chore: initial commit for main

apps/api/src/index.ts

@@ -1,6 +1,8 @@
 import Fastify from 'fastify';
 import cors from '@fastify/cors';
 import cookie from '@fastify/cookie';
+import helmet from '@fastify/helmet';
+import rateLimit from '@fastify/rate-limit';
 import dbPlugin from './plugins/db.js';
 import authPlugin from './plugins/auth.js';
 import authRoutes from './routes/auth/index.js';
@@ -19,12 +21,21 @@ const app = Fastify({
   },
 });
 
-// Plugins
+// Security plugins
+await app.register(helmet, {
+  contentSecurityPolicy: process.env.NODE_ENV === 'production' ? undefined : false,
+});
+
 await app.register(cors, {
   origin: process.env.CORS_ORIGIN || 'http://localhost:5173',
   credentials: true,
 });
 
+await app.register(rateLimit, {
+  max: Number(process.env.RATE_LIMIT_MAX) || 100,
+  timeWindow: Number(process.env.RATE_LIMIT_WINDOW_MS) || 60_000,
+});
+
 await app.register(cookie);
 await app.register(dbPlugin);
 await app.register(authPlugin);
@@ -47,10 +58,20 @@ app.setErrorHandler((error: Error & { validation?: unknown; statusCode?: number;
     });
   }
 
+  // Rate limit errors
+  if (error.statusCode === 429) {
+    return reply.code(429).send({
+      error: 'Too Many Requests',
+      message: 'Rate limit exceeded, please try again later',
+    });
+  }
+
   app.log.error(error);
-  return reply.code(500).send({
+  return reply.code(error.statusCode ?? 500).send({
     error: 'Internal Server Error',
-    message: 'An unexpected error occurred',
+    message: process.env.NODE_ENV === 'production'
+      ? 'An unexpected error occurred'
+      : error.message,
   });
 });