
       - test-unit
     steps:
@@ -62,26 +63,6 @@ jobs:
           HUSKY: "0"
           VITE_RUN_ENVIRONMENT: dev
 
-  test-dev:
-    runs-on: ubuntu-latest
-    name: Run Live Tests
-    needs:
-      - deploy-dev
-    concurrency:
-      group: ${{ github.event.repository.name }}-dev
-      cancel-in-progress: false
-    steps:
-      - name: Set up Node
-        uses: actions/setup-node@v4
-        with:
-          node-version: 22.x
-      - uses: actions/checkout@v4
-        env:
-          HUSKY: "0"
-      - name: Set up Python 3.11 for testing
-        uses: actions/setup-python@v5
-        with:
-          python-version: 3.11
       - name: Run live testing
         run: make test_live_integration
         env:
@@ -94,15 +75,15 @@ jobs:
 
   deploy-prod:
     runs-on: ubuntu-latest
-    name: Deploy to Prod
+    name: Deploy to Prod and Run Health Check
     concurrency:
       group: ${{ github.event.repository.name }}-prod
       cancel-in-progress: false
     permissions:
       id-token: write
       contents: read
     needs:
-      - test-dev
+      - deploy-test-dev
     environment: "AWS PROD"
     steps:
       - name: Set up Node for testing
@@ -129,22 +110,5 @@ jobs:
         env:
           HUSKY: "0"
           VITE_RUN_ENVIRONMENT: prod
-
-  health-check-prod:
-    runs-on: ubuntu-latest
-    name: Confirm services healthy
-    needs:
-      - deploy-prod
-    concurrency:
-      group: ${{ github.event.repository.name }}-prod
-      cancel-in-progress: false
-    steps:
-      - name: Set up Node for testing
-        uses: actions/setup-node@v4
-        with:
-          node-version: 22.x
-      - uses: actions/checkout@v4
-        env:
-          HUSKY: "0"
       - name: Call the health check script
         run: make prod_health_check

cloudformation/custom-domain.yml

@@ -16,6 +16,8 @@ Parameters:
     AllowedValues: [ 'dev', 'prod' ]
   RecordName:
     Type: String
+  CloudfrontDomain:
+    Type: String
 
 Conditions:
   IsDev: !Equals [!Ref RunEnvironment, 'dev']
@@ -44,7 +46,7 @@ Resources:
     Properties:
       HostedZoneId: !Ref GWHostedZoneId
       Name: !Sub "${RecordName}.${GWBaseDomainName}"
-      Type: A
-      AliasTarget:
-        DNSName: !GetAtt CustomDomainName.RegionalDomainName
-        HostedZoneId: !GetAtt CustomDomainName.RegionalHostedZoneId
+      Type: CNAME
+      TTL: 300
+      ResourceRecords:
+        - !Ref CloudfrontDomain

cloudformation/iam.yml

@@ -93,6 +93,14 @@ Resources:
                   - expireAt
                   - "*"
 
+          - Sid: DynamoDBRateLimitTableAccess
+            Effect: Allow
+            Action:
+              - dynamodb:DescribeTable
+              - dynamodb:UpdateItem
+            Resource:
+              - Fn::Sub: arn:aws:dynamodb:${AWS::Region}:${AWS::AccountId}:table/infra-core-api-rate-limiter
+
           - Sid: DynamoDBIndexAccess
             Effect: Allow
             Action:

cloudformation/main.yml

@@ -119,6 +119,7 @@ Resources:
         GWApiId: !Ref AppApiGateway
         GWHostedZoneId:
           !FindInMap [ApiGwConfig, !Ref RunEnvironment, HostedZoneId]
+        CloudfrontDomain: !GetAtt [AppFrontendCloudfrontDistribution, DomainName]
 
   LinkryDomainProxy:
     Type: AWS::Serverless::Application
@@ -138,6 +139,7 @@ Resources:
         GWApiId: !Ref AppApiGateway
         GWHostedZoneId:
           !FindInMap [ApiGwConfig, !Ref RunEnvironment, HostedZoneId]
+        CloudfrontDomain: !GetAtt [AppFrontendCloudfrontDistribution, DomainName]
 
   CoreUrlProd:
     Type: AWS::Serverless::Application
@@ -158,6 +160,7 @@ Resources:
         GWApiId: !Ref AppApiGateway
         GWHostedZoneId:
           !FindInMap [ApiGwConfig, !Ref RunEnvironment, HostedZoneId]
+        CloudfrontDomain: !GetAtt [AppFrontendCloudfrontDistribution, DomainName]
 
   AppApiLambdaFunction:
     Type: AWS::Serverless::Function
@@ -306,6 +309,30 @@ Resources:
         - AttributeName: userEmail
           KeyType: HASH
 
+  RateLimiterTable:
+    Type: "AWS::DynamoDB::Table"
+    DeletionPolicy: "Delete"
+    UpdateReplacePolicy: "Delete"
+    Properties:
+      BillingMode: "PAY_PER_REQUEST"
+      TableName: infra-core-api-rate-limiter
+      DeletionProtectionEnabled: true
+      PointInTimeRecoverySpecification:
+        PointInTimeRecoveryEnabled: false
+      AttributeDefinitions:
+        - AttributeName: PK
+          AttributeType: S
+        - AttributeName: SK
+          AttributeType: S
+      KeySchema:
+        - AttributeName: PK
+          KeyType: HASH
+        - AttributeName: SK
+          KeyType: RANGE
+      TimeToLiveSpecification:
+        AttributeName: ttl
+        Enabled: true
+
   EventRecordsTable:
     Type: "AWS::DynamoDB::Table"
     DeletionPolicy: "Retain"
@@ -562,6 +589,20 @@ Resources:
             - ApiGwConfig
             - !Ref RunEnvironment
             - UiDomainName
+          - !Join
+            - ""
+            - - "go."
+              - !FindInMap
+                - ApiGwConfig
+                - !Ref RunEnvironment
+                - EnvDomainName
+          - !Join
+            - ""
+            - - "ical."
+              - !FindInMap
+                - ApiGwConfig
+                - !Ref RunEnvironment
+                - EnvDomainName
 
         DefaultCacheBehavior:
           TargetOriginId: S3WebsiteOrigin
@@ -578,6 +619,50 @@ Resources:
               Forward: none
           CachePolicyId: 658327ea-f89d-4fab-a63d-7e88639e58f6 # caching-optimized
         CacheBehaviors:
+          - PathPattern: "/api/v1/events"
+            TargetOriginId: ApiGatewayOrigin
+            ViewerProtocolPolicy: redirect-to-https
+            AllowedMethods:
+              - GET
+              - HEAD
+              - OPTIONS
+              - PUT
+              - POST
+              - DELETE
+              - PATCH
+            CachedMethods:
+              - GET
+              - HEAD
+            ForwardedValues:
+              QueryString: true
+              QueryStringCacheKeys:
+                - host
+                - ts
+                - upcomingOnly
+              Cookies:
+                Forward: none
+          - PathPattern: "/api/v1/events/*"
+            TargetOriginId: ApiGatewayOrigin
+            ViewerProtocolPolicy: redirect-to-https
+            AllowedMethods:
+              - GET
+              - HEAD
+              - OPTIONS
+              - PUT
+              - POST
+              - DELETE
+              - PATCH
+            CachedMethods:
+              - GET
+              - HEAD
+            ForwardedValues:
+              QueryString: true
+              QueryStringCacheKeys:
+                - host
+                - ts
+                - upcomingOnly
+              Cookies:
+                Forward: none
           - PathPattern: "/api/*"
             TargetOriginId: ApiGatewayOrigin
             ViewerProtocolPolicy: redirect-to-https

src/api/functions/rateLimit.ts

@@ -0,0 +1,66 @@
+import {
+  ConditionalCheckFailedException,
+  UpdateItemCommand,
+} from "@aws-sdk/client-dynamodb";
+import { DynamoDBClient } from "@aws-sdk/client-dynamodb";
+import { genericConfig } from "common/config.js";
+
+interface RateLimitParams {
+  ddbClient: DynamoDBClient;
+  rateLimitIdentifier: string;
+  duration: number;
+  limit: number;
+  userIdentifier: string;
+}
+
+export async function isAtLimit({
+  ddbClient,
+  rateLimitIdentifier,
+  duration,
+  limit,
+  userIdentifier,
+}: RateLimitParams): Promise<{
+  limited: boolean;
+  resetTime: number;
+  used: number;
+}> {
+  const nowInSeconds = Math.floor(Date.now() / 1000);
+  const timeWindow = Math.floor(nowInSeconds / duration) * duration;
+  const PK = `rate-limit:${rateLimitIdentifier}:${userIdentifier}:${timeWindow}`;
+
+  try {
+    const result = await ddbClient.send(
+      new UpdateItemCommand({
+        TableName: genericConfig.RateLimiterDynamoTableName,
+        Key: {
+          PK: { S: PK },
+          SK: { S: "counter" },
+        },
+        UpdateExpression: "ADD #rateLimitCount :inc SET #ttl = :ttl",
+        ConditionExpression:
+          "attribute_not_exists(#rateLimitCount) OR #rateLimitCount <= :limit",
+        ExpressionAttributeValues: {
+          ":inc": { N: "1" },
+          ":limit": { N: limit.toString() },
+          ":ttl": { N: (timeWindow + duration).toString() },
+        },
+        ExpressionAttributeNames: {
+          "#rateLimitCount": "rateLimitCount",
+          "#ttl": "ttl",
+        },
+        ReturnValues: "UPDATED_NEW",
+        ReturnValuesOnConditionCheckFailure: "ALL_OLD",
+      }),
+    );
+    return {
+      limited: false,
+      used: parseInt(result.Attributes?.rateLimitCount.N || "1", 10),
+      resetTime: timeWindow + duration,
+    };
+  } catch (error) {
+    if (error instanceof ConditionalCheckFailedException) {
+      return { limited: true, resetTime: timeWindow + duration, used: limit };
+    }
+    throw error;
+  }
+}

src/api/functions/sts.ts

@@ -2,7 +2,6 @@ import { AssumeRoleCommand } from "@aws-sdk/client-sts";
 import { STSClient } from "@aws-sdk/client-sts";
 import { genericConfig } from "common/config.js";
 import { InternalServerError } from "common/errors/index.js";
-import { duration } from "moment";
 
 export async function getRoleCredentials(
   roleArn: string,