chore: More rate limited endpoints

2022-10-02 19:27:21 -04:00
parent a7683dda57
commit 55e622e22f
3 changed files with 87 additions and 68 deletions
--- a/server/routes/api/team.ts
+++ b/server/routes/api/team.ts
@@ -1,6 +1,8 @@
 import Router from "koa-router";
+import { RateLimiterStrategy } from "@server/RateLimiter";
 import teamUpdater from "@server/commands/teamUpdater";
 import auth from "@server/middlewares/authentication";
+import { rateLimiter } from "@server/middlewares/rateLimiter";
 import { Team, TeamDomain } from "@server/models";
 import { authorize } from "@server/policies";
 import { presentTeam, presentPolicies } from "@server/presenters";
@@ -8,35 +10,12 @@ import { assertUuid } from "@server/validation";

 const router = new Router();

-router.post("team.update", auth(), async (ctx) => {
-  const {
-    name,
-    avatarUrl,
-    subdomain,
-    sharing,
-    guestSignin,
-    documentEmbeds,
-    memberCollectionCreate,
-    collaborativeEditing,
-    defaultCollectionId,
-    defaultUserRole,
-    inviteRequired,
-    allowedDomains,
-    preferences,
-  } = ctx.body;
-
-  const { user } = ctx.state;
-  const team = await Team.findByPk(user.teamId, {
-    include: [{ model: TeamDomain }],
-  });
-  authorize(user, "update", team);
-
-  if (defaultCollectionId !== undefined && defaultCollectionId !== null) {
-    assertUuid(defaultCollectionId, "defaultCollectionId must be uuid");
-  }
-
-  const updatedTeam = await teamUpdater({
-    params: {
+router.post(
+  "team.update",
+  auth(),
+  rateLimiter(RateLimiterStrategy.TenPerHour),
+  async (ctx) => {
+    const {
      name,
      avatarUrl,
      subdomain,
@@ -50,16 +29,44 @@ router.post("team.update", auth(), async (ctx) => {
      inviteRequired,
      allowedDomains,
      preferences,
-    },
-    user,
-    team,
-    ip: ctx.request.ip,
-  });
+    } = ctx.body;

-  ctx.body = {
-    data: presentTeam(updatedTeam),
-    policies: presentPolicies(user, [updatedTeam]),
-  };
-});
+    const { user } = ctx.state;
+    const team = await Team.findByPk(user.teamId, {
+      include: [{ model: TeamDomain }],
+    });
+    authorize(user, "update", team);
+
+    if (defaultCollectionId !== undefined && defaultCollectionId !== null) {
+      assertUuid(defaultCollectionId, "defaultCollectionId must be uuid");
+    }
+
+    const updatedTeam = await teamUpdater({
+      params: {
+        name,
+        avatarUrl,
+        subdomain,
+        sharing,
+        guestSignin,
+        documentEmbeds,
+        memberCollectionCreate,
+        collaborativeEditing,
+        defaultCollectionId,
+        defaultUserRole,
+        inviteRequired,
+        allowedDomains,
+        preferences,
+      },
+      user,
+      team,
+      ip: ctx.request.ip,
+    });
+
+    ctx.body = {
+      data: presentTeam(updatedTeam),
+      policies: presentPolicies(user, [updatedTeam]),
+    };
+  }
+);

 export default router;