feat(24-01): refactor rateLimit to factory pattern with createRateLimit

- Add createRateLimit(maxAttempts, windowMs) factory function
- Rewrite rateLimit export to delegate to factory (backward compatible)
- Keep shared store, getClientIp, cleanup, and _resetForTesting unchanged
- Add createRateLimit factory test suite with 5 test cases
- All existing rateLimit middleware tests still pass

tests/middleware/rateLimit.test.ts

@@ -2,6 +2,7 @@ import { beforeEach, describe, expect, it } from "bun:test";
 import { Hono } from "hono";
 import {
 	_resetForTesting,
+	createRateLimit,
 	rateLimit,
 } from "../../src/server/middleware/rateLimit";
 
@@ -19,6 +20,13 @@ function makeRequest(app: Hono, path: string, ip = "127.0.0.1") {
 	});
 }
 
+function makeGetRequest(app: Hono, path: string, ip = "127.0.0.1") {
+	return app.request(path, {
+		method: "GET",
+		headers: { "x-forwarded-for": ip },
+	});
+}
+
 describe("rateLimit middleware", () => {
 	beforeEach(() => {
 		_resetForTesting();
@@ -83,3 +91,90 @@ describe("rateLimit middleware", () => {
 		expect(allowedSetup.status).toBe(200);
 	});
 });
+
+describe("createRateLimit factory", () => {
+	beforeEach(() => {
+		_resetForTesting();
+	});
+
+	it("blocks on 4th request when limit is 3", async () => {
+		const limit3 = createRateLimit(3, 60_000);
+		const app = new Hono();
+		app.get("/items", limit3, (c) => c.json({ ok: true }));
+
+		for (let i = 0; i < 3; i++) {
+			const res = await makeGetRequest(app, "/items");
+			expect(res.status).toBe(200);
+		}
+		const res = await makeGetRequest(app, "/items");
+		expect(res.status).toBe(429);
+	});
+
+	it("allows exactly 10 requests then blocks on 11th", async () => {
+		const limit10 = createRateLimit(10, 60_000);
+		const app = new Hono();
+		app.get("/catalog", limit10, (c) => c.json({ ok: true }));
+
+		for (let i = 0; i < 10; i++) {
+			const res = await makeGetRequest(app, "/catalog");
+			expect(res.status).toBe(200);
+		}
+		const res = await makeGetRequest(app, "/catalog");
+		expect(res.status).toBe(429);
+	});
+
+	it("tracks different IPs independently", async () => {
+		const limit3 = createRateLimit(3, 60_000);
+		const app = new Hono();
+		app.get("/items", limit3, (c) => c.json({ ok: true }));
+
+		for (let i = 0; i < 3; i++) {
+			await makeGetRequest(app, "/items", "192.168.1.1");
+		}
+		const blocked = await makeGetRequest(app, "/items", "192.168.1.1");
+		expect(blocked.status).toBe(429);
+
+		// Different IP should still be allowed
+		const allowed = await makeGetRequest(app, "/items", "192.168.1.2");
+		expect(allowed.status).toBe(200);
+	});
+
+	it("includes Retry-After header on 429 response", async () => {
+		const limit2 = createRateLimit(2, 60_000);
+		const app = new Hono();
+		app.get("/tags", limit2, (c) => c.json({ ok: true }));
+
+		await makeGetRequest(app, "/tags");
+		await makeGetRequest(app, "/tags");
+		const res = await makeGetRequest(app, "/tags");
+
+		expect(res.status).toBe(429);
+		const retryAfter = res.headers.get("Retry-After");
+		expect(retryAfter).toBeTruthy();
+		expect(Number(retryAfter)).toBeGreaterThan(0);
+	});
+
+	it("two instances with different limits operate independently", async () => {
+		const limit3 = createRateLimit(3, 60_000);
+		const limit5 = createRateLimit(5, 60_000);
+
+		const app = new Hono();
+		app.get("/browse", limit3, (c) => c.json({ ok: true }));
+		app.get("/detail", limit5, (c) => c.json({ ok: true }));
+
+		// Exhaust browse limit (3)
+		for (let i = 0; i < 3; i++) {
+			await makeGetRequest(app, "/browse");
+		}
+		const blockedBrowse = await makeGetRequest(app, "/browse");
+		expect(blockedBrowse.status).toBe(429);
+
+		// Detail endpoint still has its own limit (5) and should work
+		for (let i = 0; i < 5; i++) {
+			const res = await makeGetRequest(app, "/detail");
+			expect(res.status).toBe(200);
+		}
+		const blockedDetail = await makeGetRequest(app, "/detail");
+		expect(blockedDetail.status).toBe(429);
+	});
+});