add rate limits to routes

Signed-off-by: Jason Sherman <[email protected]>
usingtechnology · Aug 15, 2024 · df6ba31 · df6ba31
1 parent 6691938
commit df6ba31
Show file tree

Hide file tree

Showing 2 changed files with 14 additions and 10 deletions.
diff --git a/app/src/forms/form/encryptionKey/routes.js b/app/src/forms/form/encryptionKey/routes.js
@@ -2,6 +2,8 @@ const routes = require('express').Router();
 const { currentUser, hasFormPermissions } = require('../../auth/middleware/userAccess');
 const validateParameter = require('../../common/middleware/validateParameter');
 const { featureFlags } = require('../../../components/featureFlags');
+const apiAccess = require('../auth/middleware/apiAccess');
+const rateLimiter = require('../common/middleware').apiKeyRateLimiter;
 const P = require('../../common/constants').Permissions;
 
 const controller = require('./controller');
@@ -12,27 +14,27 @@ routes.use(currentUser);
 routes.param('formId', validateParameter.validateFormId);
 routes.param('formEncryptionKeyId', validateParameter.validateFormEncryptionKeyId);
 
-routes.get('/encryptionKey/algorithms', async (req, res, next) => {
+routes.get('/encryptionKey/algorithms', rateLimiter, apiAccess, async (req, res, next) => {
   await controller.listEncryptionAlgorithms(req, res, next);
 });
 
-routes.get('/:formId/encryptionKey', hasFormPermissions([P.FORM_READ, P.FORM_UPDATE]), async (req, res, next) => {
+routes.get('/:formId/encryptionKey', rateLimiter, apiAccess, hasFormPermissions([P.FORM_READ, P.FORM_UPDATE]), async (req, res, next) => {
   await controller.listEncryptionKeys(req, res, next);
 });
 
-routes.post('/:formId/encryptionKey', hasFormPermissions([P.FORM_READ, P.FORM_UPDATE]), async (req, res, next) => {
+routes.post('/:formId/encryptionKey', rateLimiter, apiAccess, hasFormPermissions([P.FORM_READ, P.FORM_UPDATE]), async (req, res, next) => {
   await controller.createEncryptionKey(req, res, next);
 });
 
-routes.get('/:formId/encryptionKey/:formEncryptionKeyId', hasFormPermissions([P.FORM_READ, P.FORM_UPDATE]), async (req, res, next) => {
+routes.get('/:formId/encryptionKey/:formEncryptionKeyId', rateLimiter, apiAccess, hasFormPermissions([P.FORM_READ, P.FORM_UPDATE]), async (req, res, next) => {
   await controller.readEncryptionKey(req, res, next);
 });
 
-routes.put('/:formId/encryptionKey/:formEncryptionKeyId', hasFormPermissions([P.FORM_READ, P.FORM_UPDATE]), async (req, res, next) => {
+routes.put('/:formId/encryptionKey/:formEncryptionKeyId', rateLimiter, apiAccess, hasFormPermissions([P.FORM_READ, P.FORM_UPDATE]), async (req, res, next) => {
   await controller.updateEncryptionKey(req, res, next);
 });
 
-routes.delete('/:formId/encryptionKey/:formEncryptionKeyId', hasFormPermissions([P.FORM_READ, P.FORM_UPDATE]), async (req, res, next) => {
+routes.delete('/:formId/encryptionKey/:formEncryptionKeyId', rateLimiter, apiAccess, hasFormPermissions([P.FORM_READ, P.FORM_UPDATE]), async (req, res, next) => {
   await controller.deleteEncryptionKey(req, res, next);
 });
 

diff --git a/app/src/forms/form/eventStreamConfig/routes.js b/app/src/forms/form/eventStreamConfig/routes.js
@@ -2,6 +2,8 @@ const routes = require('express').Router();
 const { currentUser, hasFormPermissions } = require('../../auth/middleware/userAccess');
 const validateParameter = require('../../common/middleware/validateParameter');
 const { featureFlags } = require('../../../components/featureFlags');
+const apiAccess = require('../auth/middleware/apiAccess');
+const rateLimiter = require('../common/middleware').apiKeyRateLimiter;
 const P = require('../../common/constants').Permissions;
 
 const controller = require('./controller');
@@ -11,19 +13,19 @@ routes.use(currentUser);
 
 routes.param('formId', validateParameter.validateFormId);
 
-routes.get('/:formId/eventStreamConfig', hasFormPermissions([P.FORM_READ, P.FORM_UPDATE]), async (req, res, next) => {
+routes.get('/:formId/eventStreamConfig', rateLimiter, apiAccess, hasFormPermissions([P.FORM_READ, P.FORM_UPDATE]), async (req, res, next) => {
   await controller.readEventStreamConfig(req, res, next);
 });
 
-routes.post('/:formId/eventStreamConfig', hasFormPermissions([P.FORM_READ, P.FORM_UPDATE]), async (req, res, next) => {
+routes.post('/:formId/eventStreamConfig', rateLimiter, apiAccess, hasFormPermissions([P.FORM_READ, P.FORM_UPDATE]), async (req, res, next) => {
   await controller.createEventStreamConfig(req, res, next);
 });
 
-routes.put('/:formId/eventStreamConfig', hasFormPermissions([P.FORM_READ, P.FORM_UPDATE]), async (req, res, next) => {
+routes.put('/:formId/eventStreamConfig', rateLimiter, apiAccess, hasFormPermissions([P.FORM_READ, P.FORM_UPDATE]), async (req, res, next) => {
   await controller.updateEventStreamConfig(req, res, next);
 });
 
-routes.delete('/:formId/eventStreamConfig', hasFormPermissions([P.FORM_READ, P.FORM_UPDATE]), async (req, res, next) => {
+routes.delete('/:formId/eventStreamConfig', rateLimiter, apiAccess, hasFormPermissions([P.FORM_READ, P.FORM_UPDATE]), async (req, res, next) => {
   await controller.deleteEventStreamConfig(req, res, next);
 });