From d2c36e71be414226a053c09fcbb696a31c2069e3 Mon Sep 17 00:00:00 2001 From: Theis Gaedigk Date: Sun, 26 Apr 2026 16:10:34 +0200 Subject: [PATCH] added request limiter to backend --- backendV2/package-lock.json | 32 ++++++++++++++++++++++++++++++-- backendV2/package.json | 3 ++- backendV2/server.js | 22 +++++++++++++++++----- 3 files changed, 49 insertions(+), 8 deletions(-) diff --git a/backendV2/package-lock.json b/backendV2/package-lock.json index 0b39461..aeb4f7d 100644 --- a/backendV2/package-lock.json +++ b/backendV2/package-lock.json @@ -1,18 +1,19 @@ { "name": "backendv2", - "version": "1.0.0", + "version": "v2.1.1 (dev)", "lockfileVersion": 3, "requires": true, "packages": { "": { "name": "backendv2", - "version": "1.0.0", + "version": "v2.1.1 (dev)", "license": "ISC", "dependencies": { "cors": "^2.8.5", "dotenv": "^17.2.1", "ejs": "^3.1.10", "express": "^5.1.0", + "express-rate-limit": "^8.4.1", "jose": "^6.0.12", "mysql2": "^3.14.3", "nodemailer": "^7.0.6" @@ -349,6 +350,24 @@ "url": "https://opencollective.com/express" } }, + "node_modules/express-rate-limit": { + "version": "8.4.1", + "resolved": "https://registry.npmjs.org/express-rate-limit/-/express-rate-limit-8.4.1.tgz", + "integrity": "sha512-NGVYwQSAyEQgzxX1iCM978PP9AdO/hW93gMcF6ZwQCm+rFvLsBH6w4xcXWTcliS8La5EPRN3p9wzItqBwJrfNw==", + "license": "MIT", + "dependencies": { + "ip-address": "10.1.0" + }, + "engines": { + "node": ">= 16" + }, + "funding": { + "url": "https://github.com/sponsors/express-rate-limit" + }, + "peerDependencies": { + "express": ">= 4.11" + } + }, "node_modules/filelist": { "version": "1.0.4", "resolved": "https://registry.npmjs.org/filelist/-/filelist-1.0.4.tgz", 
@@ -527,6 +546,15 @@ "integrity": "sha512-k/vGaX4/Yla3WzyMCvTQOXYeIHvqOKtnqBduzTHpzpQZzAskKMhZ2K+EnBiSM9zGSoIFeMpXKxa4dYeZIQqewQ==", "license": "ISC" }, + "node_modules/ip-address": { + "version": "10.1.0", + "resolved": "https://registry.npmjs.org/ip-address/-/ip-address-10.1.0.tgz", + "integrity": "sha512-XXADHxXmvT9+CRxhXg56LJovE+bmWnEWB78LB83VZTprKTmaC5QfruXocxzTZ2Kl0DNwKuBdlIhjL8LeY8Sf8Q==", + "license": "MIT", + "engines": { + "node": ">= 12" + } + }, "node_modules/ipaddr.js": { "version": "1.9.1", "resolved": "https://registry.npmjs.org/ipaddr.js/-/ipaddr.js-1.9.1.tgz", diff --git a/backendV2/package.json b/backendV2/package.json index 9c9a53e..c16054e 100644 --- a/backendV2/package.json +++ b/backendV2/package.json @@ -15,8 +15,9 @@ "dotenv": "^17.2.1", "ejs": "^3.1.10", "express": "^5.1.0", + "express-rate-limit": "^8.4.1", "jose": "^6.0.12", "mysql2": "^3.14.3", "nodemailer": "^7.0.6" } -} \ No newline at end of file +} diff --git a/backendV2/server.js b/backendV2/server.js index c268042..c255551 100644 --- a/backendV2/server.js +++ b/backendV2/server.js 
@@ -3,6 +3,23 @@ import cors from "cors";
 import dotenv from "dotenv";
 import info from "./info.json" assert { type: "json" };
 import { authenticate } from "./services/authentication.js";
+import { rateLimit } from "express-rate-limit";
+
+dotenv.config();
+const app = express();
+const port = 8004;
+const naasURL = process.env.NAAS_URL;
+
+const limiter = rateLimit({
+ windowMs: 1 * 60 * 1000, // 1 minute
+ limit: 50, // Limit each IP to 50 requests per `window` (here, per 1 minute).
+ standardHeaders: "draft-8", // draft-6: `RateLimit-*` headers; draft-7 & draft-8: combined `RateLimit` header
+ legacyHeaders: false, // Disable the `X-RateLimit-*` headers.
+ ipv6Subnet: 56, // Set to 60 or 64 to be less aggressive, or 52 or 48 to be more aggressive
+ // store: ... , // Redis, Memcached, etc. See below.
+});
+
+app.use(limiter);
 
 // frontend routes
 import loansMgmtRouter from "./routes/app/loanMgmt.route.js";
@@ -19,11 +36,6 @@ import serverConfMgmtRouter from "./routes/admin/serverConfMgmt.route.js";
 // API routes
 import apiRouter from "./routes/api/api.route.js";
 
-dotenv.config();
-const app = express();
-const port = 8004;
-const naasURL = process.env.NAAS_URL;
-
 app.use(cors());
 // Body-Parser VOR den Routen registrieren
 app.use(express.json({ limit: "10mb" }));
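Review bot: The limiter keys its buckets on Express's `req.ip`, and nothing in this hunk sets the `trust proxy` setting; if this backend is reached through a reverse proxy or load balancer (not visible here), every client resolves to the proxy's address and shares a single 50-per-minute bucket, while a `trust proxy` later set too broadly lets a caller pick its own bucket via `X-Forwarded-For`. Decide this explicitly next to `const app = express();`, e.g. `app.set("trust proxy", 1); // exactly one proxy hop in front of this app — match the deployment`, and check express-rate-limit's runtime validation output on first start, which I believe reports when the forwarded header and this setting disagree. The `// store: ... , // Redis, Memcached, etc. See below.` comment is lifted from the library README and points at nothing in this file; replace it with the operational fact that matters, e.g. `// default MemoryStore: counters are per process, so N instances allow roughly N x 50 req/min per client`. Given the `authenticate` import and the `routes/admin` routers, a second, stricter `rateLimit` on the credentialed routes would be worth adding rather than relying on the global 50/min alone.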