ADD: rate limiting

controllers/api.js

@@ -53,7 +53,14 @@ redis.info(function(err, info) {
 
 // ######################## ROUTES ########################
 
-router.post('/create', async function(req, res) {
+const rateLimit = require('express-rate-limit');
+const postLimiter = rateLimit({
+  windowMs: 30 * 60 * 1000,
+  max: 50,
+  message: 'You are going too fast',
+});
+
+router.post('/create', postLimiter, async function(req, res) {
   logger.log('/create', [req.id]);
   if (!(req.body.partnerid && req.body.partnerid === 'bluewallet' && req.body.accounttype)) return errorBadArguments(res);
 
@@ -63,7 +70,7 @@ router.post('/create', async function(req, res) {
   res.send({ login: u.getLogin(), password: u.getPassword() });
 });
 
-router.post('/auth', async function(req, res) {
+router.post('/auth', postLimiter, async function(req, res) {
   logger.log('/auth', [req.id]);
   if (!((req.body.login && req.body.password) || req.body.refresh_token)) return errorBadArguments(res);
 
@@ -84,12 +91,13 @@ router.post('/auth', async function(req, res) {
   }
 });
 
-router.post('/addinvoice', async function(req, res) {
+router.post('/addinvoice', postLimiter, async function(req, res) {
   logger.log('/addinvoice', [req.id]);
   let u = new User(redis, bitcoinclient, lightning);
   if (!(await u.loadByAuthorization(req.headers.authorization))) {
     return errorBadAuth(res);
   }
+  logger.log('/addinvoice', [req.id, 'userid: ' + u.getUserId()]);
 
   if (!req.body.amt) return errorBadArguments(res);
 
@@ -243,7 +251,7 @@ router.get('/getbtc', async function(req, res) {
   res.send([{ address }]);
 });
 
-router.get('/balance', async function(req, res) {
+router.get('/balance', postLimiter, async function(req, res) {
   logger.log('/balance', [req.id]);
   let u = new User(redis, bitcoinclient, lightning);
   if (!(await u.loadByAuthorization(req.headers.authorization))) {
@@ -257,7 +265,7 @@ router.get('/balance', async function(req, res) {
   res.send({ BTC: { AvailableBalance: balance } });
 });
 
-router.get('/getinfo', async function(req, res) {
+router.get('/getinfo', postLimiter, async function(req, res) {
   logger.log('/getinfo', [req.id]);
   let u = new User(redis, bitcoinclient, lightning);
   if (!(await u.loadByAuthorization(req.headers.authorization))) {

package-lock.json

@@ -1476,6 +1476,11 @@
         }
       }
     },
+    "clone": {
+      "version": "1.0.4",
+      "resolved": "https://registry.npmjs.org/clone/-/clone-1.0.4.tgz",
+      "integrity": "sha1-2jCcwmPfFZlMaIypAheco8fNfH4="
+    },
     "cluster-key-slot": {
       "version": "1.0.12",
       "resolved": "https://registry.npmjs.org/cluster-key-slot/-/cluster-key-slot-1.0.12.tgz",
@@ -1691,6 +1696,14 @@
       "resolved": "https://registry.npmjs.org/deep-is/-/deep-is-0.1.3.tgz",
       "integrity": "sha1-s2nW+128E+7PUk+RsHD+7cNXzzQ="
     },
+    "defaults": {
+      "version": "1.0.3",
+      "resolved": "https://registry.npmjs.org/defaults/-/defaults-1.0.3.tgz",
+      "integrity": "sha1-xlYFHpgX2f8I7YgUd/P+QBnz730=",
+      "requires": {
+        "clone": "^1.0.2"
+      }
+    },
     "define-property": {
       "version": "2.0.2",
       "resolved": "https://registry.npmjs.org/define-property/-/define-property-2.0.2.tgz",
@@ -2138,6 +2151,14 @@
         "vary": "~1.1.2"
       }
     },
+    "express-rate-limit": {
+      "version": "3.4.0",
+      "resolved": "https://registry.npmjs.org/express-rate-limit/-/express-rate-limit-3.4.0.tgz",
+      "integrity": "sha512-SktWQGHhTQfIOZykiVIaoqmHCptqq177fEbumVytWsMpEqe+g78IFrfzivJTimoCdMZ5+vYJ5/a/w1darXMv+A==",
+      "requires": {
+        "defaults": "^1.0.3"
+      }
+    },
     "extend": {
       "version": "3.0.2",
       "resolved": "https://registry.npmjs.org/extend/-/extend-3.0.2.tgz",

package.json

@@ -26,6 +26,7 @@
     "eslint-config-prettier": "^3.3.0",
     "eslint-plugin-prettier": "^3.0.0",
     "express": "^4.16.4",
+    "express-rate-limit": "^3.4.0",
     "grpc": "^1.17.0-pre1",
     "ioredis": "^4.2.0",
     "jayson": "^2.1.0",