feat: data-backed rate limits, concurrency limiter, copy button fix (BUG-025, BUG-022)

src/index.ts

@@ -13,6 +13,7 @@ import { emailChangeRouter } from "./routes/email-change.js";
 import { authMiddleware } from "./middleware/auth.js";
 import { usageMiddleware } from "./middleware/usage.js";
 import { getUsageStats } from "./middleware/usage.js";
+import { pdfRateLimitMiddleware, getConcurrencyStats } from "./middleware/pdfRateLimit.js";
 import { initBrowser, closeBrowser } from "./services/browser.js";
 import { loadKeys, getAllKeys } from "./services/keys.js";
 import { verifyToken } from "./services/verification.js";
@@ -59,10 +60,10 @@ app.use(express.text({ limit: "2mb", type: "text/*" }));
 // Trust nginx proxy
 app.set("trust proxy", 1);
 
-// Rate limiting
+// Global rate limiting - reduced from 10,000 to reasonable limit
 const limiter = rateLimit({
   windowMs: 60_000,
-  max: 10000,
+  max: 100,
   standardHeaders: true,
   legacyHeaders: false,
 });
@@ -76,7 +77,7 @@ app.use("/v1/billing", billingRouter);
 app.use("/v1/email-change", emailChangeRouter);
 
 // Authenticated routes
-app.use("/v1/convert", authMiddleware, usageMiddleware, convertRouter);
+app.use("/v1/convert", authMiddleware, usageMiddleware, pdfRateLimitMiddleware, convertRouter);
 app.use("/v1/templates", authMiddleware, usageMiddleware, templatesRouter);
 
 // Admin: usage stats
@@ -84,6 +85,11 @@ app.get("/v1/usage", authMiddleware, (_req, res) => {
   res.json(getUsageStats());
 });
 
+// Admin: concurrency stats
+app.get("/v1/concurrency", authMiddleware, (_req, res) => {
+  res.json(getConcurrencyStats());
+});
+
 // Email verification endpoint
 app.get("/verify", (req, res) => {
   const token = req.query.token as string;