From fa03f9c08d02a62fd6b17f9c1d6ce6048b444ab2 Mon Sep 17 00:00:00 2001
From: Tom Moor
Date: Wed, 30 Aug 2023 20:28:22 -0400
Subject: [PATCH] Add additional rate limits on documents API endpoints
---
 server/routes/api/documents/documents.ts | 5 +++++
 server/utils/RateLimiter.ts | 15 +++++++++++++++
 2 files changed, 20 insertions(+)
diff --git a/server/routes/api/documents/documents.ts b/server/routes/api/documents/documents.ts
index 25f152e84..be62abd0b 100644
--- a/server/routes/api/documents/documents.ts
+++ b/server/routes/api/documents/documents.ts
@@ -669,6 +669,7 @@ router.post(
 "documents.search_titles",
 auth(),
 pagination(),
+ rateLimiter(RateLimiterStrategy.OneHundredPerMinute),
 validate(T.DocumentsSearchSchema),
 async (ctx: APIContext) => {
 const {
@@ -722,6 +723,7 @@ router.post(
 optional: true,
 }),
 pagination(),
+ rateLimiter(RateLimiterStrategy.OneHundredPerMinute),
 validate(T.DocumentsSearchSchema),
 async (ctx: APIContext) => {
 const {
@@ -839,6 +841,7 @@ router.post(
 router.post(
 "documents.templatize",
 auth({ member: true }),
+ rateLimiter(RateLimiterStrategy.TwentyFivePerMinute),
 validate(T.DocumentsTemplatizeSchema),
 async (ctx: APIContext) => {
 const { id } = ctx.input.body;
@@ -1163,6 +1166,7 @@ router.post(
 router.post(
 "documents.import",
 auth(),
+ rateLimiter(RateLimiterStrategy.TwentyFivePerMinute),
 validate(T.DocumentsImportSchema),
 transaction(),
 async (ctx: APIContext) => {
@@ -1246,6 +1250,7 @@ router.post(
 router.post(
 "documents.create",
 auth(),
+ rateLimiter(RateLimiterStrategy.TwentyFivePerMinute),
 validate(T.DocumentsCreateSchema),
 transaction(),
 async (ctx: APIContext) => {
diff --git a/server/utils/RateLimiter.ts b/server/utils/RateLimiter.ts
index 2dbe2915c..1bb6c0f07 100644
--- a/server/utils/RateLimiter.ts
+++ b/server/utils/RateLimiter.ts
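Review bot: In the `documents.search_titles` hunk the new `rateLimiter(...)` runs after `auth()`, so an unauthenticated burst still pays for the session lookup before the limiter is consulted; the same ordering is used in the `documents.search`, `documents.templatize`, `documents.import` and `documents.create` hunks. Whether that is the right order depends on what the middleware keys on, which is outside this patch: the strategy comments in `RateLimiter.ts` say "per IP address", and a purely IP-keyed limiter could sit ahead of `auth()`, whereas a user-keyed limiter needs the current order. A one-line comment at the first use would settle it for the next reader, e.g. `// limiter runs after auth() so its key can include the authenticated user`, or the call should move ahead of `auth()` if the key is the client address only. The `documents.search` hunk appears to sit under an `auth({ optional: true })` call (from the `optional: true,` / `}),` context), which would make it the one endpoint here reachable without credentials and where the per-IP limit matters most, while `documents.create` at 25/minute per IP may be tight for many users behind one egress address and deserves a note on the chosen number. Each `router.post(` call starts or continues outside its hunk.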
@@ -56,11 +56,26 @@ export const RateLimiterStrategy = {
 duration: 60,
 requests: 10,
 },
+ /** Allows twenty five requests per minute, per IP address */
+ TwentyFivePerMinute: {
+ duration: 60,
+ requests: 25,
+ },
+ /** Allows one hundred requests per minute, per IP address */
+ OneHundredPerMinute: {
+ duration: 60,
+ requests: 100,
+ },
 /** Allows one thousand requests per hour, per IP address */
 OneThousandPerHour: {
 duration: 3600,
 requests: 1000,
 },
+ /** Allows one hunred requests per hour, per IP address */
+ OneHundredPerHour: {
+ duration: 3600,
+ requests: 100,
+ },
 /** Allows ten requests per hour, per IP address */
 TenPerHour: {
 duration: 3600,
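Review bot: The TSDoc on the new `OneHundredPerHour` entry has a typo, `hunred`; it should read `/** Allows one hundred requests per hour, per IP address */`. Unlike the two per-minute strategies, `OneHundredPerHour` is not referenced by any route in this patch, so it is either wired up elsewhere or unused until a later commit; if the latter, adding it together with its first consumer keeps the strategy table from accumulating dead entries. Because the identifiers encode the numeric limits, a later tuning of `requests` leaves a misleading name — the existing entries share that convention, so this is a remark on the file rather than on these lines. The `RateLimiterStrategy` object starts before the hunk and continues past it.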