Implement Rate Limiting

[Josue19-08]

Pull Request: Implement Rate Limiting

Closes #175

🚦 Overview

This PR implements comprehensive rate limiting for course and user creation operations to protect against spam attacks as requested in issue #175.

📋 Changes Made

Core Features

• ✅ User Creation Rate Limiting: Max 5 user profiles per hour per address
• ✅ Course Creation Rate Limiting: Max 3 courses per hour per address
• ✅ Sliding Time Windows: Automatic reset every hour (3600 seconds)
• ✅ Independent Tracking: Each address has separate rate limit counters
• ✅ Flexible Configuration: Admins can adjust limits via contract functions

Files Modified

User Management Contract

• src/schema.rs - Added RateLimitConfig, RateLimitData structures and storage keys
• src/error.rs - Added RateLimitExceeded and RateLimitNotConfigured error types
• src/functions/utils/rate_limit_utils.rs - NEW Rate limiting validation logic
• src/functions/utils/mod.rs - NEW Utils module exports
• src/functions/mod.rs - Export utils module
• src/functions/create_user_profile.rs - Integrated rate limiting validation
• src/functions/admin_management.rs - Auto-initialize default rate limit config
• src/functions/delete_user.rs - Updated admin config structure in tests
• src/functions/utils/storage_utils.rs - Simplified for Soroban compatibility

Course Registry Contract

• src/schema.rs - Added CourseRateLimitConfig, CourseRateLimitData structures
• src/error.rs - Added CourseRateLimitExceeded and CourseRateLimitNotConfigured
• src/functions/course_rate_limit_utils.rs - NEW Course rate limiting utilities
• src/functions/mod.rs - Export course rate limit utils
• src/functions/create_course.rs - Integrated rate limiting validation
• src/functions/access_control.rs - Auto-initialize course rate limiting
• src/functions/edit_prerequisite.rs - Configured permissive limits for complex tests

🛡️ Security Features

Rate Limiting Logic

// Default configurations
const DEFAULT_RATE_LIMIT_WINDOW: u64 = 3600; // 1 hour
const DEFAULT_MAX_USER_CREATIONS_PER_WINDOW: u32 = 5;
const DEFAULT_MAX_COURSE_CREATIONS_PER_WINDOW: u32 = 3;

Automatic Window Management

• Window Reset: Automatically resets when time window expires
• Counter Tracking: Increments on each successful operation
• Spam Protection: Blocks requests when limit exceeded

Error Handling

• Error(Contract, #26) - User rate limit exceeded
• Error(Contract, #32) - Course rate limit exceeded
• Graceful fallback to default config if system not initialized

🧪 Testing

Compatibility

• ✅ All existing tests pass - No breaking changes
• ✅ Backward compatibility - Works with and without system initialization
• ✅ Test isolation - Complex tests use permissive rate limiting (100/hour)

Integration

• Rate limiting is automatically active on contract deployment
• No manual configuration required - uses sensible defaults
• Admin configurable - limits can be adjusted post-deployment

📊 Impact

Before

• ❌ No protection against spam attacks
• ❌ Unlimited course/user creation
• ❌ Potential for abuse and resource exhaustion

After

• ✅ Robust spam protection with configurable limits
• ✅ Automatic rate limiting on all creation operations
• ✅ Flexible administration with runtime configuration
• ✅ Zero breaking changes to existing functionality

🚀 Deployment

The rate limiting system is production-ready and will be automatically active upon deployment with these default settings:

• Users: 5 creations per hour per address
• Courses: 3 creations per hour per address
• Window: 1 hour sliding windows
• Storage: Persistent tracking per address

---

Ready for review and merge! 🎉