post rate limiting

2022-06-29 22:19:50 +02:00 · 2022-06-29 22:19:50 +02:00 · 91f6205b90
commit 91f6205b90
parent f78de8ab3d
4 changed files with 44 additions and 11 deletions
--- a/server/package-lock.json
+++ b/server/package-lock.json
@ -13,6 +13,7 @@
        "cors": "^2.8.5",
        "dotenv": "^16.0.1",
        "express": "^4.18.1",
+        "express-rate-limit": "^6.4.0",
        "helmet": "^5.1.0",
        "sqlite3": "^5.0.8"
      },
@ -1609,6 +1610,17 @@
        "node": ">= 0.10.0"
      }
    },
+    "node_modules/express-rate-limit": {
+      "version": "6.4.0",
+      "resolved": "https://registry.npmjs.org/express-rate-limit/-/express-rate-limit-6.4.0.tgz",
+      "integrity": "sha512-lxQRZI4gi3qAWTf0/Uqsyugsz57h8bd7QyllXBgJvd6DJKokzW7C5DTaNvwzvAQzwHGFaItybfYGhC8gpu0V2A==",
+      "engines": {
+        "node": ">= 12.9.0"
+      },
+      "peerDependencies": {
+        "express": "^4 || ^5"
+      }
+    },
    "node_modules/fast-safe-stringify": {
      "version": "2.1.1",
      "resolved": "https://registry.npmjs.org/fast-safe-stringify/-/fast-safe-stringify-2.1.1.tgz",
@ -5229,6 +5241,12 @@
        "vary": "~1.1.2"
      }
    },
+    "express-rate-limit": {
+      "version": "6.4.0",
+      "resolved": "https://registry.npmjs.org/express-rate-limit/-/express-rate-limit-6.4.0.tgz",
+      "integrity": "sha512-lxQRZI4gi3qAWTf0/Uqsyugsz57h8bd7QyllXBgJvd6DJKokzW7C5DTaNvwzvAQzwHGFaItybfYGhC8gpu0V2A==",
+      "requires": {}
+    },
    "fast-safe-stringify": {
      "version": "2.1.1",
      "resolved": "https://registry.npmjs.org/fast-safe-stringify/-/fast-safe-stringify-2.1.1.tgz",
--- a/server/package.json
+++ b/server/package.json
@ -15,6 +15,7 @@
    "cors": "^2.8.5",
    "dotenv": "^16.0.1",
    "express": "^4.18.1",
+    "express-rate-limit": "^6.4.0",
    "helmet": "^5.1.0",
    "sqlite3": "^5.0.8"
  },
--- a/server/prisma/dev.db
+++ b/server/prisma/dev.db
--- a/server/server.ts
+++ b/server/server.ts
@ -1,9 +1,10 @@
 import "dotenv/config";
-import express, { Express, Request, Response } from "express";
+import express, { Express, Request } from "express";
 import cors from "cors";
 import { PrismaClient, EncryptedNote } from "@prisma/client";
 import { addDays } from "./util";
 import helmet from "helmet";
+import rateLimit from "express-rate-limit";

 // Initialize middleware clients
 const prisma = new PrismaClient();
@ -21,22 +22,35 @@ if (process.env.ENVIRONMENT == "dev") {
  );
 }

+// Apply rate limiting
+const postLimiter = rateLimit({
+  windowMs: 5000, // 1 day
+  // windowMs: 1000 * 60 * 60 * 24, // 1 day
+  max: 1, // Limit each IP to 50 requests per window
+  standardHeaders: true, // Return rate limit info in the `RateLimit-*` headers
+  legacyHeaders: false, // Disable the `X-RateLimit-*` headers
+});
+
 // start the Express server
 app.listen(process.env.PORT, () => {
  console.log(`server started at http://localhost:${process.env.PORT}`);
 });

 // Post new encrypted note
-app.post("/note/", async (req: Request<{}, {}, EncryptedNote>, res) => {
-  const note = req.body;
-  const savedNote = await prisma.encryptedNote.create({
-    data: { ...note, expire_time: addDays(new Date(), 30) },
-  });
-  res.json({
-    view_url: `${process.env.FRONTEND_URL}/note/${savedNote.id}`,
-    expire_time: savedNote.expire_time,
-  });
-});
+app.post(
+  "/note/",
+  postLimiter,
+  async (req: Request<{}, {}, EncryptedNote>, res) => {
+    const note = req.body;
+    const savedNote = await prisma.encryptedNote.create({
+      data: { ...note, expire_time: addDays(new Date(), 30) },
+    });
+    res.json({
+      view_url: `${process.env.FRONTEND_URL}/note/${savedNote.id}`,
+      expire_time: savedNote.expire_time,
+    });
+  }
+);

 // Get encrypted note
 app.get("/note/:id", async (req, res) => {