Update app.js

app.js

@@ -1,11 +1,12 @@
 import express from 'express';
 import cors from 'cors';
 import dotenv from 'dotenv';
+import rateLimit from 'express-rate-limit'; // <--- NEW
 
 // Import your modular apps here
 // Apps
-import trendCatRouter from "./apps/viralcat.js" // './apps/trend_cat.js';
-import drCatRouter from './apps/dr_cat.js'; // <--- ADD THIS LINE
+import trendCatRouter from "./apps/viralcat.js" 
+import drCatRouter from './apps/dr_cat.js'; 
 import auraMeasure from './apps/aura_measure.js';
 // Apps end 
 
@@ -15,48 +16,52 @@ dotenv.config();
 const app = express();
 const PORT = process.env.PORT || 7860;
 
+// ⚠️ CRITICAL ADVISOR NOTE: 
+// If you are hosting on Render, Railway, Heroku, DigitalOcean, etc., 
+// you MUST trust the proxy, otherwise the rate limiter will see the hosting 
+// platform's IP and block EVERYONE at the same time.
+app.set('trust proxy', 1);
+
 app.use(cors());
 app.use(express.json({ limit: '50mb' })); 
 
-// Mount the App-Specific Routes
-app.use('/api/viralcat', trendCatRouter);
-app.use('/api/drcat', drCatRouter); // <--- ADD THIS LINE
-app.use('/api/aurameasure', auraMeasure);
+// --- 🛡️ RATE LIMITERS ---
 
-// app.use('/api/drcat', drCatRouter); // Future app
-// app.use('/api/chefcat', chefCatRouter); // Future app
-
-/*
-// --- LEGACY/GENERIC ENDPOINTS (for fast testing without making a new router) ---
-app.post('/api/generate', async (req, res) => {
-    const { model, prompt, system_prompt, images } = req.body;
-    console.log(`[TRAFFIC] Generic generation request for ${model}`);
-    try {
-        const result = await generateCompletion({ model, prompt, system_prompt, images });
-        res.json(result);
-    } catch (err) {
-        res.status(500).json({ success: false, error: err.message });
-    }
+// 1. Burst Limiter (Per Minute): Stops rapid-fire spam / button mashing
+const burstLimiter = rateLimit({
+    windowMs: 60 * 1000, // 1 minute window
+    max: 8, // Max 5 requests per minute per IP
+    message: { 
+        success: false, 
+        error: "Whoa there, speedy! 🙀 Please wait a minute before scanning again." 
+    },
+    standardHeaders: true, 
+    legacyHeaders: false, 
 });
 
-app.post('/api/stream', async (req, res) => {
-    const { model, prompt, system_prompt, images } = req.body; 
-    console.log(`[TRAFFIC] Generic stream request for ${model}`);
-    
-    res.setHeader('Content-Type', 'text/plain; charset=utf-8');
-    res.setHeader('Transfer-Encoding', 'chunked');
-    res.setHeader('X-Accel-Buffering', 'no'); 
-    res.flushHeaders();
-
-    try {
-        await streamCompletion({ model, prompt, system_prompt, images, res });
-    } catch (err) {
-        res.write(`ERROR: ${err.message}`);
-        res.end();
-    }
+// 2. Daily Limiter (Cost Control): Stops API bankruptcy
+const dailyLimiter = rateLimit({
+    windowMs: 24 * 60 * 60 * 1000, // 24 hours
+    max: 30, // Max 15 requests per DAY per IP (Adjust this number based on your budget)
+    message: { 
+        success: false, 
+        error: "Daily scan limit reached! 🛑 Check back tomorrow or follow us on socials for updates." 
+    },
+    standardHeaders: true,
+    legacyHeaders: false,
 });
-*/
+
+// Apply the limiters ONLY to your API routes. 
+// We don't apply it globally so your health check '/' doesn't get blocked.
+app.use('/api/', burstLimiter);
+app.use('/api/', dailyLimiter);
+
+// Mount the App-Specific Routes
+app.use('/api/viralcat', trendCatRouter);
+app.use('/api/drcat', drCatRouter); 
+app.use('/api/aurameasure', auraMeasure);
+
 
 app.get('/', async (req, res) => { res.json({ success: true, ecosystem: "Everyday Cats Backend" }); });
 
-app.listen(PORT, '0.0.0.0', () => console.log(`😻 Everyday Cats Ecosystem live on port ${PORT}`));
+app.listen(PORT, '0.0.0.0', () => console.log(`😻 Everyday Cats Ecosystem live on port ${PORT} with Rate Limits Active!`));