
backend: implement rate limiting middleware for public profile endpoints #26

@ShantKhatri

Description


Summary

The public profile endpoints in apps/backend/src/routes/public.ts are currently unprotected against abuse. Add a Fastify-compatible rate limiter using @fastify/rate-limit to protect /api/public/:username and related routes.

Context

This is important for production readiness as the public card view page is unauthenticated and could be scraped at scale.

Tasks

  • install @fastify/rate-limit in apps/backend.
  • register the plugin in apps/backend/src/app.ts with global defaults (e.g. 100 req / 1 min per IP).
  • override stricter limits for /api/public/:username (e.g. 30 req / 1 min).
  • return RFC 7807-compliant error body { error: 'Too Many Requests', retryAfter: N } with 429 status.
  • add integration tests in apps/backend/src/__tests__/public.test.ts to assert the 429 path.
  • document the configuration options in apps/backend/README.md.

Acceptance Criteria

  • rate limit applies to public endpoints without affecting authenticated routes.
  • 429 response is returned with Retry-After header and structured body.
  • tests pass with pnpm --filter @devcard/backend test.

Difficulty

medium — requires understanding of Fastify plugin registration, middleware order, and HTTP conventions.
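The following is an added, self-contained example (not code from the devcard repository and not from @ShantKhatri) that models the limit semantics the issue asks for: a fixed-window counter keyed by client IP, the global 100 req/min default, the stricter 30 req/min override for `/api/public/:username`, and a 429 response carrying `Retry-After` and the `{ error: 'Too Many Requests', retryAfter: N }` body. It deliberately does not depend on `fastify` or `@fastify/rate-limit` so it runs offline; the `RateLimitGate`, `policyFor` helper, route paths and IP addresses are assumptions constructed for the illustration. The clock is injectable so the window maths can be checked deterministically.

```typescript
// Added example (not the project's code): fixed-window per-IP rate limiting
// with the 429 contract described in the issue. No Fastify dependency.

interface RateLimitPolicy {
  max: number;       // requests permitted per window
  windowMs: number;  // window length in milliseconds
}

interface Decision {
  allowed: boolean;
  limit: number;
  remaining: number;
  retryAfterSec: number; // seconds until the window resets; 0 when allowed
}

// Policies taken from the issue text: global default and the stricter public-profile override.
const GLOBAL_POLICY: RateLimitPolicy = { max: 100, windowMs: 60_000 };
const PUBLIC_PROFILE_POLICY: RateLimitPolicy = { max: 30, windowMs: 60_000 };

interface WindowState { count: number; resetAt: number; }

class FixedWindowLimiter {
  private readonly policy: RateLimitPolicy;
  private readonly buckets = new Map<string, WindowState>(); // key (client IP) -> window

  constructor(policy: RateLimitPolicy) { this.policy = policy; }

  // Record one request for `key` at time `now` (ms) and decide whether it may proceed.
  hit(key: string, now: number = Date.now()): Decision {
    let state = this.buckets.get(key);
    if (!state || now >= state.resetAt) {
      // First request for this key, or the previous window has expired: open a new window.
      state = { count: 0, resetAt: now + this.policy.windowMs };
      this.buckets.set(key, state);
    }
    if (state.count >= this.policy.max) {
      // Over limit: do not count the request, report how long until the window resets.
      const retryAfterSec = Math.max(1, Math.ceil((state.resetAt - now) / 1000));
      return { allowed: false, limit: this.policy.max, remaining: 0, retryAfterSec };
    }
    state.count += 1;
    return { allowed: true, limit: this.policy.max, remaining: this.policy.max - state.count, retryAfterSec: 0 };
  }
}

// Assumed route-to-policy mapping: the unauthenticated public profile routes get the stricter limit.
function policyFor(routePath: string): RateLimitPolicy {
  return routePath.startsWith("/api/public/") ? PUBLIC_PROFILE_POLICY : GLOBAL_POLICY;
}

interface TooManyRequestsResponse {
  status: 429;
  headers: { "Retry-After": string; "X-RateLimit-Limit": string; "X-RateLimit-Remaining": string };
  body: { error: "Too Many Requests"; retryAfter: number };
}

// Build the 429 response from a rejecting decision: Retry-After header plus the structured body.
function buildTooManyRequests(d: Decision): TooManyRequestsResponse {
  return {
    status: 429,
    headers: {
      "Retry-After": String(d.retryAfterSec),
      "X-RateLimit-Limit": String(d.limit),
      "X-RateLimit-Remaining": String(d.remaining),
    },
    body: { error: "Too Many Requests", retryAfter: d.retryAfterSec },
  };
}

type GateResult = { status: 200 } | TooManyRequestsResponse;

// Assumed request gate: one limiter per policy, so public-profile traffic is counted
// separately from authenticated routes (the acceptance criterion in the issue).
class RateLimitGate {
  private readonly limiters = new Map<RateLimitPolicy, FixedWindowLimiter>();

  check(req: { ip: string; path: string }, now: number = Date.now()): GateResult {
    const policy = policyFor(req.path);
    let limiter = this.limiters.get(policy);
    if (!limiter) {
      limiter = new FixedWindowLimiter(policy);
      this.limiters.set(policy, limiter);
    }
    const decision = limiter.hit(req.ip, now);
    return decision.allowed ? { status: 200 } : buildTooManyRequests(decision);
  }
}

// Constructed walk-through: 31 requests to a public profile from one IP (RFC 5737 test address)
// within one minute; the 31st is rejected, while an authenticated route from the same IP still passes.
function demo(): { thirtyFirst: GateResult; authenticated: GateResult } {
  const gate = new RateLimitGate();
  const t0 = 1_700_000_000_000;
  for (let i = 0; i < 30; i++) gate.check({ ip: "203.0.113.7", path: "/api/public/alice" }, t0);
  const thirtyFirst = gate.check({ ip: "203.0.113.7", path: "/api/public/alice" }, t0 + 15_000);
  const authenticated = gate.check({ ip: "203.0.113.7", path: "/api/cards" }, t0 + 15_000);
  return { thirtyFirst, authenticated };
}
```

When this is wired through `@fastify/rate-limit`, the `max`/`windowMs` pairs above correspond to the plugin's `max` and `timeWindow` options, the stricter public-profile policy becomes a per-route `config.rateLimit` override, and `buildTooManyRequests` is the shape of an `errorResponseBuilder`; the per-IP key, the window reset and the `Retry-After` arithmetic are what the integration test in `public.test.ts` should assert on.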
