feat: implement configurable rate limiting with per-endpoint and per-user limits

[Sundriveauto]

Summary

Replaces the previous basic rate limiting (fixed-window express-rate-limit + hardcoded sliding window) with a comprehensive, configurable, multi-tier rate limiting system that protects against abuse and DoS attacks.

Changes

New file: backend/src/config/rateLimit.config.ts

• Centralized rate limit profile definitions per endpoint
• Endpoint-specific rules with priority-based matching:
  • auth/login (POST): 5 req/s burst, 20 req/min sustained
  • auth/register (POST): 3 req/s burst, 10 req/min sustained
  • /certificates, /enrollments, /courses: 120 req/s burst, 1000 req/min
  • /security: 10 req/s burst, 60 req/min
  • /generator: 5 req/s burst, 30 req/min
  • /contracts: 15 req/s burst, 100 req/min
• Role-based fallback profiles: unauthenticated (20/200), authenticated (80/600), admin (200/2000)
• Env-var override support via setRateLimitEnvOverrides()

Rewritten: backend/src/middleware/rateLimiter.ts

• Dual-tier rate limiting: burst (short window) + sustained (long window) checked together
• Per-user tracking: authenticated requests keyed by userId for accurate quota enforcement
• Per-IP tracking: anonymous requests keyed by IP address
• Standard RateLimit headers: RateLimit-Limit, RateLimit-Remaining, RateLimit-Reset
• Detailed debug headers: X-RateLimit-Burst-*, X-RateLimit-Sustained-*
• Fail-open: if Redis is unavailable, requests proceed with a warning log
• Test mode bypass: skips rate limiting in NODE_ENV=test
• Abuse logging: WARN-level logs when limits are exceeded (user/IP, endpoint, remaining quota)
• Preserved legacy slidingWindowRateLimiter factory for route-specific overrides

Modified: backend/src/index.ts

• Replaced express-rate-limit + old apiRateLimiter with new rateLimiter middleware
• Rate limiting is conditionally applied via config.rateLimiting.enabled
• Wires env-var overrides for login/register limits

Modified: backend/src/config/env.config.ts

• Added rateLimiting config section with env-var-backed settings

Modified: backend/.env.example

• Added all RATE_LIMIT_* environment variables with documentation

Configuration via environment variables

Variable	Default	Description
RATE_LIMIT_ENABLED	true	Toggle rate limiting
RATE_LIMIT_BURST_MAX	20	Default burst limit (unauth)
RATE_LIMIT_SUSTAINED_MAX	200	Default sustained limit (unauth)
RATE_LIMIT_AUTH_BURST_MAX	80	Burst limit for authenticated users
RATE_LIMIT_AUTH_SUSTAINED_MAX	600	Sustained limit for authenticated users
RATE_LIMIT_ADMIN_BURST_MAX	200	Burst limit for admin users
RATE_LIMIT_ADMIN_SUSTAINED_MAX	2000	Sustained limit for admin users
RATE_LIMIT_LOGIN_BURST_MAX	5	Login endpoint burst limit
RATE_LIMIT_REGISTER_BURST_MAX	3	Registration endpoint burst limit

Testing

• Rate limiting applied globally with per-endpoint override rules
• Authenticated users tracked by userId, anonymous by IP
• Both burst and sustained limits must be satisfied
• Fail-open when Redis is unavailable
• Skipped entirely in test environment