rate limit

nichtsam · Dec 3, 2024 · 20b1eb2 · 20b1eb2
1 parent ece6756
commit 20b1eb2
Show file tree

Hide file tree

Showing 3 changed files with 44 additions and 0 deletions.
diff --git a/package.json b/package.json
@@ -66,6 +66,7 @@
     "drizzle-orm": "0.36.3",
     "drizzle-zod": "0.5.1",
     "express": "4.21.1",
+    "express-rate-limit": "7.4.1",
     "get-port": "7.1.0",
     "gray-matter": "4.0.3",
     "helmet": "8.0.0",

diff --git a/pnpm-lock.yaml b/pnpm-lock.yaml
diff --git a/server.js b/server.js
@@ -5,6 +5,7 @@ import chalk from 'chalk'
 import closeWithGrace from 'close-with-grace'
 import compression from 'compression'
 import express from 'express'
+import { rateLimit } from 'express-rate-limit'
 import getPort, { portNumbers } from 'get-port'
 import helmet from 'helmet'
 import morgan from 'morgan'
@@ -56,6 +57,35 @@ app.use(
 	}),
 )
 
+const rateLimitConfig = {
+	skip: () => MODE !== 'production',
+	windowMs: 60 * 1000,
+	max: 1000,
+	standardHeaders: true,
+	legacyHeaders: false,
+	keyGenerator: (req) => {
+		return req.get('fly-client-ip') ?? `${req.ip}`
+	},
+}
+
+const strongestRateLimit = rateLimit({ ...rateLimitConfig, max: 10 })
+const strongRateLimit = rateLimit({ ...rateLimitConfig, max: 100 })
+const generalRateLimit = rateLimit(rateLimitConfig)
+
+app.use((req, res, next) => {
+	const criticalActions = ['/auth', '/onboarding']
+
+	if (req.method !== 'GET' && req.method !== 'HEAD') {
+		if (criticalActions.some((p) => req.path.startsWith(p))) {
+			return strongestRateLimit(req, res, next)
+		}
+
+		return strongRateLimit(req, res, next)
+	}
+
+	return generalRateLimit(req, res, next)
+})
+
 app.use((_, res, next) => {
 	res.locals.cspNonce = crypto.randomBytes(16).toString('hex')
 	next()