authordakkar <dakkar@thenautilus.net>2024-08-18 13:13:23 +0100
committerdakkar <dakkar@thenautilus.net>2024-08-18 13:13:23 +0100
commita58df8ac7c7f6d460ac07dc1ba7b0e59dd196b5a (patch)
tree32e420ec85d1af1b6734ef5f84612652adb9158b /packages/backend/src/server/api/StreamingApiServerService.ts
parentupd: apply suggestions on en-US locales (diff)
parentmerge: Rate limiting for websockets (!598) (diff)
Merge branch 'develop' into feature/misskey-2024.07
Diffstat (limited to 'packages/backend/src/server/api/StreamingApiServerService.ts')
-rw-r--r--packages/backend/src/server/api/StreamingApiServerService.ts62
1 files changed, 61 insertions, 1 deletions
diff --git a/packages/backend/src/server/api/StreamingApiServerService.ts b/packages/backend/src/server/api/StreamingApiServerService.ts
index b8f448477b..2070ab6106 100644
--- a/packages/backend/src/server/api/StreamingApiServerService.ts
+++ b/packages/backend/src/server/api/StreamingApiServerService.ts
@@ -19,7 +19,15 @@ import { ChannelFollowingService } from '@/core/ChannelFollowingService.js';
import { AuthenticateService, AuthenticationError } from './AuthenticateService.js';
import MainStreamConnection from './stream/Connection.js';
import { ChannelsService } from './stream/ChannelsService.js';
+import { RateLimiterService } from './RateLimiterService.js';
+import { RoleService } from '@/core/RoleService.js';
+import { getIpHash } from '@/misc/get-ip-hash.js';
+import proxyAddr from 'proxy-addr';
+import ms from 'ms';
import type * as http from 'node:http';
+import type { IEndpointMeta } from './endpoints.js';
+import { LoggerService } from '@/core/LoggerService.js';
+import type Logger from '@/logger.js';
@Injectable()
export class StreamingApiServerService {
@@ -41,10 +49,36 @@ export class StreamingApiServerService {
private notificationService: NotificationService,
private usersService: UserService,
private channelFollowingService: ChannelFollowingService,
+ private rateLimiterService: RateLimiterService,
+ private roleService: RoleService,
+ private loggerService: LoggerService,
) {
}
@bindThis
+ private async rateLimitThis(
+ user: MiLocalUser | null | undefined,
+ requestIp: string | undefined,
+ limit: IEndpointMeta['limit'] & { key: NonNullable<string> },
+ ) : Promise<boolean> {
+ let limitActor: string;
+ if (user) {
+ limitActor = user.id;
+ } else {
+ limitActor = getIpHash(requestIp || 'wtf');
+ }
+
+ const factor = user ? (await this.roleService.getUserPolicies(user.id)).rateLimitFactor : 1;
+
+ if (factor <= 0) return false;
+
+ // Rate limit
+ return await this.rateLimiterService.limit(limit, limitActor, factor)
+ .then(() => { return false; })
+ .catch(err => { return true; });
+ }
+
+ @bindThis
public attach(server: http.Server): void {
this.#wss = new WebSocket.WebSocketServer({
noServer: true,
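Review bot: The `.catch(err => { return true; })` at the end of `rateLimitThis` turns every rejection into "limit exceeded", so a failure of the limiter backend cannot be told apart from real throttling, nothing is logged, and `err` is never read. If the limiter rejects with a distinguishable reason (its implementation is not visible here), log the unexpected ones before returning `true`, and write the call as `try { await this.rateLimiterService.limit(limit, limitActor, factor); return false; } catch (err) { /* log */ return true; }` instead of mixing `await` with `.then`/`.catch`. Separately, `getIpHash(requestIp || 'wtf')` puts every connection without a resolvable address into one shared bucket, which deserves a comment such as `// no client address: all such peers share a single bucket`. `NonNullable<string>` in the `limit` parameter type is just `string`.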
@@ -57,6 +91,22 @@ export class StreamingApiServerService {
return;
}
+ // ServerServices sets `trustProxy: true`, which inside
+ // fastify/request.js ends up calling `proxyAddr` in this way,
+ // so we do the same
+ const requestIp = proxyAddr(request, () => { return true; } );
+
+ if (await this.rateLimitThis(null, requestIp, {
+ key: 'wsconnect',
+ duration: ms('5min'),
+ max: 32,
+ minInterval: ms('1sec'),
+ })) {
+ socket.write('HTTP/1.1 429 Rate Limit Exceeded\r\n\r\n');
+ socket.destroy();
+ return;
+ }
+
const q = new URL(request.url, `http://${request.headers.host}`).searchParams;
let user: MiLocalUser | null = null;
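Review bot: `proxyAddr(request, () => { return true; })` trusts every hop, so `requestIp` is whatever the outermost forwarding header claims, and both the `wsconnect` key here and the unauthenticated `wsmessage` key in the next hunk depend on it. That is only sound when every request reaches this server through a proxy that overwrites the forwarding header; otherwise the rate-limit bucket is effectively chosen by the client, which weakens the per-address limit. Extend the comment to state that deployment assumption, e.g. `// requires a reverse proxy that overwrites X-Forwarded-For; on a directly reachable server this value is client-controlled`, or derive the trust function from the configured proxy addresses with `proxyAddr.compile(...)`. The enclosing upgrade handler starts outside the hunk.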
@@ -94,13 +144,23 @@ export class StreamingApiServerService {
return;
}
+ const rateLimiter = () => {
+ return this.rateLimitThis(user, requestIp, {
+ key: 'wsmessage',
+ duration: ms('5sec'),
+ max: 256,
+ });
+ };
+
const stream = new MainStreamConnection(
this.channelsService,
this.noteReadService,
this.notificationService,
this.cacheService,
this.channelFollowingService,
- user, app,
+ this.loggerService,
+ user, app, requestIp,
+ rateLimiter,
);
await stream.init();
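Review bot: The `rateLimiter` closure is handed to `MainStreamConnection` without saying what its result means; per `rateLimitThis` it resolves to `true` when the limit is exceeded, which is easy to read the wrong way round at the call site. Add `// resolves to true when the message is over the limit and should be dropped` above the closure. The `wsmessage` numbers (256 per 5 s) and the `wsconnect` ones in the previous hunk are inline literals; named constants near the class would make them easier to tune and audit.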