Add per-route limits to the rate limiter

Author: davidmz

app/routes.js

@@ -53,13 +53,7 @@ export function createRouter() {
   // unauthenticated routes
   PasswordsRoute(publicRouter);
 
-  // Fix for ctx._matchedRoute
-  // koa-router puts most generic instead of most specific route to the ctx._matchedRoute
-  // See https://github.com/ZijianHe/koa-router/issues/246
-  publicRouter.use((ctx, next) => {
-    ctx.state.matchedRoute = ctx.matched.find((layer) => layer.methods.includes(ctx.method)).path;
-    return next();
-  });
+  publicRouter.use(fixMatchedRouteMiddleware);
 
   // [at least optionally] authenticated routes
   publicRouter.use(withJWT);
@@ -100,6 +94,7 @@ export function createRouter() {
 
   {
     const adminRouter = new Router();
+    adminRouter.use(fixMatchedRouteMiddleware);
     adminRouter.use(withJWT);
     adminRouter.use(rateLimiterMiddleware);
     adminRouter.use(withAuthToken);
@@ -112,3 +107,11 @@ export function createRouter() {
 
   return router;
 }
+
+// Fix for ctx._matchedRoute
+// koa-router puts most generic instead of most specific route to the ctx._matchedRoute
+// See https://github.com/ZijianHe/koa-router/issues/246
+function fixMatchedRouteMiddleware(ctx, next) {
+  ctx.state.matchedRoute = ctx.matched.find((layer) => layer.methods.includes(ctx.method)).path;
+  return next();
+}

app/support/rateLimiter.ts

@@ -69,6 +69,7 @@ export async function rateLimiterMiddleware(ctx: Context, next: Next) {
   const authTokenType = ctx.state.authJWTPayload?.type || 'anonymous';
   const requestId = ctx.state.id;
   const requestMethod = ctx.request.method;
+  const matchedAPIRoute = ctx.state.matchedRoute.replace(/^\/v[^/]+/, '/vN');
   const rateLimitConfig = ctx.config.rateLimit;
 
   let realClientId, maskedClientId, rateLimiterConfigByAuthType;
@@ -107,8 +108,11 @@ export async function rateLimiterMiddleware(ctx: Context, next: Next) {
 
       throw new TooManyRequestsException('Slow down');
     } else {
+      const route = `${requestMethod === 'HEAD' ? 'GET' : requestMethod} ${matchedAPIRoute}`;
+
       const { duration, maxRequests } = rateLimiterConfigByAuthType;
-      const maxRequestsForMethod = maxRequests[requestMethod] || maxRequests.all;
+      const maxRequestsForMethod =
+        maxRequests[route] ?? maxRequests[requestMethod] ?? maxRequests.all;
       const clientIdWithMethod = `${realClientId}${requestMethod}`;
 
       const limit = await rateLimiter.get({

config/default.js

@@ -478,6 +478,7 @@ config.rateLimit = {
     maxRequests: {
       all: 10, // all methods
       GET: 100, // optional
+      'GET /vN/attachments/:attId/:type': 1000,
     },
   },
   authenticated: {
@@ -486,6 +487,7 @@ config.rateLimit = {
       all: 30,
       GET: 200,
       POST: 60,
+      'GET /vN/attachments/:attId/:type': 1000,
     },
   },
   maskingKeyRotationInterval: 'P7D', // ISO 8601 duration

test/unit/support/rateLimiter.ts

@@ -9,6 +9,7 @@ import { rateLimiterMiddleware, durationToSeconds } from '../../../app/support/r
 const MAX_ANONYMOUS_REQUESTS = 3;
 const MAX_AUTHENTICATED_REQUESTS = 5;
 const MAX_AUTHENTICATED_POST_REQUESTS = MAX_AUTHENTICATED_REQUESTS - 1;
+const MAX_ROUTE_REQUESTS = 10;
 const DURATION = 'PT5S';
 const BLOCK_DURATION = 'PT5S';
 const BLOCK_MULTIPLIER = 2;
@@ -17,6 +18,7 @@ const baseContext = {
   ip: '127.0.0.1',
   state: {
     authJWTPayload: {},
+    matchedRoute: '/v1/posts',
   },
   config: {
     rateLimit: {
@@ -26,13 +28,15 @@ const baseContext = {
         duration: DURATION,
         maxRequests: {
           all: MAX_ANONYMOUS_REQUESTS,
+          'GET /vN/attachments': MAX_ROUTE_REQUESTS,
         },
       },
       authenticated: {
         duration: DURATION,
         maxRequests: {
           all: MAX_AUTHENTICATED_REQUESTS,
           POST: MAX_AUTHENTICATED_POST_REQUESTS,
+          'GET /vN/attachments': MAX_ROUTE_REQUESTS,
         },
       },
       blockDuration: BLOCK_DURATION,
@@ -123,6 +127,20 @@ describe('Rate limiter', () => {
     return expect(Promise.all(requests), 'to be fulfilled');
   });
 
+  it('should block if a specific route limit is exceeded', async () => {
+    const ctx = merge({}, baseContext, {
+      config: { rateLimit: { enabled: true } },
+      state: { matchedRoute: '/v1/attachments' },
+    });
+
+    for (let i = 0; i < MAX_ROUTE_REQUESTS; i++) {
+      // eslint-disable-next-line no-await-in-loop
+      await expect(() => rateLimiterMiddleware(ctx, next), 'to be fulfilled');
+    }
+
+    await expect(() => rateLimiterMiddleware(ctx, next), 'to be rejected with', 'Slow down');
+  });
+
   it('should block for a configurable amount of time', async () => {
     const ctx = merge({}, baseContext, {
       config: { rateLimit: { enabled: true } },