admin/podcastdistributiona
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
Files
main
podcastdistributiona/lib/ratelimit/index.ts
T
Leon Serfaty 51c541ad22 Security & robustness hardening pass 
Cross-cutting input-validation, isolation, and DoS-resistance fixes across
the app, API, billing, queue, and infra layers.

- Runtime validation (zod) for client-supplied admin actions (role/plan/
  limits), series generation index, and all pg-boss queue payloads
- Auth: require email verification before sign-in; reject weak/placeholder/
  short BETTER_AUTH_SECRET in production
- Billing: sanitize Stripe/PayPal errors (log server-side, generic to client);
  race-safe subscription upsert; only count "processed" webhook events as
  handled; verify org membership in getEffectivePlan to block plan escalation
- Series generation: reserve usage up front and refund on failure; bill the
  owning org, not the caller's active org
- Injection defenses: HTML-escape user fields in emails, strip CR/LF from
  subject/recipient, validate ElevenLabs voiceId before URL interpolation
- Media routes: stream off disk instead of buffering whole files; rate-limit
  anonymous public audio/cover endpoints by client IP
2026-06-20 20:59:03 -04:00

91 lines
3.3 KiB
TypeScript
Raw Permalink Blame History

import { Pool } from "pg";
import {
RateLimiterMemory,
RateLimiterPostgres,
type RateLimiterAbstract,
} from "rate-limiter-flexible";
/**
* Backend selection (default = in-memory):
*
* - DEFAULT: RateLimiterMemory — per-process counters. Fine for a single
* instance (the Plesk VPS). No DB connection is ever opened in this mode.
* - OPT-IN: set RATE_LIMIT_BACKEND="postgres" *and* provide DATABASE_URL to
* share limits across multiple instances via RateLimiterPostgres. The
* limiter table ("rate_limits") is created automatically by
* rate-limiter-flexible on first use, so no migration is required.
*
* The pg Pool is created lazily on first consume — importing this module never
* connects to the database, so memory mode stays connection-free.
*/
const usePostgres =
process.env.RATE_LIMIT_BACKEND === "postgres" && !!process.env.DATABASE_URL;
const limiters = new Map<string, RateLimiterAbstract>();
// Lazily-created shared pg Pool. Constructing it does NOT open a connection
// (pg connects on first query), and it is only built when a Postgres-backed
// limiter is first needed — so memory mode never creates a pool.
let pgPool: Pool | null = null;
function getPool(): Pool {
if (!pgPool) {
pgPool = new Pool({ connectionString: process.env.DATABASE_URL });
}
return pgPool;
}
function getLimiter(name: string, points: number, durationSec: number): RateLimiterAbstract {
let limiter = limiters.get(name);
if (!limiter) {
if (usePostgres) {
// The constructor opens the (lazy) pool and ensures the backing table
// exists; ready before the first consume() thanks to the insurance limiter.
limiter = new RateLimiterPostgres({
storeClient: getPool(),
tableName: "rate_limits",
keyPrefix: name,
points,
duration: durationSec,
// If Postgres is briefly unreachable, degrade to per-process counting
// instead of failing the request outright.
insuranceLimiter: new RateLimiterMemory({ points, duration: durationSec }),
});
} else {
limiter = new RateLimiterMemory({ points, duration: durationSec });
}
limiters.set(name, limiter);
}
return limiter;
}
export interface RateLimitResult {
ok: boolean;
retryAfterSec?: number;
}
/** Consume one unit for `key` under a named bucket; returns ok=false when throttled. */
export async function rateLimit(
bucket: string,
key: string,
opts: { points: number; durationSec: number }
): Promise<RateLimitResult> {
const limiter = getLimiter(bucket, opts.points, opts.durationSec);
try {
await limiter.consume(key);
return { ok: true };
} catch (res) {
const retryAfterSec = Math.ceil((res as { msBeforeNext?: number }).msBeforeNext ?? 1000) / 1000;
return { ok: false, retryAfterSec: Math.ceil(retryAfterSec) };
}
}
// Common presets.
export const LIMITS = {
generation: { points: 10, durationSec: 60 }, // 10 generations / min / user
repurpose: { points: 15, durationSec: 60 },
api: { points: 60, durationSec: 60 }, // 60 API calls / min / key (writes)
read: { points: 120, durationSec: 60 }, // 120 read/list calls / min / key
stream: { points: 30, durationSec: 60 }, // SSE (re)connects / min / user
publicMedia: { points: 120, durationSec: 60 }, // anon audio/cover (Range) reqs / min / IP
} as const;
Reference in New Issue View Git Blame Copy Permalink