diff options
| author | dakkar <dakkar@thenautilus.net> | 2025-05-04 18:04:46 +0000 |
|---|---|---|
| committer | dakkar <dakkar@thenautilus.net> | 2025-05-04 18:04:46 +0000 |
| commit | 75b022cef9a469579676ef166db0837aaecfe913 (patch) | |
| tree | 25744724758e0e63b240130239694525426f1e90 /packages/backend/src/server/api | |
| parent | fix scrolling in following feed on mobile (diff) | |
| parent | check role assignments in featured timeline (diff) | |
| download | sharkey-75b022cef9a469579676ef166db0837aaecfe913.tar.gz sharkey-75b022cef9a469579676ef166db0837aaecfe913.tar.bz2 sharkey-75b022cef9a469579676ef166db0837aaecfe913.zip | |
merge: Protect featured timeline endpoint (!979)
View MR for information: https://activitypub.software/TransFem-org/Sharkey/-/merge_requests/979
Approved-by: Marie <github@yuugi.dev>
Diffstat (limited to 'packages/backend/src/server/api')
| -rw-r--r-- | packages/backend/src/server/api/endpoints/notes/featured.ts | 23 |
1 files changed, 20 insertions, 3 deletions
diff --git a/packages/backend/src/server/api/endpoints/notes/featured.ts b/packages/backend/src/server/api/endpoints/notes/featured.ts index 734ff31700..02d572e89b 100644 --- a/packages/backend/src/server/api/endpoints/notes/featured.ts +++ b/packages/backend/src/server/api/endpoints/notes/featured.ts @@ -12,6 +12,8 @@ import { FeaturedService } from '@/core/FeaturedService.js'; import { isUserRelated } from '@/misc/is-user-related.js'; import { CacheService } from '@/core/CacheService.js'; import { QueryService } from '@/core/QueryService.js'; +import { ApiError } from '@/server/api/error.js'; +import { RoleService } from '@/core/RoleService.js'; export const meta = { tags: ['notes'], @@ -30,10 +32,19 @@ export const meta = { }, }, - // 10 calls per 5 seconds + errors: { + ltlDisabled: { + message: 'Local timeline has been disabled.', + code: 'LTL_DISABLED', + id: '45a6eb02-7695-4393-b023-dd3be9aaaefd', + }, + }, + + // Burst of 10 calls to handle tab reload, then 4/second for refresh limit: { - duration: 1000 * 5, - max: 10, + type: 'bucket', + size: 10, + dripSize: 4, }, } as const; @@ -60,8 +71,14 @@ export default class extends Endpoint<typeof meta, typeof paramDef> { // eslint- private noteEntityService: NoteEntityService, private featuredService: FeaturedService, private queryService: QueryService, + private readonly roleService: RoleService, ) { super(meta, paramDef, async (ps, me) => { + const policies = await this.roleService.getUserPolicies(me ? me.id : null); + if (!policies.ltlAvailable) { + throw new ApiError(meta.errors.ltlDisabled); + } + let noteIds: string[]; if (ps.channelId) { noteIds = await this.featuredService.getInChannelNotesRanking(ps.channelId, 50); |