Add more rate limits

Chocobozzz · Jul 26, 2023 · 97583d0 · 97583d0
1 parent 9901c8d
commit 97583d0
Show file tree

Hide file tree

Showing 23 changed files with 216 additions and 37 deletions.
diff --git a/config/default.yaml b/config/default.yaml
@@ -36,6 +36,26 @@ rates_limit:
     # 10 attempts in 10 min
     window: 10 minutes
     max: 10
+  plugins:
+    # 500 attempts in 10 seconds (we also serve plugin static files)
+    window: 10 seconds
+    max: 500
+  well_known:
+    # 200 attempts in 10 seconds
+    window: 10 seconds
+    max: 200
+  feeds:
+    # 50 attempts in 10 seconds
+    window: 10 seconds
+    max: 50
+  activity_pub:
+    # 500 attempts in 10 seconds (we can have many AP requests)
+    window: 10 seconds
+    max: 500
+  client: # HTML files generated by PeerTube
+    # 500 attempts in 10 seconds (to not break crawlers)
+    window: 10 seconds
+    max: 500
 
 oauth2:
   token_lifetime:

diff --git a/config/production.yaml.example b/config/production.yaml.example
@@ -34,6 +34,26 @@ rates_limit:
     # 10 attempts in 10 min
     window: 10 minutes
     max: 10
+  plugins:
+    # 500 attempts in 10 seconds (we also serve plugin static files)
+    window: 10 seconds
+    max: 500
+  well_known:
+    # 200 attempts in 10 seconds
+    window: 10 seconds
+    max: 200
+  feeds:
+    # 50 attempts in 10 seconds
+    window: 10 seconds
+    max: 50
+  activity_pub:
+    # 500 attempts in 10 seconds (we can have many AP requests)
+    window: 10 seconds
+    max: 500
+  client: # HTML files generated by PeerTube
+    # 500 attempts in 10 seconds (to not break crawlers)
+    window: 10 seconds
+    max: 500
 
 oauth2:
   token_lifetime:

diff --git a/server.ts b/server.ts
@@ -115,7 +115,7 @@ import {
   pluginsRouter,
   trackerRouter,
   createWebsocketTrackerServer,
-  botsRouter,
+  sitemapRouter,
   downloadRouter
 } from './server/controllers'
 import { advertiseDoNotTrack } from './server/middlewares/dnt'
@@ -222,9 +222,7 @@ OpenTelemetryMetrics.Instance.init(app)
 
 // ----------- Views, routes and static files -----------
 
-// API
-const apiRoute = '/api/' + API_VERSION
-app.use(apiRoute, apiRouter)
+app.use('/api/' + API_VERSION, apiRouter)
 
 // Services (oembed...)
 app.use('/services', servicesRouter)
@@ -235,7 +233,7 @@ app.use('/', pluginsRouter)
 app.use('/', activityPubRouter)
 app.use('/', feedsRouter)
 app.use('/', trackerRouter)
-app.use('/', botsRouter)
+app.use('/', sitemapRouter)
 
 // Static files
 app.use('/', staticRouter)

diff --git a/server/controllers/activitypub/client.ts b/server/controllers/activitypub/client.ts
@@ -19,6 +19,7 @@ import {
   getLocalVideoSharesActivityPubUrl
 } from '../../lib/activitypub/url'
 import {
+  activityPubRateLimiter,
   asyncMiddleware,
   ensureIsLocalChannel,
   executeIfActivityPub,
@@ -47,32 +48,38 @@ activityPubClientRouter.use(cors())
 activityPubClientRouter.get(
   [ '/accounts?/:name', '/accounts?/:name/video-channels', '/a/:name', '/a/:name/video-channels' ],
   executeIfActivityPub,
+  activityPubRateLimiter,
   asyncMiddleware(localAccountValidator),
   asyncMiddleware(accountController)
 )
 activityPubClientRouter.get('/accounts?/:name/followers',
   executeIfActivityPub,
+  activityPubRateLimiter,
   asyncMiddleware(localAccountValidator),
   asyncMiddleware(accountFollowersController)
 )
 activityPubClientRouter.get('/accounts?/:name/following',
   executeIfActivityPub,
+  activityPubRateLimiter,
   asyncMiddleware(localAccountValidator),
   asyncMiddleware(accountFollowingController)
 )
 activityPubClientRouter.get('/accounts?/:name/playlists',
   executeIfActivityPub,
+  activityPubRateLimiter,
   asyncMiddleware(localAccountValidator),
   asyncMiddleware(accountPlaylistsController)
 )
 activityPubClientRouter.get('/accounts?/:name/likes/:videoId',
   executeIfActivityPub,
+  activityPubRateLimiter,
   cacheRoute(ROUTE_CACHE_LIFETIME.ACTIVITY_PUB.VIDEOS),
   asyncMiddleware(getAccountVideoRateValidatorFactory('like')),
   asyncMiddleware(getAccountVideoRateFactory('like'))
 )
 activityPubClientRouter.get('/accounts?/:name/dislikes/:videoId',
   executeIfActivityPub,
+  activityPubRateLimiter,
   cacheRoute(ROUTE_CACHE_LIFETIME.ACTIVITY_PUB.VIDEOS),
   asyncMiddleware(getAccountVideoRateValidatorFactory('dislike')),
   asyncMiddleware(getAccountVideoRateFactory('dislike'))
@@ -81,102 +88,120 @@ activityPubClientRouter.get('/accounts?/:name/dislikes/:videoId',
 activityPubClientRouter.get(
   [ '/videos/watch/:id', '/w/:id' ],
   executeIfActivityPub,
+  activityPubRateLimiter,
   cacheRoute(ROUTE_CACHE_LIFETIME.ACTIVITY_PUB.VIDEOS),
   asyncMiddleware(videosCustomGetValidator('all')),
   asyncMiddleware(videoController)
 )
 activityPubClientRouter.get('/videos/watch/:id/activity',
   executeIfActivityPub,
+  activityPubRateLimiter,
   asyncMiddleware(videosCustomGetValidator('all')),
   asyncMiddleware(videoController)
 )
 activityPubClientRouter.get('/videos/watch/:id/announces',
   executeIfActivityPub,
+  activityPubRateLimiter,
   asyncMiddleware(videosCustomGetValidator('only-immutable-attributes')),
   asyncMiddleware(videoAnnouncesController)
 )
 activityPubClientRouter.get('/videos/watch/:id/announces/:actorId',
   executeIfActivityPub,
+  activityPubRateLimiter,
   asyncMiddleware(videosShareValidator),
   asyncMiddleware(videoAnnounceController)
 )
 activityPubClientRouter.get('/videos/watch/:id/likes',
   executeIfActivityPub,
+  activityPubRateLimiter,
   asyncMiddleware(videosCustomGetValidator('only-immutable-attributes')),
   asyncMiddleware(videoLikesController)
 )
 activityPubClientRouter.get('/videos/watch/:id/dislikes',
   executeIfActivityPub,
+  activityPubRateLimiter,
   asyncMiddleware(videosCustomGetValidator('only-immutable-attributes')),
   asyncMiddleware(videoDislikesController)
 )
 activityPubClientRouter.get('/videos/watch/:id/comments',
   executeIfActivityPub,
+  activityPubRateLimiter,
   asyncMiddleware(videosCustomGetValidator('only-immutable-attributes')),
   asyncMiddleware(videoCommentsController)
 )
 activityPubClientRouter.get('/videos/watch/:videoId/comments/:commentId',
   executeIfActivityPub,
+  activityPubRateLimiter,
   asyncMiddleware(videoCommentGetValidator),
   asyncMiddleware(videoCommentController)
 )
 activityPubClientRouter.get('/videos/watch/:videoId/comments/:commentId/activity',
   executeIfActivityPub,
+  activityPubRateLimiter,
   asyncMiddleware(videoCommentGetValidator),
   asyncMiddleware(videoCommentController)
 )
 
 activityPubClientRouter.get(
   [ '/video-channels/:nameWithHost', '/video-channels/:nameWithHost/videos', '/c/:nameWithHost', '/c/:nameWithHost/videos' ],
   executeIfActivityPub,
+  activityPubRateLimiter,
   asyncMiddleware(videoChannelsNameWithHostValidator),
   ensureIsLocalChannel,
   asyncMiddleware(videoChannelController)
 )
 activityPubClientRouter.get('/video-channels/:nameWithHost/followers',
   executeIfActivityPub,
+  activityPubRateLimiter,
   asyncMiddleware(videoChannelsNameWithHostValidator),
   ensureIsLocalChannel,
   asyncMiddleware(videoChannelFollowersController)
 )
 activityPubClientRouter.get('/video-channels/:nameWithHost/following',
   executeIfActivityPub,
+  activityPubRateLimiter,
   asyncMiddleware(videoChannelsNameWithHostValidator),
   ensureIsLocalChannel,
   asyncMiddleware(videoChannelFollowingController)
 )
 activityPubClientRouter.get('/video-channels/:nameWithHost/playlists',
   executeIfActivityPub,
+  activityPubRateLimiter,
   asyncMiddleware(videoChannelsNameWithHostValidator),
   ensureIsLocalChannel,
   asyncMiddleware(videoChannelPlaylistsController)
 )
 
 activityPubClientRouter.get('/redundancy/videos/:videoId/:resolution([0-9]+)(-:fps([0-9]+))?',
   executeIfActivityPub,
+  activityPubRateLimiter,
   asyncMiddleware(videoFileRedundancyGetValidator),
   asyncMiddleware(videoRedundancyController)
 )
 activityPubClientRouter.get('/redundancy/streaming-playlists/:streamingPlaylistType/:videoId',
   executeIfActivityPub,
+  activityPubRateLimiter,
   asyncMiddleware(videoPlaylistRedundancyGetValidator),
   asyncMiddleware(videoRedundancyController)
 )
 
 activityPubClientRouter.get(
   [ '/video-playlists/:playlistId', '/videos/watch/playlist/:playlistId', '/w/p/:playlistId' ],
   executeIfActivityPub,
+  activityPubRateLimiter,
   asyncMiddleware(videoPlaylistsGetValidator('all')),
   asyncMiddleware(videoPlaylistController)
 )
 activityPubClientRouter.get('/video-playlists/:playlistId/videos/:playlistElementId',
   executeIfActivityPub,
+  activityPubRateLimiter,
   asyncMiddleware(videoPlaylistElementAPGetValidator),
   asyncMiddleware(videoPlaylistElementController)
 )
 
 activityPubClientRouter.get('/videos/local-viewer/:localViewerId',
   executeIfActivityPub,
+  activityPubRateLimiter,
   asyncMiddleware(getVideoLocalViewerValidator),
   asyncMiddleware(getVideoLocalViewerController)
 )

diff --git a/server/controllers/activitypub/inbox.ts b/server/controllers/activitypub/inbox.ts
@@ -5,6 +5,7 @@ import { HttpStatusCode } from '../../../shared/models/http/http-error-codes'
 import { isActivityValid } from '../../helpers/custom-validators/activitypub/activity'
 import { logger } from '../../helpers/logger'
 import {
+  activityPubRateLimiter,
   asyncMiddleware,
   checkSignature,
   ensureIsLocalChannel,
@@ -17,20 +18,24 @@ import { activityPubValidator } from '../../middlewares/validators/activitypub/a
 const inboxRouter = express.Router()
 
 inboxRouter.post('/inbox',
+  activityPubRateLimiter,
   signatureValidator,
   asyncMiddleware(checkSignature),
   asyncMiddleware(activityPubValidator),
   inboxController
 )
 
 inboxRouter.post('/accounts/:name/inbox',
+  activityPubRateLimiter,
   signatureValidator,
   asyncMiddleware(checkSignature),
   asyncMiddleware(localAccountValidator),
   asyncMiddleware(activityPubValidator),
   inboxController
 )
+
 inboxRouter.post('/video-channels/:nameWithHost/inbox',
+  activityPubRateLimiter,
   signatureValidator,
   asyncMiddleware(checkSignature),
   asyncMiddleware(videoChannelsNameWithHostValidator),

diff --git a/server/controllers/activitypub/index.ts b/server/controllers/activitypub/index.ts
@@ -1,4 +1,5 @@
 import express from 'express'
+
 import { activityPubClientRouter } from './client'
 import { inboxRouter } from './inbox'
 import { outboxRouter } from './outbox'

diff --git a/server/controllers/activitypub/outbox.ts b/server/controllers/activitypub/outbox.ts
@@ -7,20 +7,28 @@ import { VideoPrivacy } from '../../../shared/models/videos'
 import { logger } from '../../helpers/logger'
 import { buildAudience } from '../../lib/activitypub/audience'
 import { buildAnnounceActivity, buildCreateActivity } from '../../lib/activitypub/send'
-import { asyncMiddleware, ensureIsLocalChannel, localAccountValidator, videoChannelsNameWithHostValidator } from '../../middlewares'
+import {
+  activityPubRateLimiter,
+  asyncMiddleware,
+  ensureIsLocalChannel,
+  localAccountValidator,
+  videoChannelsNameWithHostValidator
+} from '../../middlewares'
 import { apPaginationValidator } from '../../middlewares/validators/activitypub'
 import { VideoModel } from '../../models/video/video'
 import { activityPubResponse } from './utils'
 
 const outboxRouter = express.Router()
 
 outboxRouter.get('/accounts/:name/outbox',
+  activityPubRateLimiter,
   apPaginationValidator,
   localAccountValidator,
   asyncMiddleware(outboxController)
 )
 
 outboxRouter.get('/video-channels/:nameWithHost/outbox',
+  activityPubRateLimiter,
   apPaginationValidator,
   asyncMiddleware(videoChannelsNameWithHostValidator),
   ensureIsLocalChannel,