From dee421d3c8844aacb1b6706596fe2343184a867f Mon Sep 17 00:00:00 2001
From: Hongbo Wu
Date: Wed, 24 Jul 2024 16:24:49 +0800
Subject: [PATCH] add hour rate limiter middleware to the api router and allows max 600 requests per hour

---
 packages/api/src/server.ts | 4 ++--
 packages/api/src/utils/rate_limit.ts | 22 +++++++++++++++++++++-
 2 files changed, 23 insertions(+), 3 deletions(-)

diff --git a/packages/api/src/server.ts b/packages/api/src/server.ts
index 37df57fcc..d44c80e32 100755
--- a/packages/api/src/server.ts
+++ b/packages/api/src/server.ts
@@ -46,7 +46,7 @@ import { analytics } from './utils/analytics'
 import { corsConfig } from './utils/corsConfig'
 import { getClientFromUserAgent } from './utils/helpers'
 import { buildLogger, buildLoggerTransport, logger } from './utils/logger'
-import { apiLimiter, authLimiter } from './utils/rate_limit'
+import { apiHourLimiter, apiLimiter, authLimiter } from './utils/rate_limit'
 import { shortcutsRouter } from './routers/shortcuts_router'
 
 const PORT = process.env.PORT || 4000
@@ -68,7 +68,7 @@ export const createApp = (): Express => {
   app.set('trust proxy', env.server.trustProxy)
 
   // Apply the rate limiting middleware to API calls only
-  app.use('/api/', apiLimiter)
+  app.use('/api/', apiLimiter, apiHourLimiter)
 
   // set client info in the request context
   app.use(httpContext.middleware)
diff --git a/packages/api/src/utils/rate_limit.ts b/packages/api/src/utils/rate_limit.ts
index 4f6e8c11f..27675dc6e 100644
--- a/packages/api/src/utils/rate_limit.ts
+++ b/packages/api/src/utils/rate_limit.ts
@@ -27,7 +27,7 @@ const configs: Partial = {
 export const apiLimiter = rateLimit({
   ...configs,
   max: async (req) => {
-    // 100 RPM for an authenticated request, 15 for a non-authenticated request
+    // 60 RPM for authenticated request, 15 for non-authenticated request
     const token = getTokenByRequest(req)
     try {
       const claims = await getClaimsByToken(token)
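Review bot: Chaining `apiLimiter, apiHourLimiter` on the `app.use('/api/', …)` line means every request now runs both limiters' async `max` callbacks, and each of them calls `getClaimsByToken` on the same token, so the token is verified twice per request before any handler is reached; if that verification is cryptographic or hits a store, the cost on the hot path doubles, and caching the resolved tier on the request once would avoid it. It also appears, given how rate-limit middleware short-circuits instead of calling next(), that a request rejected by the per-minute limiter is never counted against the hourly budget, which is reasonable but not obvious from the comment above. Suggest extending that comment to `// Per-minute limiter runs first; only requests it admits are counted toward the hourly budget`. The body of createApp continues outside the hunk.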
@@ -43,6 +43,26 @@ export const apiLimiter = rateLimit({
   store: getStore('api-rate-limit'),
 })
 
+export const apiHourLimiter = rateLimit({
+  ...configs,
+  windowMs: 60 * 60 * 1000, // 1 hour
+  max: async (req) => {
+    // 600 for authenticated request, 150 for non-authenticated request
+    const token = getTokenByRequest(req)
+    try {
+      const claims = await getClaimsByToken(token)
+      return claims ? 600 : 150
+    } catch (e) {
+      console.log('non-authenticated request')
+      return 150
+    }
+  },
+  keyGenerator: (req) => {
+    return getTokenByRequest(req) || req.ip
+  },
+  store: getStore('api-hour-rate-limit'),
+})
+
 // 5 RPM for auth requests
 export const authLimiter = rateLimit({
   ...configs,
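Review bot: The new `keyGenerator` in `apiHourLimiter` uses the raw bearer token returned by `getTokenByRequest` as the store key, so a live credential (or any arbitrary-length string a client sends in its place) is written verbatim into whatever backend `getStore('api-hour-rate-limit')` sits on; keying on a digest keeps secrets out of the store and bounds key size, e.g. `const token = getTokenByRequest(req)` then `return token ? createHash('sha256').update(token).digest('hex') : req.ip`, with `import { createHash } from 'node:crypto'` at the top of the file. The `catch (e)` branch discards `e` and emits `console.log('non-authenticated request')` for every anonymous call, so a genuine verification failure (expired or tampered token, verifier outage) is indistinguishable from a missing token and the line fires at request volume; log only when a token was actually present, at debug level, and include the error. The `max` and `keyGenerator` bodies duplicate `apiLimiter` except for the 600/150 constants, so a shared helper that takes the authenticated and anonymous limits would keep the two tiers from drifting. Whether `getStore` is backed by a shared service is not visible here; if it is, the raw-token key is also exposed in that service's keyspace and tooling.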