From dcd33803c185045b8a743a3b1125457e5cfe955c Mon Sep 17 00:00:00 2001
From: dumbmoron
Date: Fri, 4 Oct 2024 17:03:57 +0000
Subject: [PATCH] api/core: generate JWT rate limiting key in auth handler
---
 api/src/core/api.js | 9 ++-------
 1 file changed, 2 insertions(+), 7 deletions(-)
diff --git a/api/src/core/api.js b/api/src/core/api.js
index 72a9502f..71c182f0 100644
--- a/api/src/core/api.js
+++ b/api/src/core/api.js
@@ -81,12 +81,7 @@ export const runAPI = (express, app, __dirname) => {
 max: env.rateLimitMax,
 standardHeaders: true,
 legacyHeaders: false,
- keyGenerator: req => {
- if (req.authorized) {
- return generateHmac(req.header("Authorization"), ipSalt);
- }
- return generateHmac(getIP(req), ipSalt);
- },
+ keyGenerator: req => req.rateLimitKey || generateHmac(getIP(req), ipSalt),
 handler: handleRateExceeded
 })

@@ -147,7 +142,7 @@ export const runAPI = (express, app, __dirname) => {
 return fail(res, "error.api.auth.jwt.invalid");
 }

- req.authorized = true;
+ req.rateLimitKey = generateHmac(req.header("Authorization"), ipSalt);
 } catch {
 return fail(res, "error.api.generic");
 }
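Review bot: The one-line `keyGenerator` now depends on an undocumented contract: `req.rateLimitKey` must be assigned only by the auth handler, only after the JWT has verified, and that handler must run before this limiter on every route the limiter covers. If the limiter is ever mounted ahead of the auth middleware, authenticated requests silently fall back to the per-IP bucket, and any other middleware that assigns the property decides the bucket instead. I would state this above the option, e.g. `// req.rateLimitKey is set by the JWT auth handler after verification; requests without it are keyed by HMAC(IP)`. The middleware order and the rest of runAPI are outside this hunk.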
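Review bot: The key assigned here is an HMAC of the raw `Authorization` header rather than of the verified token, so the rate-limit bucket depends on the exact header bytes. If the header parsing above this hunk tolerates any variation (scheme casing, extra whitespace), one valid token could map to several buckets. Keying on the parsed value avoids that, e.g. `req.rateLimitKey = generateHmac(token, ipSalt);`, where `token` stands for whichever variable holds the verified JWT (not visible here). The commit also stops setting `req.authorized`, so any other reader of that flag in the file should be checked. The enclosing handler begins and ends outside the hunk.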