feat: ratelimits for a bunch of routes (small)

Author: diced

src/lib/ratelimits.ts

@@ -0,0 +1,3 @@
+export const secondlyRatelimit = (seconds: number) => ({
+  config: { rateLimit: { max: 1, timeWindow: `${seconds} seconds`, allowList: [] } },
+});

src/server/index.ts

@@ -109,7 +109,7 @@ async function main() {
         max: config.ratelimit.max,
         timeWindow: config.ratelimit.window ?? undefined,
         keyGenerator: (req) => {
-          return req.user?.id;
+          return `${req.user?.id ?? req.ip}-${req.url}-${req.method}`;
         },
         allowList: async (req, key) => {
           if (config.ratelimit.adminBypass && isAdministrator(req.user?.role)) return true;
@@ -118,6 +118,11 @@ async function main() {
 
           return false;
         },
+        onExceeded(req, key) {
+          logger
+            .c('ratelimit')
+            .warn(`rate limit exceeded for user ${req.user?.username ?? req.ip ?? 'unknown'}`, { key });
+        },
       });
     } catch (e) {
       if (process.env.DEBUG) console.error(e);

src/server/routes/api/auth/invites/index.ts

@@ -7,6 +7,7 @@ import { parseExpiry } from '@/lib/uploader/parseHeaders';
 import { administratorMiddleware } from '@/server/middleware/administrator';
 import { userMiddleware } from '@/server/middleware/user';
 import fastifyPlugin from 'fastify-plugin';
+import { secondlyRatelimit } from '@/lib/ratelimits';
 
 export type ApiAuthInvitesResponse = Invite | Invite[];
 
@@ -20,50 +21,47 @@ const logger = log('api').c('auth').c('invites');
 export const PATH = '/api/auth/invites';
 export default fastifyPlugin(
   (server, _, done) => {
-    server.route<{
-      Body: Body;
-    }>({
-      url: PATH,
-      method: ['GET', 'POST'],
-      preHandler: [userMiddleware, administratorMiddleware],
-      handler: async (req, res) => {
-        if (req.method === 'POST') {
-          const { expiresAt, maxUses } = req.body;
+    server.post<{ Body: Body }>(
+      PATH,
+      { preHandler: [userMiddleware, administratorMiddleware], ...secondlyRatelimit(1) },
+      async (req, res) => {
+        const { expiresAt, maxUses } = req.body;
 
-          if (!expiresAt) return res.badRequest('expiresAt is required');
-          let expires = null;
+        if (!expiresAt) return res.badRequest('expiresAt is required');
+        let expires = null;
 
-          if (expiresAt !== 'never') expires = parseExpiry(expiresAt);
+        if (expiresAt !== 'never') expires = parseExpiry(expiresAt);
 
-          const invite = await prisma.invite.create({
-            data: {
-              code: randomCharacters(config.invites.length),
-              expiresAt: expires,
-              maxUses: maxUses ?? null,
-              inviterId: req.user.id,
-            },
-            include: {
-              inviter: inviteInviterSelect,
-            },
-          });
-
-          logger.info(`${req.user.username} created an invite`, {
-            maxUses,
-            expiresAt,
-            code: invite.code,
-          });
-
-          return res.send(invite);
-        }
-
-        const invites = await prisma.invite.findMany({
+        const invite = await prisma.invite.create({
+          data: {
+            code: randomCharacters(config.invites.length),
+            expiresAt: expires,
+            maxUses: maxUses ?? null,
+            inviterId: req.user.id,
+          },
           include: {
             inviter: inviteInviterSelect,
           },
         });
 
-        return res.send(invites);
+        logger.info(`${req.user.username} created an invite`, {
+          maxUses,
+          expiresAt,
+          code: invite.code,
+        });
+
+        return res.send(invite);
       },
+    );
+
+    server.get(PATH, { preHandler: [userMiddleware, administratorMiddleware] }, async (req, res) => {
+      const invites = await prisma.invite.findMany({
+        include: {
+          inviter: inviteInviterSelect,
+        },
+      });
+
+      return res.send(invites);
     });
 
     done();

src/server/routes/api/auth/login.ts

@@ -22,77 +22,71 @@ const logger = log('api').c('auth').c('login');
 export const PATH = '/api/auth/login';
 export default fastifyPlugin(
   (server, _, done) => {
-    server.route<{
-      Body: Body;
-    }>({
-      url: PATH,
-      method: ['POST'],
-      handler: async (req, res) => {
-        const session = await getSession(req, res);
+    server.post<{ Body: Body }>(PATH, async (req, res) => {
+      const session = await getSession(req, res);
 
-        session.id = null;
-        session.sessionId = null;
+      session.id = null;
+      session.sessionId = null;
 
-        const { username, password, code } = req.body;
+      const { username, password, code } = req.body;
 
-        if (!username) return res.badRequest('Username is required');
-        if (!password) return res.badRequest('Password is required');
+      if (!username) return res.badRequest('Username is required');
+      if (!password) return res.badRequest('Password is required');
 
-        const user = await prisma.user.findUnique({
-          where: {
-            username,
-          },
-          select: {
-            ...userSelect,
-            password: true,
-            token: true,
-          },
+      const user = await prisma.user.findUnique({
+        where: {
+          username,
+        },
+        select: {
+          ...userSelect,
+          password: true,
+          token: true,
+        },
+      });
+      if (!user) return res.badRequest('Invalid username');
+
+      if (!user.password) return res.badRequest('User does not have a password, login through a provider');
+      const valid = await verifyPassword(password, user.password);
+      if (!valid) {
+        logger.warn('invalid login attempt', {
+          username,
+          ip: req.ip ?? 'unknown',
+          ua: req.headers['user-agent'],
         });
-        if (!user) return res.badRequest('Invalid username');
+        return res.badRequest('Invalid password');
+      }
 
-        if (!user.password) return res.badRequest('User does not have a password, login through a provider');
-        const valid = await verifyPassword(password, user.password);
+      if (user.totpSecret && code) {
+        const valid = verifyTotpCode(code, user.totpSecret);
         if (!valid) {
-          logger.warn('invalid login attempt', {
+          logger.warn('invalid totp code', {
             username,
             ip: req.ip ?? 'unknown',
             ua: req.headers['user-agent'],
           });
-          return res.badRequest('Invalid password');
-        }
 
-        if (user.totpSecret && code) {
-          const valid = verifyTotpCode(code, user.totpSecret);
-          if (!valid) {
-            logger.warn('invalid totp code', {
-              username,
-              ip: req.ip ?? 'unknown',
-              ua: req.headers['user-agent'],
-            });
-
-            return res.badRequest('Invalid code');
-          }
+          return res.badRequest('Invalid code');
         }
+      }
 
-        if (user.totpSecret && !code)
-          return res.send({
-            totp: true,
-          });
+      if (user.totpSecret && !code)
+        return res.send({
+          totp: true,
+        });
 
-        await saveSession(session, user, false);
+      await saveSession(session, user, false);
 
-        delete (user as any).password;
+      delete (user as any).password;
 
-        logger.info('user logged in successfully', {
-          username,
-          ip: req.ip ?? 'unknown',
-          ua: req.headers['user-agent'],
-        });
+      logger.info('user logged in successfully', {
+        username,
+        ip: req.ip ?? 'unknown',
+        ua: req.headers['user-agent'],
+      });
 
-        return res.send({
-          user,
-        });
-      },
+      return res.send({
+        user,
+      });
     });
 
     done();

src/server/routes/api/auth/register.ts

@@ -2,10 +2,11 @@ import { config } from '@/lib/config';
 import { createToken, hashPassword } from '@/lib/crypto';
 import { prisma } from '@/lib/db';
 import { User, userSelect } from '@/lib/db/models/user';
+import { log } from '@/lib/logger';
+import { secondlyRatelimit } from '@/lib/ratelimits';
 import { getSession, saveSession } from '@/server/session';
 import fastifyPlugin from 'fastify-plugin';
 import { ApiLoginResponse } from './login';
-import { log } from '@/lib/logger';
 
 export type ApiAuthRegisterResponse = ApiLoginResponse;
 
@@ -20,85 +21,78 @@ const logger = log('api').c('auth').c('register');
 export const PATH = '/api/auth/register';
 export default fastifyPlugin(
   (server, _, done) => {
-    server.route<{
-      Body: Body;
-    }>({
-      url: PATH,
-      method: ['POST'],
-      handler: async (req, res) => {
-        const session = await getSession(req, res);
+    server.post<{ Body: Body }>(PATH, { ...secondlyRatelimit(5) }, async (req, res) => {
+      const session = await getSession(req, res);
 
-        const { username, password, code } = req.body;
+      const { username, password, code } = req.body;
 
-        if (code && !config.invites.enabled) return res.badRequest("Invites aren't enabled");
-        if (!code && !config.features.userRegistration)
-          return res.badRequest('User registration is disabled');
+      if (code && !config.invites.enabled) return res.badRequest("Invites aren't enabled");
+      if (!code && !config.features.userRegistration) return res.badRequest('User registration is disabled');
 
-        if (!username) return res.badRequest('Username is required');
-        if (!password) return res.badRequest('Password is required');
+      if (!username) return res.badRequest('Username is required');
+      if (!password) return res.badRequest('Password is required');
+
+      const oUser = await prisma.user.findUnique({
+        where: {
+          username,
+        },
+      });
+      if (oUser) return res.badRequest('Username is taken');
 
-        const oUser = await prisma.user.findUnique({
+      if (code) {
+        const invite = await prisma.invite.findFirst({
           where: {
-            username,
+            OR: [{ id: code }, { code }],
           },
         });
-        if (oUser) return res.badRequest('Username is taken');
-
-        if (code) {
-          const invite = await prisma.invite.findFirst({
-            where: {
-              OR: [{ id: code }, { code }],
-            },
-          });
-
-          if (!invite) return res.badRequest('Invalid invite code');
-          if (invite.expiresAt && new Date(invite.expiresAt) < new Date())
-            return res.badRequest('Invalid invite code');
-          if (invite.maxUses && invite.uses >= invite.maxUses) return res.badRequest('Invalid invite code');
-
-          await prisma.invite.update({
-            where: {
-              id: invite.id,
-            },
-            data: {
-              uses: invite.uses + 1,
-            },
-          });
-
-          logger.info('invite used', {
-            user: username,
-            invite: invite.id,
-          });
-        }
-
-        const user = await prisma.user.create({
-          data: {
-            username,
-            password: await hashPassword(password),
-            role: 'USER',
-            token: createToken(),
+
+        if (!invite) return res.badRequest('Invalid invite code');
+        if (invite.expiresAt && new Date(invite.expiresAt) < new Date())
+          return res.badRequest('Invalid invite code');
+        if (invite.maxUses && invite.uses >= invite.maxUses) return res.badRequest('Invalid invite code');
+
+        await prisma.invite.update({
+          where: {
+            id: invite.id,
           },
-          select: {
-            ...userSelect,
-            password: true,
-            token: true,
+          data: {
+            uses: invite.uses + 1,
           },
         });
 
-        await saveSession(session, <User>user);
-
-        delete (user as any).password;
-
-        logger.info('user registered successfully', {
-          username,
-          ip: req.ip ?? 'unknown',
-          ua: req.headers['user-agent'],
+        logger.info('invite used', {
+          user: username,
+          invite: invite.id,
         });
+      }
 
-        return res.send({
-          user,
-        });
-      },
+      const user = await prisma.user.create({
+        data: {
+          username,
+          password: await hashPassword(password),
+          role: 'USER',
+          token: createToken(),
+        },
+        select: {
+          ...userSelect,
+          password: true,
+          token: true,
+        },
+      });
+
+      await saveSession(session, <User>user);
+
+      delete (user as any).password;
+
+      logger.info('user registered successfully', {
+        username,
+        ip: req.ip ?? 'unknown',
+        ua: req.headers['user-agent'],
+      });
+
+      return res.send({
+        user,
+      });
     });
 
     done();