Skip to main content

Documentation Index

Fetch the complete documentation index at: https://mintlify.com/BladimirGS/judicial-backend/llms.txt

Use this file to discover all available pages before exploring further.

Judicial Backend uses express-rate-limit to cap the number of requests a single IP address can make within a rolling time window. Two distinct limiters are defined — a stricter one for authentication routes where brute-force attacks are most dangerous, and a general one for all other API routes. Both limiters are configured entirely through environment variables so thresholds can be adjusted per environment without code changes.

Limiter Definitions

Both limiters are created in src/core/middlewares/rate-limit.middleware.ts and share the same windowMs value while differing in their max ceiling: 
import rateLimit from 'express-rate-limit';
import { envs } from '../../config/envs';

const minutes = envs.RATE_LIMIT_WINDOW_MS / 1000 / 60;

export const apiLimiter = rateLimit({
    windowMs: envs.RATE_LIMIT_WINDOW_MS,
    max: envs.RATE_LIMIT_MAX,
    standardHeaders: true,
    legacyHeaders: false,
    message: {
        success: false,
        message: `Demasiadas solicitudes. Intenta de nuevo en ${minutes} minutos.`,
    },
});

export const authLimiter = rateLimit({
    windowMs: envs.RATE_LIMIT_WINDOW_MS,
    max: envs.RATE_LIMIT_AUTH_MAX,
    standardHeaders: true,
    legacyHeaders: false,
    message: {
        success: false,
        message: `Demasiados intentos de autenticación. Intenta de nuevo en ${minutes} minutos.`,
    },
});

apiLimiter

Applied to all protected resource routes. Allows up to 100 requests per 15-minute window per IP by default. Suitable for normal browsing, search queries, and report generation.

authLimiter

Applied exclusively to authentication routes. Allows up to 20 requests per 15-minute window per IP by default. The lower threshold limits the blast radius of credential stuffing or brute-force login attempts. Both limiters set standardHeaders: true (the RateLimit-* headers defined by the IETF draft standard) and legacyHeaders: false (suppresses the older X-RateLimit-* headers).

Route Registration

Limiters are attached per route group in src/routes/index.ts. They are inserted as middleware before the route handler and, where applicable, before the protect authentication check: 
import { Router } from 'express';
import { apiLimiter, authLimiter } from '../core/middlewares/rate-limit.middleware';
import { protect } from '../modules/auth/middlewares/protect.middleware';

const router = Router();

router.use('/auth',        authLimiter,                   authRoutes);
router.use('/apelaciones', apiLimiter, protect,           apelacionRoutes);
router.use('/busquedas',   apiLimiter, protect,           BusquedaRoutes);
router.use('/estadisticas',apiLimiter, protect,           estadisticaRoutes);
This means the rate limit check runs before any token verification on protected routes. An IP that has exceeded its limit receives 429 without consuming authentication infrastructure.

Response When Limit Is Exceeded

When a client exceeds the configured threshold, express-rate-limit short-circuits the request and responds with HTTP 429 Too Many Requests: 
{
  "success": false,
  "message": "Demasiadas solicitudes. Intenta de nuevo en 15 minutos."
}
For auth routes the message is: 
{
  "success": false,
  "message": "Demasiados intentos de autenticación. Intenta de nuevo en 15 minutos."
}
The response also includes standard rate-limit headers so clients can implement back-off logic:
HeaderDescription
RateLimit-LimitThe maximum number of requests allowed per window.
RateLimit-RemainingRequests remaining in the current window.
RateLimit-ResetTimestamp (seconds) when the window resets.

Configuration via Environment Variables

All thresholds are read from environment variables at startup. Set them in your .env file: 
# Rate Limiting
RATE_LIMIT_WINDOW_MS=900000       # 15 min in milliseconds
RATE_LIMIT_MAX=100                # Max requests for API routes
RATE_LIMIT_AUTH_MAX=20            # Max requests for /auth routes
RATE_LIMIT_WINDOW_MS
number
default:"900000"
The duration of the rolling rate-limit window in milliseconds. The default 900000 equals 15 minutes. Both apiLimiter and authLimiter use this same value.
RATE_LIMIT_MAX
number
default:"100"
Maximum number of requests allowed within one window for API routes (/apelaciones, /busquedas, /estadisticas). Requests beyond this threshold receive 429.
RATE_LIMIT_AUTH_MAX
number
default:"20"
Maximum number of requests allowed within one window for authentication routes (/auth). This value should be kept low enough to deter brute-force attacks while still permitting normal login workflows.
Reducing RATE_LIMIT_AUTH_MAX too aggressively (for example, to 3 or 5) may lock out legitimate users who experience brief network retries, token refresh cycles, or parallel requests from multiple browser tabs. Test your chosen threshold against real usage patterns — particularly token refresh behavior — before deploying to production. If users are locked out, they must wait for the full window to expire.

Changing Limits Per Environment

A common pattern is to use a higher limit in development to avoid interrupting local testing, and tighten it in production: 
# .env.development
RATE_LIMIT_WINDOW_MS=900000
RATE_LIMIT_MAX=500
RATE_LIMIT_AUTH_MAX=100

# .env.production
RATE_LIMIT_WINDOW_MS=900000
RATE_LIMIT_MAX=100
RATE_LIMIT_AUTH_MAX=20
Since minutes is computed from RATE_LIMIT_WINDOW_MS at startup, the user-facing error message automatically reflects the correct window duration without any additional code changes.

Build docs developers (and LLMs) love

Get started for freeTalk to us