From 418602ca87d9a9e42b63162a9a5b1d14fa41d8d0 Mon Sep 17 00:00:00 2001
From: dumbmoron
Date: Fri, 4 Oct 2024 17:02:00 +0000
Subject: [PATCH] api/core: add rate limiter for session

---
 api/src/core/api.js | 11 ++++++++++-
 1 file changed, 10 insertions(+), 1 deletion(-)

diff --git a/api/src/core/api.js b/api/src/core/api.js
index 80da5bcc..72a9502f 100644
--- a/api/src/core/api.js
+++ b/api/src/core/api.js
@@ -67,6 +67,15 @@ export const runAPI = (express, app, __dirname) => {
 return res.status(status).json(body);
 };
 
+ const sessionLimiter = rateLimit({
+ windowMs: 60000,
+ max: 10,
+ standardHeaders: true,
+ legacyHeaders: false,
+ keyGenerator: req => generateHmac(getIP(req), ipSalt),
+ handler: handleRateExceeded
+ });
+
 const apiLimiter = rateLimit({
 windowMs: env.rateLimitWindow * 1000,
 max: env.rateLimitMax,
@@ -159,7 +168,7 @@ export const runAPI = (express, app, __dirname) => {
 next();
 });
 
- app.post("/session", async (req, res) => {
+ app.post("/session", sessionLimiter, async (req, res) => {
 if (!env.sessionEnabled) {
 return fail(res, "error.api.auth.not_configured")
 }
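Review bot: The new sessionLimiter hard-codes `windowMs: 60000` and `max: 10` while the neighbouring apiLimiter in the same hunk reads `env.rateLimitWindow * 1000` and `env.rateLimitMax`, so the limit on the token-issuing `/session` endpoint cannot be tuned per deployment and the chosen numbers carry no rationale. Either source them from the env module the same way (with names of your choosing, e.g. `windowMs: ENV_SESSION_WINDOW_PLACEHOLDER * 1000,` / `max: ENV_SESSION_MAX_PLACEHOLDER,`, since the page does not show the env schema) or add a comment above the block such as `// 10 session requests per minute per client; deliberately stricter than the general API limiter because this endpoint mints credentials`. Note also that both limiters key on `generateHmac(getIP(req), ipSalt)`, so the per-client isolation of this bucket is only as good as getIP's handling of forwarded headers behind a reverse proxy, which is outside the hunk. The enclosing runAPI body starts and ends outside both hunks.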