feat(rate-limiting): implement rate limiting for various controllers to enhance API stability

Author: fox3000foxy

src/app.ts

@@ -43,3 +43,5 @@ server.setErrorConfig(app => {
 });
 
 export const app = server.build();
+
+

src/controllers/GameController.ts

@@ -1,4 +1,5 @@
 import { Request, Response } from 'express';
+import rateLimit from 'express-rate-limit';
 import { inject } from 'inversify';
 import { controller, httpGet, httpPost, httpPut } from 'inversify-express-utils';
 import fetch from 'node-fetch';
@@ -30,6 +31,46 @@ async function validateOr400(schema: yup.Schema<unknown>, data: unknown, res: Re
   }
 }
 
+const createGameRateLimit = rateLimit({
+  windowMs: 60 * 60 * 1000, 
+  max: 5, 
+  message: 'Too many game creations, please try again later.',
+  standardHeaders: true,
+  legacyHeaders: false,
+});
+
+const updateGameRateLimit = rateLimit({
+  windowMs: 60 * 60 * 1000, 
+  max: 10, 
+  message: 'Too many game updates, please try again later.',
+  standardHeaders: true,
+  legacyHeaders: false,
+});
+
+const buyGameRateLimit = rateLimit({
+  windowMs: 60 * 60 * 1000, 
+  max: 20, 
+  message: 'Too many game purchases, please try again later.',
+  standardHeaders: true,
+  legacyHeaders: false,
+});
+
+const transferOwnershipRateLimit = rateLimit({
+  windowMs: 60 * 60 * 1000, 
+  max: 5, 
+  message: 'Too many ownership transfers, please try again later.',
+  standardHeaders: true,
+  legacyHeaders: false,
+});
+
+const transferGameRateLimit = rateLimit({
+  windowMs: 60 * 60 * 1000, 
+  max: 10, 
+  message: 'Too many game transfers, please try again later.',
+  standardHeaders: true,
+  legacyHeaders: false,
+});
+
 @controller('/games')
 export class Games {
   constructor(
@@ -157,7 +198,7 @@ export class Games {
     }
   }
 
-  @httpPost('/', LoggedCheck.middleware)
+  @httpPost('/', LoggedCheck.middleware, createGameRateLimit)
   public async createGame(req: AuthenticatedRequest, res: Response) {
     if (!(await validateOr400(createGameBodySchema, req.body, res))) {
       await this.createLog(req, 'createGame', 'games', 400, req.user?.user_id);
@@ -176,7 +217,7 @@ export class Games {
     }
   }
 
-  @httpPut(':gameId', LoggedCheck.middleware)
+  @httpPut(':gameId', LoggedCheck.middleware, updateGameRateLimit)
   public async updateGame(req: AuthenticatedRequest, res: Response) {
     if (!(await validateOr400(gameIdParamSchema, req.params, res))) {
       await this.createLog(req, 'updateGame', 'games', 400, req.user?.user_id);
@@ -206,7 +247,7 @@ export class Games {
     }
   }
 
-  @httpPost(':gameId/buy', LoggedCheck.middleware)
+  @httpPost(':gameId/buy', LoggedCheck.middleware, buyGameRateLimit)
   public async buyGame(req: AuthenticatedRequest, res: Response) {
     const { gameId } = req.params;
     const userId = req.user.user_id;
@@ -251,7 +292,7 @@ export class Games {
     }
   }
 
-  @httpPost('/transfer-ownership/:gameId', LoggedCheck.middleware)
+  @httpPost('/transfer-ownership/:gameId', LoggedCheck.middleware, transferOwnershipRateLimit)
   public async transferOwnership(req: AuthenticatedRequest, res: Response) {
     const { gameId } = req.params;
     const { newOwnerId } = req.body;
@@ -285,7 +326,7 @@ export class Games {
     }
   }
 
-  @httpPost(':gameId/transfer', LoggedCheck.middleware)
+  @httpPost(':gameId/transfer', LoggedCheck.middleware, transferGameRateLimit)
   public async transferGame(req: AuthenticatedRequest, res: Response) {
     if (!(await validateOr400(gameIdParamSchema, req.params, res))) {
       await this.createLog(req, 'transferGame', 'games', 400, req.user?.user_id);
@@ -378,3 +419,5 @@ export class Games {
     }
   }
 }
+
+

src/controllers/ItemController.ts

@@ -1,4 +1,5 @@
 import { Request, Response } from 'express';
+import rateLimit from 'express-rate-limit';
 import { inject } from 'inversify';
 import { controller, httpDelete, httpGet, httpPost, httpPut } from 'inversify-express-utils';
 import { v4 } from 'uuid';
@@ -30,6 +31,70 @@ async function validateOr400(schema: Schema<unknown>, data: unknown, res: Respon
   }
 }
 
+const createItemRateLimit = rateLimit({
+  windowMs: 60 * 60 * 1000, 
+  max: 500,
+  message: 'Too many item creations, please try again later.',
+  standardHeaders: true,
+  legacyHeaders: false,
+});
+
+const updateItemRateLimit = rateLimit({
+  windowMs: 60 * 60 * 1000, 
+  max: 1000, 
+  message: 'Too many item updates, please try again later.',
+  standardHeaders: true,
+  legacyHeaders: false,
+});
+
+const deleteItemRateLimit = rateLimit({
+  windowMs: 60 * 60 * 1000, 
+  max: 500, 
+  message: 'Too many item deletions, please try again later.',
+  standardHeaders: true,
+  legacyHeaders: false,
+});
+
+const buyItemRateLimit = rateLimit({
+  windowMs: 60 * 60 * 1000, 
+  max: 2000, 
+  message: 'Too many item purchases, please try again later.',
+  standardHeaders: true,
+  legacyHeaders: false,
+});
+
+const sellItemRateLimit = rateLimit({
+  windowMs: 60 * 60 * 1000, 
+  max: 2000, 
+  message: 'Too many item sales, please try again later.',
+  standardHeaders: true,
+  legacyHeaders: false,
+});
+
+const consumeItemRateLimit = rateLimit({
+  windowMs: 60 * 60 * 1000, 
+  max: 1000, 
+  message: 'Too many item consumptions, please try again later.',
+  standardHeaders: true,
+  legacyHeaders: false,
+});
+
+const dropItemRateLimit = rateLimit({
+  windowMs: 60 * 60 * 1000, 
+  max: 1000, 
+  message: 'Too many item drops, please try again later.',
+  standardHeaders: true,
+  legacyHeaders: false,
+});
+
+const transferOwnershipRateLimit = rateLimit({
+  windowMs: 60 * 60 * 1000, 
+  max: 500, 
+  message: 'Too many ownership transfers, please try again later.',
+  standardHeaders: true,
+  legacyHeaders: false,
+});
+
 @controller('/items')
 export class Items {
   constructor(
@@ -216,7 +281,7 @@ export class Items {
     example: 'POST /api/items/create {"name": "Apple", "description": "A fruit", "price": 100, "iconHash": "abc123", "showInStore": true}',
     requiresAuth: true,
   })
-  @httpPost('/create', LoggedCheck.middleware)
+  @httpPost('/create', LoggedCheck.middleware, createItemRateLimit)
   public async createItem(req: AuthenticatedRequest, res: Response) {
     if (!(await validateOr400(createItemValidator, req.body, res, 'Invalid item data'))) {
       await this.createLog(req, 'items', 400);
@@ -259,7 +324,7 @@ export class Items {
     example: 'PUT /api/items/update/123 {"name": "Apple", "description": "A fruit", "price": 100, "iconHash": "abc123", "showInStore": true}',
     requiresAuth: true,
   })
-  @httpPut('/update/:itemId', OwnerCheck.middleware)
+  @httpPut('/update/:itemId', OwnerCheck.middleware, updateItemRateLimit)
   public async updateItem(req: AuthenticatedRequestWithOwner, res: Response) {
     if (!(await validateOr400(itemIdParamValidator, req.params, res, 'Invalid itemId'))) {
       await this.createLog(req, 'items', 400);
@@ -305,7 +370,7 @@ export class Items {
     example: 'DELETE /api/items/delete/123',
     requiresAuth: true,
   })
-  @httpDelete('/delete/:itemId', OwnerCheck.middleware)
+  @httpDelete('/delete/:itemId', OwnerCheck.middleware, deleteItemRateLimit)
   public async deleteItem(req: AuthenticatedRequestWithOwner, res: Response) {
     if (!(await validateOr400(itemIdParamValidator, req.params, res, 'Invalid itemId'))) {
       await this.createLog(req, 'items', 400);
@@ -322,7 +387,7 @@ export class Items {
     }
   }
 
-  @httpPost('/buy/:itemId', LoggedCheck.middleware)
+  @httpPost('/buy/:itemId', LoggedCheck.middleware, buyItemRateLimit)
   public async buyItem(req: AuthenticatedRequest, res: Response) {
     const { itemId } = req.params;
     const { amount } = req.body;
@@ -362,7 +427,7 @@ export class Items {
     }
   }
 
-  @httpPost('/sell/:itemId', LoggedCheck.middleware)
+  @httpPost('/sell/:itemId', LoggedCheck.middleware, sellItemRateLimit)
   public async sellItem(req: AuthenticatedRequest, res: Response) {
     const { itemId } = req.params;
     const { amount, purchasePrice, dataItemIndex } = req.body;
@@ -418,7 +483,7 @@ export class Items {
     }
   }
 
-  @httpPost('/consume/:itemId', OwnerCheck.middleware)
+  @httpPost('/consume/:itemId', OwnerCheck.middleware, consumeItemRateLimit)
   public async consumeItem(req: AuthenticatedRequestWithOwner, res: Response) {
     const { itemId } = req.params;
     const { amount, uniqueId, userId } = req.body;
@@ -468,7 +533,7 @@ export class Items {
     }
   }
 
-  @httpPost('/drop/:itemId', LoggedCheck.middleware)
+  @httpPost('/drop/:itemId', LoggedCheck.middleware, dropItemRateLimit)
   public async dropItem(req: AuthenticatedRequest, res: Response) {
     const { itemId } = req.params;
     const { amount, uniqueId, dataItemIndex } = req.body;
@@ -513,7 +578,7 @@ export class Items {
     }
   }
 
-  @httpPost('/transfer-ownership/:itemId', OwnerCheck.middleware)
+  @httpPost('/transfer-ownership/:itemId', OwnerCheck.middleware, transferOwnershipRateLimit)
   public async transferOwnership(req: AuthenticatedRequestWithOwner, res: Response) {
     const { itemId } = req.params;
     const { newOwnerId } = req.body;
@@ -541,3 +606,5 @@ export class Items {
     }
   }
 }
+
+

src/controllers/LobbyController.ts

@@ -1,4 +1,5 @@
 import { Request, Response } from 'express';
+import rateLimit from 'express-rate-limit';
 import { inject } from 'inversify';
 import { controller, httpGet, httpPost } from 'inversify-express-utils';
 import { v4 } from 'uuid';
@@ -27,6 +28,30 @@ async function validateOr400(schema: Schema<unknown>, data: unknown, res: Respon
   }
 }
 
+const createLobbyRateLimit = rateLimit({
+  windowMs: 60 * 60 * 1000, 
+  max: 30, 
+  message: 'Too many lobby creations, please try again later.',
+  standardHeaders: true,
+  legacyHeaders: false,
+});
+
+const joinLobbyRateLimit = rateLimit({
+  windowMs: 60 * 60 * 1000, 
+  max: 100, 
+  message: 'Too many lobby joins, please try again later.',
+  standardHeaders: true,
+  legacyHeaders: false,
+});
+
+const leaveLobbyRateLimit = rateLimit({
+  windowMs: 60 * 60 * 1000, 
+  max: 100, 
+  message: 'Too many lobby leaves, please try again later.',
+  standardHeaders: true,
+  legacyHeaders: false,
+});
+
 @controller('/lobbies')
 export class Lobbies {
   constructor(
@@ -59,7 +84,7 @@ export class Lobbies {
     example: 'POST /api/lobbies',
     requiresAuth: true,
   })
-  @httpPost('/', LoggedCheck.middleware)
+  @httpPost('/', LoggedCheck.middleware, createLobbyRateLimit)
   public async createLobby(req: AuthenticatedRequest, res: Response) {
     try {
       const lobbyId = v4();
@@ -179,7 +204,7 @@ export class Lobbies {
     example: 'POST /api/lobbies/123/join',
     requiresAuth: true,
   })
-  @httpPost('/:lobbyId/join', LoggedCheck.middleware)
+  @httpPost('/:lobbyId/join', LoggedCheck.middleware, joinLobbyRateLimit)
   public async joinLobby(req: AuthenticatedRequest, res: Response) {
     if (!(await validateOr400(lobbyIdParamSchema, req.params, res))) {
       await this.createLog(req, 'joinLobby', 'lobbies', 400, req.user.user_id);
@@ -205,7 +230,7 @@ export class Lobbies {
     example: 'POST /api/lobbies/123/leave',
     requiresAuth: true,
   })
-  @httpPost('/:lobbyId/leave', LoggedCheck.middleware)
+  @httpPost('/:lobbyId/leave', LoggedCheck.middleware, leaveLobbyRateLimit)
   public async leaveLobby(req: AuthenticatedRequest, res: Response) {
     if (!(await validateOr400(lobbyIdParamSchema, req.params, res))) {
       await this.createLog(req, 'leaveLobby', 'lobbies', 400, req.user.user_id);
@@ -221,3 +246,5 @@ export class Lobbies {
     }
   }
 }
+
+