summary refs log tree commit diff
path: root/src/api/middlewares/RateLimit.ts
diff options
context:
space:
mode:
authorMadeline <46743919+MaddyUnderStars@users.noreply.github.com>2022-08-22 22:12:00 +1000
committerMadeline <46743919+MaddyUnderStars@users.noreply.github.com>2022-08-22 22:12:00 +1000
commitafefa5d64bd6cde7d6efa3a9a5a3ec67a6ca29a8 (patch)
tree07779150eba77c27bf75bc0c7890f4a3f976716e /src/api/middlewares/RateLimit.ts
parentremoved char joiners as they are actually useful, added page break (diff)
parentMerge remote-tracking branch 'Puyodead1/patch/prettier-config' into staging (diff)
downloadserver-afefa5d64bd6cde7d6efa3a9a5a3ec67a6ca29a8.tar.xz
Merge remote-tracking branch 'upstream/staging' into fix/categoryNames
Diffstat (limited to '')
-rw-r--r--src/api/middlewares/RateLimit.ts (renamed from api/src/middlewares/RateLimit.ts)34
1 files changed, 23 insertions, 11 deletions
diff --git a/api/src/middlewares/RateLimit.ts b/src/api/middlewares/RateLimit.ts

index 1a38cfcf..47180b62 100644 --- a/api/src/middlewares/RateLimit.ts +++ b/src/api/middlewares/RateLimit.ts
@@ -1,4 +1,4 @@ -import { Config, listenEvent } from "@fosscord/util"; +import { Config, getRights, listenEvent, Rights } from "@fosscord/util"; import { NextFunction, Request, Response, Router } from "express"; import { getIpAdress } from "@fosscord/api"; import { API_PREFIX_TRAILING_SLASH } from "./Authentication"; @@ -9,6 +9,7 @@ import { API_PREFIX_TRAILING_SLASH } from "./Authentication"; /* ? bucket limit? Max actions/sec per bucket? +(ANSWER: a small fosscord instance might not need a complex rate limiting system) TODO: delay database requests to include multiple queries TODO: different for methods (GET/POST) @@ -27,7 +28,7 @@ type RateLimit = { expires_at: Date; }; -var Cache = new Map<string, RateLimit>(); +let Cache = new Map<string, RateLimit>(); const EventRateLimit = "RATELIMIT"; export default function rateLimit(opts: { @@ -44,21 +45,27 @@ export default function rateLimit(opts: { onlyIp?: boolean; }): any { return async (req: Request, res: Response, next: NextFunction): Promise<any> => { + // exempt user? if so, immediately short circuit + if (req.user_id) { + const rights = await getRights(req.user_id); + if (rights.has("BYPASS_RATE_LIMITS")) return; + } + const bucket_id = opts.bucket || req.originalUrl.replace(API_PREFIX_TRAILING_SLASH, ""); - var executor_id = getIpAdress(req); + let executor_id = getIpAdress(req); if (!opts.onlyIp && req.user_id) executor_id = req.user_id; - var max_hits = opts.count; + let max_hits = opts.count; if (opts.bot && req.user_bot) max_hits = opts.bot; if (opts.GET && ["GET", "OPTIONS", "HEAD"].includes(req.method)) max_hits = opts.GET; else if (opts.MODIFY && ["POST", "DELETE", "PATCH", "PUT"].includes(req.method)) max_hits = opts.MODIFY; - const offender = Cache.get(executor_id + bucket_id); + let offender = Cache.get(executor_id + bucket_id); if (offender) { - const reset = offender.expires_at.getTime(); - const resetAfterMs = reset - Date.now(); - const resetAfterSec = resetAfterMs / 1000; + let reset = offender.expires_at.getTime(); + let resetAfterMs = reset - Date.now(); + let resetAfterSec = Math.ceil(resetAfterMs / 1000); if (resetAfterMs <= 0) { offender.hits = 0; @@ -70,6 +77,11 @@ export default function rateLimit(opts: { if (offender.blocked) { const global = bucket_id === "global"; + // each block violation pushes the expiry one full window further + reset += opts.window * 1000; + offender.expires_at = new Date(offender.expires_at.getTime() + opts.window * 1000); + resetAfterMs = reset - Date.now(); + resetAfterSec = Math.ceil(resetAfterMs / 1000); console.log("blocked bucket: " + bucket_id, { resetAfterMs }); return ( @@ -151,9 +163,9 @@ export async function initRateLimits(app: Router) { app.use("/auth/register", rateLimit({ onlyIp: true, success: true, ...routes.auth.register })); } -async function hitRoute(opts: { executor_id: string; bucket_id: string; max_hits: number; window: number }) { +async function hitRoute(opts: { executor_id: string; bucket_id: string; max_hits: number; window: number; }) { const id = opts.executor_id + opts.bucket_id; - var limit = Cache.get(id); + let limit = Cache.get(id); if (!limit) { limit = { id: opts.bucket_id, @@ -171,7 +183,7 @@ async function hitRoute(opts: { executor_id: string; bucket_id: string; max_hits } /* - var ratelimit = await RateLimit.findOne({ id: opts.bucket_id, executor_id: opts.executor_id }); + let ratelimit = await RateLimit.findOne({ where: { id: opts.bucket_id, executor_id: opts.executor_id } }); if (!ratelimit) { ratelimit = new RateLimit({ id: opts.bucket_id,