Pull Request: Infrastructure Hardening: Metrics, Queues & Rate Limiting (#243-246) #285

Merged
JerryIdoko merged 2 commits into Vesting-Vault:main from JamesEjembi:feature/infra-hardening-metrics-queues-security
Apr 24, 2026
@JamesEjembi
Contributor

📝 Description
This PR transitions the Vesting-Vault API from a basic backend into a production-grade, observable, and resilient architecture. We have addressed critical bottlenecks by offloading heavy tasks to workers and protected the API from potential abuse.

🎯 Key Changes by Module

  1. Observability: Prometheus Integration (Expose Prometheus Metrics for Internal Dashboard #243)
    Metrics Endpoint: Integrated @willsoto/nestjs-prometheus to expose /metrics.

Standard Collectors: Now tracking Node.js heap usage, API response latency, and database connection pool health.

Custom Counters: Added custom metrics for total_ledger_blocks_indexed and vesting_schedules_created.

  2. Performance: BullMQ Worker Threads (Migrate Heavy Computations to BullMQ Worker Threads #244)
    Asynchronous Jobs: Heavy computations (PDF report generation and CSV exports) are now offloaded from the main event loop.

Architecture: Implemented a Producer/Consumer pattern using Redis as the broker. This ensures the main API remains responsive even during high-volume report requests.

  3. Security: Redis-Backed Rate Limiting (Implement Redis-Backed Rate Limiting (Global & Per-IP) #245, Implement Redis-Backed Rate Limiting (Global & Per-IP) #246)
    Throttler Module: Implemented ThrottlerModule with a Redis storage provider to maintain rate limits across multiple API instances.

Tiered Limits:

* Public API: 100 requests / 60 seconds.
* Auth/Sensitive: 5 requests / 60 seconds.

Storage: Leveraged existing Redis infrastructure to ensure state persistence and high-speed limit checks.

💻 Implementation Snippet: Rate Limiting Config
```typescript
// src/app.module.ts
ThrottlerModule.forRootAsync({
  imports: [ConfigModule],
  inject: [ConfigService],
  useFactory: (config: ConfigService) => ({
    // Redis-backed storage so counters are shared across API instances
    storage: new ThrottlerStorageRedisService(config.get('REDIS_URL')),
    throttlers: [
      { name: 'short', ttl: 1000, limit: 3 },     // 3 requests per 1000 ms
      { name: 'medium', ttl: 60000, limit: 100 }, // 100 requests per 60000 ms
    ],
  }),
});
```

✅ Acceptance Criteria Checklist
[x] Metrics: /metrics is accessible and returning valid Prometheus format data.

[x] Queues: PDF generation logs show execution within the Worker context, not the App context.

[x] Security: Repeated fast requests to /auth/login result in a 429 Too Many Requests response.

[x] Persistence: Rate limits and queues are successfully utilizing the Redis cluster.

🚀 How to Verify
Check Metrics: Run curl http://localhost:3000/metrics and verify block-indexing counters.

Test PDF Queue: Request a vesting report and check the bull-board (if enabled) or logs to see the background process finish.

Stress Test Limits: Use ab or locust to hit the login endpoint and verify the 429 status code triggers as expected.

🔗 Linked Issues
Closes #243,
Closes #244,
Closes #245,
Closes #246

@JerryIdoko JerryIdoko merged commit 18797d8 into Vesting-Vault:main Apr 24, 2026
5 of 10 checks passed
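
A simplified model of the tiered limits described in this PR, as an added example that is not code from the PR or from @nestjs/throttler: fixed-window counters per client IP, with an in-memory Map standing in for Redis. `TieredLimiter`, `replay`, the `/auth/` prefix rule, the `auth` throttler name and the sample IP are assumptions made for illustration.

```typescript
// Simplified model: fixed-window counters per client IP. The Map stands in for Redis,
// which in production holds the counters so every API instance sees the same counts.
type Throttler = { name: string; ttl: number; limit: number }; // ttl in milliseconds

// Limits from the PR: the config snippet (short, medium) and the Auth/Sensitive tier.
const PUBLIC_THROTTLERS: Throttler[] = [
  { name: 'short', ttl: 1000, limit: 3 },
  { name: 'medium', ttl: 60000, limit: 100 },
];
const SENSITIVE_THROTTLERS: Throttler[] = [{ name: 'auth', ttl: 60000, limit: 5 }];

class TieredLimiter {
  // key -> hits in the current window and the time that window expires
  private store = new Map<string, { hits: number; expiresAt: number }>();

  // Hypothetical tier selection: routes under /auth/ use the sensitive tier.
  private throttlersFor(route: string): Throttler[] {
    return route.startsWith('/auth/') ? SENSITIVE_THROTTLERS : PUBLIC_THROTTLERS;
  }

  // Returns the status the API would send: 429 as soon as any window is exceeded.
  check(ip: string, route: string, now: number): { status: number; retryAfterMs: number } {
    let retryAfterMs = 0;
    for (const t of this.throttlersFor(route)) {
      const key = `${t.name}:${ip}`;
      let entry = this.store.get(key);
      if (!entry || entry.expiresAt <= now) {
        entry = { hits: 0, expiresAt: now + t.ttl }; // start a fresh window
        this.store.set(key, entry);
      }
      entry.hits += 1; // rejected attempts are counted too
      if (entry.hits > t.limit) {
        retryAfterMs = Math.max(retryAfterMs, entry.expiresAt - now);
      }
    }
    return { status: retryAfterMs > 0 ? 429 : 200, retryAfterMs };
  }
}

// Constructed traffic: one client sends `count` requests spaced `gapMs` apart.
function replay(ip: string, route: string, count: number, gapMs: number): number[] {
  const limiter = new TieredLimiter();
  return Array.from({ length: count }, (_, i) => limiter.check(ip, route, i * gapMs).status);
}
```

Replaying a burst against `/auth/login` shows the sixth request inside the 60-second window turning into a 429, while a public route trips the `short` window on the fourth request within one second.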