overleaf/services/web/app/coffee/Features/Security/RateLimiterMiddlewear.coffee

RateLimiter = require "../../infrastructure/RateLimiter"
logger = require "logger-sharelatex"
AuthenticationController = require('../Authentication/AuthenticationController')

module.exports = RateLimiterMiddlewear =
	###
	Do not allow more than opts.maxRequests from a single client in
	opts.timeInterval. Pass an array of opts.params to segment this based on
	parameters in the request URL, e.g.:

	    app.get "/project/:project_id", RateLimiterMiddlewear.rateLimit(endpointName: "open-editor", params: ["project_id"])

	will rate limit each project_id separately.

	Unique clients are identified by user_id if logged in, and IP address if not.
	###
	rateLimit: (opts) ->
		return (req, res, next) ->
			user_id = AuthenticationController.getLoggedInUserId(req) || req.ip
			params = (opts.params or []).map (p) -> req.params[p]
			params.push user_id
			if !opts.endpointName?
				throw new Error("no endpointName provided")
			options = {
				endpointName: opts.endpointName
				timeInterval: opts.timeInterval or 60
				subjectName:  params.join(":")
				throttle:     opts.maxRequests or 6
			}
			RateLimiter.addCount options, (error, canContinue)->
				return next(error) if error?
				if canContinue
					next()
				else
					logger.warn options, "rate limit exceeded"
					res.status(429) # Too many requests
					res.write("Rate limit reached, please try again later")
					res.end()
Add in rate limit to opening projets 2015-02-04 10:05:26 -05:00			`RateLimiter = require "../../infrastructure/RateLimiter"`
Log when rate limit is hit 2015-02-05 04:52:40 -05:00			`logger = require "logger-sharelatex"`
WIP: refactor 2016-09-05 10:58:31 -04:00			`AuthenticationController = require('../Authentication/AuthenticationController')`
Add in rate limit to opening projets 2015-02-04 10:05:26 -05:00
			`module.exports = RateLimiterMiddlewear =`
			`###`
			`Do not allow more than opts.maxRequests from a single client in`
			`opts.timeInterval. Pass an array of opts.params to segment this based on`
			`parameters in the request URL, e.g.:`
WIP: refactor 2016-09-05 10:58:31 -04:00
Add in rate limit to opening projets 2015-02-04 10:05:26 -05:00			`app.get "/project/:project_id", RateLimiterMiddlewear.rateLimit(endpointName: "open-editor", params: ["project_id"])`
WIP: refactor 2016-09-05 10:58:31 -04:00
Add in rate limit to opening projets 2015-02-04 10:05:26 -05:00			`will rate limit each project_id separately.`
WIP: refactor 2016-09-05 10:58:31 -04:00
Add in rate limit to opening projets 2015-02-04 10:05:26 -05:00			`Unique clients are identified by user_id if logged in, and IP address if not.`
			`###`
			`rateLimit: (opts) ->`
			`return (req, res, next) ->`
WIP: refactor 2016-09-05 10:58:31 -04:00			`user_id = AuthenticationController.getLoggedInUserId(req) \|\| req.ip`
Add in rate limit to opening projets 2015-02-04 10:05:26 -05:00			`params = (opts.params or []).map (p) -> req.params[p]`
			`params.push user_id`
			`if !opts.endpointName?`
			`throw new Error("no endpointName provided")`
Log when rate limit is hit 2015-02-05 04:52:40 -05:00			`options = {`
Add in rate limit to opening projets 2015-02-04 10:05:26 -05:00			`endpointName: opts.endpointName`
			`timeInterval: opts.timeInterval or 60`
			`subjectName: params.join(":")`
			`throttle: opts.maxRequests or 6`
Log when rate limit is hit 2015-02-05 04:52:40 -05:00			`}`
			`RateLimiter.addCount options, (error, canContinue)->`
Add in rate limit to opening projets 2015-02-04 10:05:26 -05:00			`return next(error) if error?`
			`if canContinue`
			`next()`
			`else`
Log when rate limit is hit 2015-02-05 04:52:40 -05:00			`logger.warn options, "rate limit exceeded"`
Add in rate limit to opening projets 2015-02-04 10:05:26 -05:00			`res.status(429) # Too many requests`
			`res.write("Rate limit reached, please try again later")`
WIP: refactor 2016-09-05 10:58:31 -04:00			`res.end()`