tessl/npm-express-rate-limit

Express middleware for IP-based rate limiting with flexible configuration options and multiple storage backends

Skip-Aware Access Control

Design an Express application that uses rate limiting to enforce per-client quotas while skipping or re-counting requests based on outcomes.

Capabilities

Healthcheck bypass

  • GET /health always returns 200 and never consumes any rate-limit quota, even when other routes are exhausted. @test

Login attempts count failures only

  • POST /login allows 5 attempts per minute per client; only responses that finish with HTTP status 400 or higher consume attempts. After five failed responses, the sixth failed response returns 429. Successful responses do not reduce the remaining attempts. @test

Download failures ignored

  • GET /reports/:id/download allows 3 successful downloads per minute per client; responses that finish with HTTP status 400 or higher do not reduce the remaining quota. The fourth successful download within the window returns 429. @test

MFA redirects treated as failures

  • For POST /login, any response that finishes with status 302 and header x-mfa-required: true counts against the login attempt quota; the same redirect without that header does not consume attempts. @test
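The counting rules above can be checked with a dependency-free model, added here as an example (it is not part of the task file and not express-rate-limit's own code): each request is counted on arrival and the hit is refunded once the finished response shows it should be skipped. The plain `res` object shape, `createLimiter` and `replay` are assumptions of this example; the policy keys are named after the express-rate-limit options `skipSuccessfulRequests`, `skipFailedRequests` and `requestWasSuccessful`.

```javascript
// Added example: a simplified, dependency-free model (not express-rate-limit's code).
const WINDOW_MS = 60_000;

// Predicates shaped like a requestWasSuccessful(req, res) callback.
// `res` is a constructed plain object: { statusCode, headers } with lowercase header names.
function loginWasSuccessful(_req, res) {
  const mfaChallenge =
    res.statusCode === 302 &&
    String(res.headers["x-mfa-required"] ?? "").toLowerCase() === "true";
  return res.statusCode < 400 && !mfaChallenge;
}
function downloadWasSuccessful(_req, res) {
  return res.statusCode < 400;
}

// Constructed policies: which outcomes get their hit refunded once the response finishes.
const loginPolicy = { limit: 5, skipSuccessfulRequests: true, requestWasSuccessful: loginWasSuccessful };
const downloadPolicy = { limit: 3, skipFailedRequests: true, requestWasSuccessful: downloadWasSuccessful };

// Fixed-window counter per client key: count on arrival, refund after the outcome is known.
function createLimiter(policy, now = () => Date.now()) {
  const hits = new Map(); // key -> { count, resetAt }
  return function handle(key, respond) {
    let entry = hits.get(key);
    if (!entry || now() >= entry.resetAt) {
      entry = { count: 0, resetAt: now() + WINDOW_MS };
      hits.set(key, entry);
    }
    entry.count += 1;
    const res = entry.count > policy.limit ? { statusCode: 429, headers: {} } : respond();
    const ok = policy.requestWasSuccessful({}, res);
    if ((ok && policy.skipSuccessfulRequests) || (!ok && policy.skipFailedRequests)) {
      entry.count -= 1; // this outcome does not consume quota
    }
    return res;
  };
}

// Replays a list of route outcomes for one client and returns the status codes it observed.
function replay(limiter, key, outcomes) {
  return outcomes.map((res) => limiter(key, () => res).statusCode);
}
```

In an Express handler the header would be read with `res.getHeader("x-mfa-required")` rather than from a plain `headers` object.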

Implementation

@generates

API

import express from "express";

/**
 * Builds an Express application with rate limiting applied to /login and /reports/:id/download,
 * while keeping /health unthrottled.
 * @returns {import("express").Express}
 */
export function createApp(): import("express").Express;

Dependencies { .dependencies }

express-rate-limit { .dependency }

Rate limiting middleware that enforces quotas and adjusts counters after responses finish.

@satisfied-by

express { .dependency }

HTTP server framework for defining routes.

@satisfied-by
