Rate limit /api requests from each IP address

100 requests each 5 minutes.
2025-12-24 14:12:40 +00:00 · 2024-09-29 23:37:26 -04:00
parent 8ab6a8599d
commit 68895bdca2
4 changed files with 40 additions and 0 deletions
--- a/server/homebrew.api.js
+++ b/server/homebrew.api.js
@@ -9,6 +9,7 @@ const yaml = require('js-yaml');
 const asyncHandler = require('express-async-handler');
 const { nanoid } = require('nanoid');
 const { splitTextStyleAndMetadata } = require('../shared/helpers.js');
+const rateLimit = require('express-rate-limit');

 const { DEFAULT_BREW, DEFAULT_BREW_LOAD } = require('./brewDefaults.js');

@@ -24,6 +25,16 @@ const isStaticTheme = (renderer, themeName)=>{
 // 	});
 // };

+// Define rate limiter options
+const rateLimiter = rateLimit({
+	timeWindow : 5 * 60 * 1000, // 5 minutes window
+	max        : 100, // limit each IP to 100 requests per timeWindow
+	handler: (req, res, next) => {
+		console.log(`Rate limiting user ${req.account?.username}`);
+		throw { HBErrorCode: '55', status: 429, message: 'Too many requests from this IP, please try again after 5 minutes'};
+	}
+});
+
 const MAX_TITLE_LENGTH = 100;

 const api = {
@@ -473,6 +484,7 @@ const api = {
 	}
 };

+router.use('/api', rateLimiter);
 router.use('/api', require('./middleware/check-client-version.js'));
 router.post('/api', asyncHandler(api.newBrew));
 router.put('/api/:id', asyncHandler(api.getBrew('edit', true)), asyncHandler(api.updateBrew));