Add rate limiting to routes

paustint · paustint · commit 4f56ed4bc96d · 2024-08-29T21:21:48.000-05:00
diff --git a/apps/api/src/app/controllers/image.controller.ts b/apps/api/src/app/controllers/image.controller.ts
@@ -21,7 +21,7 @@ const getUploadSignature = createRoute(routeDefinition.getUploadSignature.valida
     const apiKey = cloudinary.config().api_key;
     // eslint-disable-next-line @typescript-eslint/no-non-null-assertion
     const apiSecret = cloudinary.config().api_secret!;
-    const context = `caption=${userId.replace('|', '\\|')}|environment=${ENV.JETSTREAM_SERVER_URL}`;
+    const context = `caption=${userId.replaceAll('|', '\\|')}|environment=${ENV.JETSTREAM_SERVER_URL}`;
 
     const signature = cloudinary.utils.api_sign_request({ timestamp, upload_preset: 'jetstream-issues', context }, apiSecret);
 
diff --git a/apps/api/src/app/routes/route.middleware.ts b/apps/api/src/app/routes/route.middleware.ts
@@ -6,12 +6,34 @@ import { ensureBoolean } from '@jetstream/shared/utils';
 import { ApplicationCookie } from '@jetstream/types';
 import { addDays, getUnixTime } from 'date-fns';
 import * as express from 'express';
+import { rateLimit } from 'express-rate-limit';
 import pino from 'pino';
 import { v4 as uuid } from 'uuid';
 import * as salesforceOrgsDb from '../db/salesforce-org.db';
 import { clerkClient, incomingMessageToClerkRequest } from '../services/auth.service';
 import { AuthenticationError, NotFoundError, UserFacingError } from '../utils/error-handler';
 
+export const rateLimitStandardMiddleware = rateLimit({
+  windowMs: 1 * 60 * 1000, // 1 minute
+  limit: 900, // limit each IP to 1000 requests per minute (15/RPS)
+  standardHeaders: true,
+  legacyHeaders: false,
+});
+
+export const rateLimitMediumMiddleware = rateLimit({
+  windowMs: 10 * 60 * 1000, // 10 minutes
+  limit: 1000, // limit each IP to 1000 requests per 10 minutes
+  standardHeaders: true,
+  legacyHeaders: false,
+});
+
+export const rateLimitStrictMiddleware = rateLimit({
+  windowMs: 60 * 60 * 1000, // 1 hour
+  limit: 100, // limit each IP to 100 requests per hour
+  standardHeaders: true,
+  legacyHeaders: false,
+});
+
 export function addContextMiddleware(req: express.Request, res: express.Response, next: express.NextFunction) {
   res.locals.requestId = res.locals.requestId || uuid();
   const clientReqId = req.header(HTTP.HEADERS.X_CLIENT_REQUEST_ID);
diff --git a/apps/api/src/main.ts b/apps/api/src/main.ts
@@ -17,6 +17,9 @@ import {
   addContextMiddleware,
   blockBotByUserAgentMiddleware,
   notFoundMiddleware,
+  rateLimitMediumMiddleware,
+  rateLimitStandardMiddleware,
+  rateLimitStrictMiddleware,
   setApplicationCookieMiddleware,
 } from './app/routes/route.middleware';
 import { blockBotHandler, healthCheck, uncaughtErrorHandler } from './app/utils/response.handlers';
@@ -235,11 +238,11 @@ if (ENV.NODE_ENV === 'production' && cluster.isPrimary) {
   app.use(json({ limit: '20mb', verify: rawBodySaver, type: ['json', 'application/csp-report'] }));
   app.use(urlencoded({ extended: true }));
 
-  app.use('/healthz', healthCheck);
-  app.use('/api', apiRoutes);
-  app.use('/static', staticAuthenticatedRoutes); // these are routes that return files or redirect (e.x. NOT JSON)
-  app.use('/oauth', oauthRoutes); // NOTE: there are also static files with same path
-  app.use('/webhook', webhookRoutes);
+  app.use('/healthz', rateLimitStandardMiddleware, healthCheck);
+  app.use('/api', rateLimitStandardMiddleware, apiRoutes);
+  app.use('/static', rateLimitMediumMiddleware, staticAuthenticatedRoutes); // these are routes that return files or redirect (e.x. NOT JSON)
+  app.use('/oauth', rateLimitStrictMiddleware, oauthRoutes); // NOTE: there are also static files with same path
+  app.use('/webhook', rateLimitMediumMiddleware, webhookRoutes);
 
   if (ENV.ENVIRONMENT !== 'production' || ENV.IS_CI) {
     app.use('/test', testRoutes);
diff --git a/package.json b/package.json
@@ -275,6 +275,7 @@
     "express": "^4.19.2",
     "express-http-proxy": "^1.6.2",
     "express-promise-router": "^4.1.1",
+    "express-rate-limit": "^7.4.0",
     "fast-xml-parser": "^4.4.0",
     "fastify": "^3.29.4",
     "file-saver": "^2.0.5",
diff --git a/yarn.lock b/yarn.lock
@@ -15448,6 +15448,11 @@ express-promise-router@^4.1.1:
     lodash.flattendeep "^4.0.0"
     methods "^1.0.0"
 
+express-rate-limit@^7.4.0:
+  version "7.4.0"
+  resolved "https://registry.yarnpkg.com/express-rate-limit/-/express-rate-limit-7.4.0.tgz#5db412b8de83fa07ddb40f610c585ac8c1dab988"
+  integrity sha512-v1204w3cXu5gCDmAvgvzI6qjzZzoMWKnyVDk3ACgfswTQLYiGen+r8w0VnXnGMmzEN/g8fwIQ4JrFFd4ZP6ssg==
+
 express@^4.17.3:
   version "4.18.1"
   resolved "https://registry.yarnpkg.com/express/-/express-4.18.1.tgz#7797de8b9c72c857b9cd0e14a5eea80666267caf"
