implement rate limiting on specific routes

Author: devksingh4

src/api/index.ts

@@ -1,6 +1,6 @@
 /* eslint import/no-nodejs-modules: ["error", {"allow": ["crypto"]}] */
 import { randomUUID } from "crypto";
-import fastify, { FastifyInstance } from "fastify";
+import fastify, { FastifyInstance, FastifyRequest } from "fastify";
 import FastifyAuthProvider from "@fastify/auth";
 import fastifyAuthPlugin from "./plugins/auth.js";
 import protectedRoute from "./routes/protected.js";
@@ -72,10 +72,6 @@ async function init() {
   await app.register(fastifyZodValidationPlugin);
   await app.register(FastifyAuthProvider);
   await app.register(errorHandlerPlugin);
-  await app.register(rateLimiterPlugin, {
-    limit: 50,
-    duration: 20,
-  });
   if (!process.env.RunEnvironment) {
     process.env.RunEnvironment = "dev";
   }

src/api/plugins/rateLimiter.ts

@@ -8,8 +8,9 @@ import { genericConfig } from "common/config.js";
 import { FastifyPluginAsync, FastifyRequest, FastifyReply } from "fastify";
 
 interface RateLimiterOptions {
-  limit?: number;
+  limit?: number | ((request: FastifyRequest) => number);
   duration?: number;
+  rateLimitIdentifier?: string;
 }
 
 interface RateLimitParams {
@@ -76,26 +77,32 @@ const rateLimiterPlugin: FastifyPluginAsync<RateLimiterOptions> = async (
   fastify,
   options,
 ) => {
-  const { limit = 10, duration = 60 } = options;
-
+  const {
+    limit = 10,
+    duration = 60,
+    rateLimitIdentifier = "api-request",
+  } = options;
   fastify.addHook(
-    "onRequest",
+    "preHandler",
     async (request: FastifyRequest, reply: FastifyReply) => {
       const userIdentifier = request.ip;
-      const rateLimitIdentifier = "api-request";
-
+      console.log(request.username);
+      let computedLimit = limit;
+      if (typeof computedLimit === "function") {
+        computedLimit = computedLimit(request);
+      }
       const { limited, resetTime, used } = await isAtLimit({
         ddbClient: fastify.dynamoClient,
         rateLimitIdentifier,
         duration,
-        limit,
+        limit: computedLimit,
         userIdentifier,
       });
-      reply.header("X-RateLimit-Limit", limit.toString());
+      reply.header("X-RateLimit-Limit", computedLimit.toString());
       reply.header("X-RateLimit-Reset", resetTime?.toString() || "0");
       reply.header(
         "X-RateLimit-Remaining",
-        limited ? 0 : used ? limit - used : limit - 1,
+        limited ? 0 : used ? computedLimit - used : computedLimit - 1,
       );
       if (limited) {
         const retryAfter = resetTime

src/api/routes/events.ts

@@ -23,6 +23,7 @@ import {
 import { randomUUID } from "crypto";
 import moment from "moment-timezone";
 import { IUpdateDiscord, updateDiscord } from "../functions/discord.js";
+import rateLimiter from "api/plugins/rateLimiter.js";
 
 // POST
 
@@ -88,6 +89,16 @@ type EventsGetQueryParams = {
 };
 
 const eventsPlugin: FastifyPluginAsync = async (fastify, _options) => {
+  fastify.register(rateLimiter, {
+    limit: (request) => {
+      if (request.method === "GET") {
+        return 30;
+      }
+      return 15;
+    },
+    duration: 60,
+    rateLimitIdentifier: "events",
+  });
   fastify.post<{ Body: EventPostRequest }>(
     "/:id?",
     {

src/api/routes/ics.ts

@@ -16,6 +16,7 @@ import moment from "moment";
 import { getVtimezoneComponent } from "@touch4it/ical-timezones";
 import { OrganizationList } from "../../common/orgs.js";
 import { EventRepeatOptions } from "./events.js";
+import rateLimiter from "api/plugins/rateLimiter.js";
 
 const repeatingIcalMap: Record<EventRepeatOptions, ICalEventJSONRepeatingData> =
   {
@@ -34,6 +35,11 @@ function generateHostName(host: string) {
 }
 
 const icalPlugin: FastifyPluginAsync = async (fastify, _options) => {
+  fastify.register(rateLimiter, {
+    limit: 10,
+    duration: 30,
+    rateLimitIdentifier: "ical",
+  });
   fastify.get("/:host?", async (request, reply) => {
     const host = (request.params as Record<string, string>).host;
     let queryParams: QueryCommandInput = {

src/api/routes/membership.ts

@@ -11,11 +11,17 @@ import { genericConfig, roleArns } from "common/config.js";
 import { getRoleCredentials } from "api/functions/sts.js";
 import { SecretsManagerClient } from "@aws-sdk/client-secrets-manager";
 import { DynamoDBClient } from "@aws-sdk/client-dynamodb";
+import rateLimiter from "api/plugins/rateLimiter.js";
 
 const NONMEMBER_CACHE_SECONDS = 1800; // 30 minutes
 const MEMBER_CACHE_SECONDS = 43200; // 12 hours
 
 const membershipPlugin: FastifyPluginAsync = async (fastify, _options) => {
+  fastify.register(rateLimiter, {
+    limit: 20,
+    duration: 30,
+    rateLimitIdentifier: "membership",
+  });
   const getAuthorizedClients = async () => {
     if (roleArns.Entra) {
       fastify.log.info(

src/api/routes/mobileWallet.ts

@@ -13,6 +13,7 @@ import {
 import { SendMessageCommand, SQSClient } from "@aws-sdk/client-sqs";
 import { genericConfig } from "../../common/config.js";
 import { zodToJsonSchema } from "zod-to-json-schema";
+import rateLimiter from "api/plugins/rateLimiter.js";
 
 const queuedResponseJsonSchema = zodToJsonSchema(
   z.object({
@@ -21,6 +22,11 @@ const queuedResponseJsonSchema = zodToJsonSchema(
 );
 
 const mobileWalletRoute: FastifyPluginAsync = async (fastify, _options) => {
+  fastify.register(rateLimiter, {
+    limit: 5,
+    duration: 30,
+    rateLimitIdentifier: "mobileWallet",
+  });
   fastify.post<{ Querystring: { email: string } }>(
     "/membership",
     {

src/api/routes/organizations.ts

@@ -1,13 +1,19 @@
 import { FastifyPluginAsync } from "fastify";
 import { OrganizationList } from "../../common/orgs.js";
 import fastifyCaching from "@fastify/caching";
+import rateLimiter from "api/plugins/rateLimiter.js";
 
 const organizationsPlugin: FastifyPluginAsync = async (fastify, _options) => {
   fastify.register(fastifyCaching, {
     privacy: fastifyCaching.privacy.PUBLIC,
     serverExpiresIn: 60 * 60 * 4,
     expiresIn: 60 * 60 * 4,
   });
+  fastify.register(rateLimiter, {
+    limit: 60,
+    duration: 60,
+    rateLimitIdentifier: "organizations",
+  });
   fastify.get("/", {}, async (request, reply) => {
     reply.send(OrganizationList);
   });