post rate limiting

server/package-lock.json

@@ -13,6 +13,7 @@
         "cors": "^2.8.5",
         "dotenv": "^16.0.1",
         "express": "^4.18.1",
+        "express-rate-limit": "^6.4.0",
         "helmet": "^5.1.0",
         "sqlite3": "^5.0.8"
       },
@@ -1609,6 +1610,17 @@
         "node": ">= 0.10.0"
       }
     },
+    "node_modules/express-rate-limit": {
+      "version": "6.4.0",
+      "resolved": "https://registry.npmjs.org/express-rate-limit/-/express-rate-limit-6.4.0.tgz",
+      "integrity": "sha512-lxQRZI4gi3qAWTf0/Uqsyugsz57h8bd7QyllXBgJvd6DJKokzW7C5DTaNvwzvAQzwHGFaItybfYGhC8gpu0V2A==",
+      "engines": {
+        "node": ">= 12.9.0"
+      },
+      "peerDependencies": {
+        "express": "^4 || ^5"
+      }
+    },
     "node_modules/fast-safe-stringify": {
       "version": "2.1.1",
       "resolved": "https://registry.npmjs.org/fast-safe-stringify/-/fast-safe-stringify-2.1.1.tgz",
@@ -5229,6 +5241,12 @@
         "vary": "~1.1.2"
       }
     },
+    "express-rate-limit": {
+      "version": "6.4.0",
+      "resolved": "https://registry.npmjs.org/express-rate-limit/-/express-rate-limit-6.4.0.tgz",
+      "integrity": "sha512-lxQRZI4gi3qAWTf0/Uqsyugsz57h8bd7QyllXBgJvd6DJKokzW7C5DTaNvwzvAQzwHGFaItybfYGhC8gpu0V2A==",
+      "requires": {}
+    },
     "fast-safe-stringify": {
       "version": "2.1.1",
       "resolved": "https://registry.npmjs.org/fast-safe-stringify/-/fast-safe-stringify-2.1.1.tgz",

server/package.json

@@ -15,6 +15,7 @@
     "cors": "^2.8.5",
     "dotenv": "^16.0.1",
     "express": "^4.18.1",
+    "express-rate-limit": "^6.4.0",
     "helmet": "^5.1.0",
     "sqlite3": "^5.0.8"
   },

server/server.ts

@@ -1,9 +1,10 @@
 import "dotenv/config";
-import express, { Express, Request, Response } from "express";
+import express, { Express, Request } from "express";
 import cors from "cors";
 import { PrismaClient, EncryptedNote } from "@prisma/client";
 import { addDays } from "./util";
 import helmet from "helmet";
+import rateLimit from "express-rate-limit";
 
 // Initialize middleware clients
 const prisma = new PrismaClient();
@@ -21,22 +22,35 @@ if (process.env.ENVIRONMENT == "dev") {
   );
 }
 
+// Apply rate limiting
+const postLimiter = rateLimit({
+  windowMs: 5000, // 1 day
+  // windowMs: 1000 * 60 * 60 * 24, // 1 day
+  max: 1, // Limit each IP to 50 requests per window
+  standardHeaders: true, // Return rate limit info in the `RateLimit-*` headers
+  legacyHeaders: false, // Disable the `X-RateLimit-*` headers
+});
+
 // start the Express server
 app.listen(process.env.PORT, () => {
   console.log(`server started at http://localhost:${process.env.PORT}`);
 });
 
 // Post new encrypted note
-app.post("/note/", async (req: Request<{}, {}, EncryptedNote>, res) => {
+app.post(
-  const note = req.body;
+  "/note/",
-  const savedNote = await prisma.encryptedNote.create({
+  postLimiter,
-    data: { ...note, expire_time: addDays(new Date(), 30) },
+  async (req: Request<{}, {}, EncryptedNote>, res) => {
-  });
+    const note = req.body;
-  res.json({
+    const savedNote = await prisma.encryptedNote.create({
-    view_url: `${process.env.FRONTEND_URL}/note/${savedNote.id}`,
+      data: { ...note, expire_time: addDays(new Date(), 30) },
-    expire_time: savedNote.expire_time,
+    });
-  });
+    res.json({
-});
+      view_url: `${process.env.FRONTEND_URL}/note/${savedNote.id}`,
+      expire_time: savedNote.expire_time,
+    });
+  }
+);
 
 // Get encrypted note
 app.get("/note/:id", async (req, res) => {