relayer rate limiting

polymorpher · Jul 6, 2021 · d5310f2 · d5310f2
1 parent 27dfdaf
commit d5310f2
Show file tree

Hide file tree

Showing 4 changed files with 53 additions and 8 deletions.
diff --git a/code/relayer/app.js b/code/relayer/app.js
@@ -1,5 +1,7 @@
 require('dotenv').config()
 const createError = require('http-errors')
+const rateLimit = require('express-rate-limit')
+const Fingerprint = require('express-fingerprint')
 const express = require('express')
 const path = require('path')
 const cookieParser = require('cookie-parser')
@@ -46,6 +48,14 @@ if (config.https.only) {
 }
 httpsServer = https.createServer(httpsOptions, app)
 
+app.use(Fingerprint({
+  parameters: [
+    Fingerprint.useragent,
+    Fingerprint.acceptHeaders,
+    Fingerprint.geoip,
+  ]
+}))
+
 app.use(bodyParser.json({
   verify: function (req, _res, buf) {
     req.rawBody = buf
@@ -75,7 +85,7 @@ if (config.corsOrigins) {
   })
 }
 
-app.use(express.static(path.join(__dirname, 'public')))
+app.use(express.static(path.join(__dirname, 'public')), rateLimit({ windowMs: 1000 * 60, max: 6 }))
 app.options('*', async (_req, res) => res.end())
 app.use('/', _index)
 

diff --git a/code/relayer/package.json b/code/relayer/package.json
@@ -19,6 +19,7 @@
     "dotenv": "^10.0.0",
     "express": "^4.17.1",
     "express-fingerprint": "^1.2.2",
+    "express-rate-limit": "^5.3.0",
     "express-slow-down": "^1.4.0",
     "http-errors": "^1.8.0",
     "http-status-codes": "^2.1.4",

diff --git a/code/relayer/routes/index.js b/code/relayer/routes/index.js
@@ -5,6 +5,7 @@ const router = express.Router()
 const { StatusCodes } = require('http-status-codes')
 const blockchain = require('../blockchain')
 const BN = require('bn.js')
+const rateLimit = require('express-rate-limit')
 
 const checkParams = (params, res) => {
   params = mapValues(params, e => e === undefined ? null : e)
@@ -34,7 +35,35 @@ const parseError = (ex) => {
   return { success: false, code: StatusCodes.INTERNAL_SERVER_ERROR, error }
 }
 
-router.get('/health', async (req, res) => {
+const generalLimiter = (args) => rateLimit({
+  windowMs: 1000 * 60,
+  max: 6,
+  keyGenerator: req => req.fingerprint?.hash || '',
+  ...args,
+
+})
+
+const walletAddressLimiter = (args) => rateLimit({
+  windowMs: 1000 * 60,
+  keyGenerator: req => req.body.address || '',
+  ...args,
+
+})
+
+const rootHashLimiter = args => rateLimit({
+  windowMs: 1000 * 60,
+  keyGenerator: req => req.body.root || '',
+  ...args,
+})
+
+const globalLimiter = args => rateLimit({
+  windowMs: 1000 * 60,
+  keyGenerator: req => '',
+  ...args,
+})
+
+router.get('/health', generalLimiter(), async (req, res) => {
+  console.log(req.fingerprint)
   res.send('OK').end()
 })
 
@@ -58,7 +87,7 @@ router.use((req, res, next) => {
 
 // TODO: rate limiting + fingerprinting + delay with backoff
 
-router.post('/new', async (req, res) => {
+router.post('/new', rootHashLimiter({ max: 6 }), generalLimiter({ max: 1 }), globalLimiter({ max: 250 }), async (req, res) => {
   let { root, height, interval, t0, lifespan, slotSize, lastResortAddress, dailyLimit } = req.body
   // root is hex string, 32 bytes
   height = parseInt(height)
@@ -87,7 +116,7 @@ router.post('/new', async (req, res) => {
   }
 })
 
-router.post('/commit', async (req, res) => {
+router.post('/commit', generalLimiter({ max: 30 }), walletAddressLimiter({ max: 30 }), async (req, res) => {
   let { hash, address } = req.body
   if (config.debug || config.verbose) {
     console.log(`[/commit] `, { hash, address })
@@ -109,7 +138,7 @@ router.post('/commit', async (req, res) => {
   }
 })
 
-router.post('/reveal/transfer', async (req, res) => {
+router.post('/reveal/transfer', generalLimiter({ max: 30 }), walletAddressLimiter({ max: 30 }), async (req, res) => {
   let { neighbors, index, eotp, dest, amount, address } = req.body
   if (!checkParams({ neighbors, index, eotp, dest, amount, address }, res)) {
     return
@@ -126,7 +155,7 @@ router.post('/reveal/transfer', async (req, res) => {
   }
 })
 
-router.post('/reveal/recovery', async (req, res) => {
+router.post('/reveal/recovery', generalLimiter({ max: 30 }), walletAddressLimiter({ max: 30 }), async (req, res) => {
   let { neighbors, index, eotp, address } = req.body
   if (!checkParams({ neighbors, index, eotp, address }, res)) {
     return
@@ -143,7 +172,7 @@ router.post('/reveal/recovery', async (req, res) => {
   }
 })
 
-router.post('/reveal/set-recovery-address', async (req, res) => {
+router.post('/reveal/set-recovery-address', generalLimiter({ max: 30 }), walletAddressLimiter({ max: 30 }), async (req, res) => {
   let { neighbors, index, eotp, address, lastResortAddress } = req.body
   if (!checkParams({ neighbors, index, eotp, address, lastResortAddress }, res)) {
     return
@@ -160,7 +189,7 @@ router.post('/reveal/set-recovery-address', async (req, res) => {
   }
 })
 
-router.post('/retire', async (req, res) => {
+router.post('/retire', generalLimiter({ max: 6 }), walletAddressLimiter({ max: 6 }), async (req, res) => {
   let { address } = req.body
   if (!checkParams({ address }, res)) {
     return

diff --git a/code/relayer/yarn.lock b/code/relayer/yarn.lock
@@ -2901,6 +2901,11 @@ express-fingerprint@^1.2.2:
     traverse "^0.6.6"
     useragent "^2.3.0"
 
+express-rate-limit@^5.3.0:
+  version "5.3.0"
+  resolved "https://registry.yarnpkg.com/express-rate-limit/-/express-rate-limit-5.3.0.tgz#e7b9d3c2e09ece6e0406a869b2ce00d03fe48aea"
+  integrity sha512-qJhfEgCnmteSeZAeuOKQ2WEIFTX5ajrzE0xS6gCOBCoRQcU+xEzQmgYQQTpzCcqUAAzTEtu4YEih4pnLfvNtew==
+
 express-slow-down@^1.4.0:
   version "1.4.0"
   resolved "https://registry.yarnpkg.com/express-slow-down/-/express-slow-down-1.4.0.tgz#89e0aef6c3bb3602b70f06e0824889bd2362cc21"