Rate-limit webhook registration and management endpoints #382

@greatest0fallt1me

Description

The webhook routes in src/webhooks/webhook.routes.ts (POST / for registration, line 21; GET /:developerId, line 72; and DELETE /:developerId, line 87) have no rate limiting and validate developerId manually from the path with no authentication. The per-user REST limiter (createConfiguredRestRateLimitMiddleware, src/middleware/restRateLimit.ts:88) is applied to /api/billing (src/routes/index.ts:33) but not to webhook management. As a result, unauthenticated callers can spam register/delete cycles against arbitrary developer ids. This issue adds rate limiting to the webhook management surface.

Requirements and context

  • Apply rate limiting to POST/GET/DELETE on the webhook router in src/webhooks/webhook.routes.ts, reusing the existing createRestRateLimitMiddleware/createConfiguredRestRateLimitMiddleware from src/middleware/restRateLimit.ts rather than introducing a new limiter.
  • Because these routes are currently unauthenticated, the limiter will key on client IP via getRestRateLimitKey (src/middleware/restRateLimit.ts:57-64); ensure that path is exercised and that Retry-After is emitted on 429 (the middleware already sets it at src/middleware/restRateLimit.ts:79).
  • Reuse the configured window/max from config.restRateLimit (REST_RATE_LIMIT_WINDOW_MS / REST_RATE_LIMIT_MAX_REQUESTS, documented in README.md); consider a tighter dedicated limit for registration via new optional env vars validated in src/config/env.ts.
  • Non-functional: must not interfere with the signed inbound delivery route POST /deliver/:developerId (src/webhooks/webhook.routes.ts:104), whose middleware chain (captureRawBody -> verifyWebhookSignature -> express.json) must remain intact and ordered.
  • This is a security-hardening change: include a note in docs/webhooks.md.

Acceptance criteria

  • POST, GET, and DELETE webhook management routes return 429 with Retry-After once the window limit is exceeded.
  • Limiting keys on client IP for these unauthenticated routes.
  • The signed POST /deliver/:developerId pipeline and its raw-body handling are unchanged.
  • Limits are configurable via env and validated in src/config/env.ts.
  • docs/webhooks.md documents the new limits.
  • Integration tests assert the 429/Retry-After behavior on register and delete.
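The requirements and acceptance criteria above describe the shape of the change: an IP-keyed limiter on the management routes only, answering 429 with Retry-After once the window is exhausted, while the signed /deliver/:developerId pipeline is left alone. The following is an added, self-contained illustration of that logic, not the repo's restRateLimit middleware or Express wiring; the names createIpRateLimiter, createWebhookRouter, Req and Res are hypothetical, and the request/response shapes are deliberately minimal so it runs without Express.

```typescript
// Added illustration of the limiting logic the issue asks for; hypothetical
// names, not the project's own middleware. Fixed window, keyed on client IP.
type Req = { ip: string; path: string; method: string };
type Res = { status: number; headers: Record<string, string> };
type Bucket = { count: number; windowStart: number };

function createIpRateLimiter(windowMs: number, max: number) {
  const buckets = new Map<string, Bucket>();
  // Returns null when the request may proceed, or a 429 response otherwise.
  // `now` is passed in (epoch ms) so behaviour is deterministic in tests.
  return function limit(req: Req, now: number): Res | null {
    const key = req.ip; // unauthenticated routes: no user id, so key on IP
    const b = buckets.get(key);
    if (!b || now - b.windowStart >= windowMs) {
      buckets.set(key, { count: 1, windowStart: now }); // open a new window
      return null;
    }
    if (b.count < max) {
      b.count += 1;
      return null;
    }
    // Window exhausted: tell the client when it may retry (seconds, rounded up).
    const retryAfterSec = Math.ceil((b.windowStart + windowMs - now) / 1000);
    return { status: 429, headers: { 'Retry-After': String(retryAfterSec) } };
  };
}

// Hypothetical router: the limiter guards POST/GET/DELETE management routes;
// the signed delivery route keeps its own chain and is never limited here.
function createWebhookRouter(windowMs: number, max: number) {
  const limit = createIpRateLimiter(windowMs, max);
  return function handle(req: Req, now: number): Res {
    const isDelivery = req.method === 'POST' && req.path.startsWith('/deliver/');
    if (!isDelivery) {
      const limited = limit(req, now);
      if (limited) return limited;
    }
    return { status: 200, headers: {} }; // stand-in for the real handlers
  };
}
```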

Suggested execution

1. Fork the repo and create a branch

git checkout -b security/webhook-rate-limit

2. Implement changes — add the limiter middleware in src/webhooks/webhook.routes.ts; add config in src/config/env.ts/src/config/index.ts if introducing dedicated limits.
3. Write/extend tests — extend tests/integration/webhooks.test.ts.
4. Test and commit

npm run lint
npm run typecheck
npm run test:integration -- webhooks

Example commit message

feat(security): rate-limit webhook registration and management endpoints

Guidelines

Maintain the repo's 90%+ coverage target (README.md). Add JSDoc to the new middleware wiring and document limits in docs/webhooks.md. Timeframe: 96 hours.
