API v3 Rate Limiter (#12117)

* simplify ip address management by using the trust proxy express option

* add setupExpress file

* fix redirects middleware tests

* fix lint

* short circuit the ip blocking middleware

* basic implementation with ip based limiting

* improve logging

* upgrade apidoc

* apidoc: add introduction section

* fix lint

* fix tests

* fix lint

* add unit tests for rate limiter

* do not send retry-after header when points are available

* automatically fix lint

* fix more lint issues

* use userId as key for rate limit when available
Matteo Pagliazzi
2020-07-17 16:13:51 +02:00
parent e3bcc48481
commit e7c8833c9a
15 changed files with 332 additions and 61 deletions

@@ -4,6 +4,8 @@ import url from 'url';
const IS_PROD = nconf.get('IS_PROD');
const IGNORE_REDIRECT = nconf.get('IGNORE_REDIRECT') === 'true';
const BASE_URL = nconf.get('BASE_URL');
const HTTPS_BASE_URL = BASE_URL.indexOf('https') === 0;
// A secret key that if passed as req.query.skipSSLCheck allows to skip
// the redirects to SSL, used for health checks from the load balancer
const SKIP_SSL_CHECK_KEY = nconf.get('SKIP_SSL_CHECK_KEY');
@@ -12,10 +14,9 @@ const BASE_URL_HOST = url.parse(BASE_URL).hostname;
function isHTTP (req) {
return ( // eslint-disable-line no-extra-parens
req.header('x-forwarded-proto')
&& req.header('x-forwarded-proto') === 'http'
req.protocol === 'http'
&& IS_PROD
&& BASE_URL.indexOf('https') === 0
&& HTTPS_BASE_URL === true
);
}
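Review bot: `isHTTP` now depends on `req.protocol`, which reflects `X-Forwarded-Proto` only when Express's `trust proxy` setting is enabled; that setting is not visible in this file, so the dependency should be documented above the function. Without it, behind a TLS-terminating load balancer `req.protocol` would presumably always be `'http'` and production requests would redirect in a loop. An over-broad `trust proxy` value would instead let any client supply the forwarded headers, which also matters for the IP-based limiting the commit message describes. I would add a comment such as `// req.protocol honours X-Forwarded-Proto only when 'trust proxy' is enabled in the Express setup; keep that setting scoped to the load balancer`. As a minor style point, `&& HTTPS_BASE_URL === true` can be `&& HTTPS_BASE_URL`, since the constant is already a boolean.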