From 7a2cc85002df309a6ae74be01e84185822933eec Mon Sep 17 00:00:00 2001
From: Kenneth Chew <79120643+kthchew@users.noreply.github.com>
Date: Fri, 2 Feb 2024 20:52:38 -0500
Subject: [PATCH] Add rate limiting to auth-related endpoints
---
 Backend/package-lock.json | 15 +++++++++++++++
 Backend/package.json | 1 +
 Backend/server.js | 10 ++++++++--
 3 files changed, 24 insertions(+), 2 deletions(-)
diff --git a/Backend/package-lock.json b/Backend/package-lock.json
index 8bb0e29..3a30d12 100644
--- a/Backend/package-lock.json
+++ b/Backend/package-lock.json
@@ -12,6 +12,7 @@
 "cors": "^2.8.5",
 "dotenv": "^16.4.1",
 "express": "^4.18.2",
+ "express-rate-limit": "^7.1.5",
 "mongodb": "^6.3.0"
 },
 "devDependencies": {
@@ -828,6 +829,20 @@
 "node": ">= 0.10.0"
 }
 },
+ "node_modules/express-rate-limit": {
+ "version": "7.1.5",
+ "resolved": "https://registry.npmjs.org/express-rate-limit/-/express-rate-limit-7.1.5.tgz",
+ "integrity": "sha512-/iVogxu7ueadrepw1bS0X0kaRC/U0afwiYRSLg68Ts+p4Dc85Q5QKsOnPS/QUjPMHvOJQtBDrZgvkOzf8ejUYw==",
+ "engines": {
+ "node": ">= 16"
+ },
+ "funding": {
+ "url": "https://github.com/sponsors/express-rate-limit"
+ },
+ "peerDependencies": {
+ "express": "4 || 5 || ^5.0.0-beta.1"
+ }
+ },
 "node_modules/fast-deep-equal": {
 "version": "3.1.3",
 "resolved": "https://registry.npmjs.org/fast-deep-equal/-/fast-deep-equal-3.1.3.tgz",
diff --git a/Backend/package.json b/Backend/package.json
index f6fa406..6bdb7ea 100644
--- a/Backend/package.json
+++ b/Backend/package.json
@@ -12,6 +12,7 @@
 "cors": "^2.8.5",
 "dotenv": "^16.4.1",
 "express": "^4.18.2",
+ "express-rate-limit": "^7.1.5",
 "mongodb": "^6.3.0"
 },
 "devDependencies": {
diff --git a/Backend/server.js b/Backend/server.js
index a8d12c7..642881c 100644
--- a/Backend/server.js
+++ b/Backend/server.js
@@ -3,6 +3,12 @@ const cors = require('cors');
 const axios = require('axios');
 const {connectToServer, getDb} = require('./db/conn.js')
+const RateLimit = require('express-rate-limit');
+const limiter = RateLimit({
+ windowMs: 15 * 60 * 1000,
+ max: 100,
+});
+
 const app = express();
 app.use(cors());
@@ -114,7 +120,7 @@ app.get('/getSubmission', async (req, res) => {
 })
-app.get('/logout', async (req, res) => {
+app.get('/logout', limiter, async (req, res) => {
 const user_id = req.query.user_id;
 let db = getDb();
@@ -123,7 +129,7 @@ app.get('/logout', async (req, res) => {
 res.status(200).json({ message: "Logged out!" });
 })
-app.get('/login', async (req, res) => {
+app.get('/login', limiter, async (req, res) => {
 const user_id = req.query.user_id;
 let db = getDb();
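Review bot: The new limiter keys on the client IP, so if this server sits behind a reverse proxy or load balancer every request arrives from the proxy's address and all clients share one 100-request bucket; express-rate-limit v7 also logs a validation error (ERR_ERL_UNEXPECTED_X_FORWARDED_FOR, if I recall the code correctly) when it sees an X-Forwarded-For header without `trust proxy` configured, and nothing in this hunk sets it, so unless it is set elsewhere in server.js I'd add `app.set('trust proxy', 1);` (with the hop count matching the deployment) right after `const app = express();`. Smaller points: v7 documents the count option as `limit` with `max` kept as a deprecated alias, and `RateLimit` is a factory function rather than a class, so `const { rateLimit } = require('express-rate-limit');` with `const limiter = rateLimit({ windowMs: 15 * 60 * 1000, limit: 100 });` is the shape the library's own docs use. A why-comment on the options object would help the next reader, e.g. `// Per-client-IP cap for the auth routes; tune once production traffic is known.`.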
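Review bot: `/logout` and `/login` are given the same `limiter` instance, and express-rate-limit keeps its counters per instance (default in-memory store), so the two routes share one 100-requests-per-15-minutes bucket per client IP rather than each having its own; the `/login` hunk below has the same shape. If that sharing is intended, say so in a comment; otherwise build a separate `rateLimit({...})` for `/login`, which is the route a brute-force limit is really for, and consider a tighter limit there than on `/logout`. The throttled response is also the library's default plain-text 429 (`Too many requests, please try again later.`) while these handlers answer in JSON, e.g. `res.status(200).json({ message: "Logged out!" })` in the next hunk, so passing `message: { message: 'Too many requests, please try again later.' }` in the limiter options keeps the API's JSON contract for clients. Both handler bodies continue past the end of their hunks, so what `/login` actually verifies beyond the `user_id` query parameter can't be judged here.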