backend/src/middleware/rateLimit.js

const rateLimit = require('express-rate-limit');

const createRateLimit = (windowMs, max, message) => {
  return rateLimit({
    windowMs,
    max,
    message: { error: message },
    standardHeaders: true,
    legacyHeaders: false,
  });
};

// General rate limit
const generalRateLimit = createRateLimit(
  parseInt(process.env.RATE_LIMIT_WINDOW_MS) || 15 * 60 * 1000, // 15 minutes
  parseInt(process.env.RATE_LIMIT_MAX_REQUESTS) || 100,
  'Too many requests from this IP, please try again later.'
);

// Auth rate limit (more restrictive)
const authRateLimit = createRateLimit(
  15 * 60 * 1000, // 15 minutes
  5, // 5 attempts
  'Too many authentication attempts, please try again later.'
);

// Chat rate limit
const chatRateLimit = createRateLimit(
  60 * 1000, // 1 minute
  20, // 20 messages per minute
  'Too many messages sent, please slow down.'
);

module.exports = {
  general: generalRateLimit,
  auth: authRateLimit,
  chat: chatRateLimit
};