✨ Add auth support for API key pair

Author: AnandChowdhary

src/config.ts

@@ -17,7 +17,13 @@ export const RATE_LIMIT_TIME = process.env.RATE_LIMIT_TIME
   : 60000; // 1 minute
 export const RATE_LIMIT_MAX = process.env.RATE_LIMIT_MAX
   ? parseInt(process.env.RATE_LIMIT_MAX)
-  : 200; // Max 200 requests/minute from an IP
+  : 300; // Max 300 requests/minute from an IP
+export const PUBLIC_RATE_LIMIT_TIME = process.env.PUBLIC_RATE_LIMIT_TIME
+  ? parseInt(process.env.PUBLIC_RATE_LIMIT_TIME)
+  : 60000; // 1 minute
+export const PUBLIC_RATE_LIMIT_MAX = process.env.PUBLIC_RATE_LIMIT_MAX
+  ? parseInt(process.env.PUBLIC_RATE_LIMIT_MAX)
+  : 60; // Max 60 requests/minute from an IP
 export const SPEED_LIMIT_TIME = process.env.SPEED_LIMIT_TIME
   ? parseInt(process.env.SPEED_LIMIT_TIME)
   : 600000; // 10 minutes

src/crud/user.ts

@@ -211,6 +211,19 @@ export const getApiKey = async (apiKey: string) => {
   ))[0];
 };
 
+/**
+ * Get an API key/secret
+ */
+export const getApiKeySecret = async (apiKey: string, secretKey: string) => {
+  deleteItemFromCache(CacheCategories.API_KEY, apiKey);
+  return (<ApiKey[]>(
+    await query(
+      "SELECT * FROM `api-keys` WHERE apiKey = ? AND secretKey = ? LIMIT 1",
+      [apiKey, secretKey]
+    )
+  ))[0];
+};
+
 /**
  * Create an API key
  */

src/helpers/middleware.ts

@@ -12,8 +12,11 @@ import {
   RATE_LIMIT_TIME,
   SPEED_LIMIT_DELAY,
   SPEED_LIMIT_COUNT,
-  SPEED_LIMIT_TIME
+  SPEED_LIMIT_TIME,
+  PUBLIC_RATE_LIMIT_TIME,
+  PUBLIC_RATE_LIMIT_MAX
 } from "../config";
+import { getApiKey, getApiKeySecret } from "../crud/user";
 const store = new Brute.MemoryStore();
 const bruteForce = new Brute(store, {
   freeRetries: BRUTE_FREE_RETRIES,
@@ -23,6 +26,10 @@ const rateLimiter = RateLimit({
   windowMs: RATE_LIMIT_TIME,
   max: RATE_LIMIT_MAX
 });
+const publicRateLimiter = RateLimit({
+  windowMs: PUBLIC_RATE_LIMIT_TIME,
+  max: PUBLIC_RATE_LIMIT_MAX
+});
 const speedLimiter = slowDown({
   windowMs: SPEED_LIMIT_TIME,
   delayAfter: SPEED_LIMIT_COUNT,
@@ -80,10 +87,23 @@ export const authHandler = async (
     return res.json(error);
   }
   if (token.startsWith("Bearer ")) token = token.replace("Bearer ", "");
+  let localsToken;
+  try {
+    localsToken = await verifyToken(token, Tokens.LOGIN);
+  } catch (e) {}
+  const secretKey = req.get("X-Api-Secret");
   try {
-    res.locals.token = await verifyToken(token, Tokens.LOGIN);
+    if (secretKey) {
+      const apiKey = await getApiKeySecret(token, secretKey);
+      if (apiKey.userId) {
+        localsToken = { id: apiKey.userId };
+      }
+    }
+  } catch (e) {}
+  if (localsToken) {
+    res.locals.token = localsToken;
     next();
-  } catch (e) {
+  } else {
     const error = safeError(ErrorCode.INVALID_TOKEN);
     res.status(error.status);
     return res.json(error);
@@ -98,9 +118,36 @@ export const bruteForceHandler = bruteForce.prevent;
 /**
  * Rate limiting middleware
  */
-export const rateLimitHandler = rateLimiter;
+export const rateLimitHandler = async (
+  req: Request,
+  res: Response,
+  next: NextFunction
+) => {
+  const apiKey = req.get("X-Api-Key");
+  if (apiKey) {
+    const apiKeyDetails = await getApiKey(apiKey);
+    if (apiKeyDetails.userId) {
+      return rateLimiter(req, res, next);
+    }
+  }
+  return publicRateLimiter(req, res, next);
+};
 
 /**
  * Speed limiting middleware
  */
-export const speedLimitHandler = speedLimiter;
+export const speedLimitHandler = async (
+  req: Request,
+  res: Response,
+  next: NextFunction
+) => {
+  const apiKey = req.get("X-Api-Key");
+  if (apiKey) {
+    const apiKeyDetails = await getApiKey(apiKey);
+    if (apiKeyDetails.userId) {
+      // Don't slow down requests if an API key is used
+      return next();
+    }
+  }
+  return speedLimiter(req, res, next);
+};