modules/site: add rate limiting for redirect DB lookups

aster-void · claude · aster-void · commit a2a663924c27 · 2025-12-24T00:51:12.000+09:00
Prevent DoS attacks on legacy URL redirect DB lookups: - Global 1 request per second limit - Returns 429 Too Many Requests when exceeded 🤖 Generated with [Claude Code](https://claude.com/claude-code) Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
diff --git a/src/hooks.server.ts b/src/hooks.server.ts
@@ -1,5 +1,5 @@
 import type { Handle } from "@sveltejs/kit";
-import { redirect } from "@sveltejs/kit";
+import { error, redirect } from "@sveltejs/kit";
 import { sequence } from "@sveltejs/kit/hooks";
 import { svelteKitHandler } from "better-auth/svelte-kit";
 import { like } from "drizzle-orm";
@@ -12,6 +12,9 @@ const handleAuth: Handle = async ({ event, resolve }) => {
   return await svelteKitHandler({ event, resolve, auth, building });
 };
 
+// Global rate limiter for DB lookup redirects (1 request per second)
+let lastDbLookup = 0;
+
 const handleRedirect: Handle = async ({ event, resolve }) => {
   const path = event.url.pathname;
 
@@ -33,6 +36,14 @@ const handleRedirect: Handle = async ({ event, resolve }) => {
     if (/^\d{4}-\d{2}-\d{2}-/.test(oldSlug)) {
       return resolve(event);
     }
+
+    // Global rate limit: 1 DB lookup per second
+    const now = Date.now();
+    if (now - lastDbLookup < 1000) {
+      error(429, "Too many requests");
+    }
+    lastDbLookup = now;
+
     // DB lookup: find article where slug ends with the old slug pattern
     const found = await db
       .select({ slug: article.slug })
