From 2465189fb1f635a91b7ccce1d167951c6cb34e09 Mon Sep 17 00:00:00 2001
From: Phillip Thelen
Date: Thu, 18 Jul 2024 18:49:58 +0200
Subject: [PATCH] Improve rate limiting

---
 website/server/middlewares/rateLimiter.js | 11 ++++++++++-
 1 file changed, 10 insertions(+), 1 deletion(-)

diff --git a/website/server/middlewares/rateLimiter.js b/website/server/middlewares/rateLimiter.js
index e62f85ff92..e085eac65e 100644
--- a/website/server/middlewares/rateLimiter.js
+++ b/website/server/middlewares/rateLimiter.js
@@ -22,6 +22,8 @@ const REDIS_HOST = nconf.get('REDIS_HOST');
 const REDIS_PASSWORD = nconf.get('REDIS_PASSWORD');
 const REDIS_PORT = nconf.get('REDIS_PORT');
 const LIVELINESS_PROBE_KEY = nconf.get('LIVELINESS_PROBE_KEY');
+const REGISTRATION_COST = nconf.get('REGISTRATION_RATE_LIMIT_COST') || 5;
+const IP_RATE_LIMIT_COST = nconf.get('IP_RATE_LIMIT_COST') || 5;
 
 let redisClient;
 let rateLimiter;
@@ -76,7 +78,14 @@ export default function rateLimiterMiddleware (req, res, next) {
   const userId = req.header('x-api-user');
 
-  return rateLimiter.consume(userId || req.ip)
+  let cost = 1;
+  if (req.path === '/api/v4/user/auth/local/register' || req.path === '/api/v3/user/auth/local/register') {
+    cost = REGISTRATION_COST;
+  } else if (!userId) {
+    cost = IP_RATE_LIMIT_COST;
+  }
+
+  return rateLimiter.consume(userId || req.ip, cost)
     .then(rateLimiterRes => {
       setResponseHeaders(res, rateLimiterRes);
       return next();
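Review bot: The two new constants in the first hunk take whatever `nconf.get` returns and only fall back on a falsy value, so a misconfigured setting (a non-numeric string, or — if nconf hands back environment values as strings, which it does unless value parsing is enabled — any string at all) is passed straight through as the cost to `rateLimiter.consume`. Coercing and validating at load time keeps the fallback explicit: `const REGISTRATION_COST = Number(nconf.get('REGISTRATION_RATE_LIMIT_COST')) || 5;` and `const IP_RATE_LIMIT_COST = Number(nconf.get('IP_RATE_LIMIT_COST')) || 5;` — `Number()` turns an unparsable value into `NaN`, which `||` then replaces with the default, while a numeric string becomes a real number. Consider also naming the first constant `REGISTRATION_RATE_LIMIT_COST` so it matches both its config key and its sibling. The second hunk, where these constants are consumed, runs past the end of this chunk, so it is not reviewed here.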