From eb10cdce7622d2bc3015acf3c0c2c2176708e5e8 Mon Sep 17 00:00:00 2001
From: Alex Gleason
Date: Fri, 27 Dec 2024 13:06:32 -0600
Subject: [PATCH 1/4] Stricter timeline rate limits

---
 src/app.ts | 12 ++++++------
 1 file changed, 6 insertions(+), 6 deletions(-)

diff --git a/src/app.ts b/src/app.ts
index 29886c89..b86b2c4a 100644
--- a/src/app.ts
+++ b/src/app.ts
@@ -264,10 +264,10 @@ app.put(
 );
 app.post('/api/v2/media', mediaController);
 
-app.get('/api/v1/timelines/home', requireSigner, homeTimelineController);
-app.get('/api/v1/timelines/public', publicTimelineController);
-app.get('/api/v1/timelines/tag/:hashtag', hashtagTimelineController);
-app.get('/api/v1/timelines/suggested', suggestedTimelineController);
+app.get('/api/v1/timelines/home', rateLimitMiddleware(5, Time.seconds(30)), requireSigner, homeTimelineController);
+app.get('/api/v1/timelines/public', rateLimitMiddleware(5, Time.seconds(30)), publicTimelineController);
+app.get('/api/v1/timelines/tag/:hashtag', rateLimitMiddleware(5, Time.seconds(30)), hashtagTimelineController);
+app.get('/api/v1/timelines/suggested', rateLimitMiddleware(5, Time.seconds(30)), suggestedTimelineController);
 
 app.get('/api/v1/preferences', preferencesController);
 app.get('/api/v1/search', searchController);
@@ -275,7 +275,7 @@ app.get('/api/v2/search', searchController);
 
 app.get('/api/pleroma/frontend_configurations', frontendConfigController);
 
-app.get('/api/v1/trends/statuses', trendingStatusesController);
+app.get('/api/v1/trends/statuses', rateLimitMiddleware(5, Time.seconds(30)), trendingStatusesController);
 app.get('/api/v1/trends/links', trendingLinksController);
 app.get('/api/v1/trends/tags', trendingTagsController);
 app.get('/api/v1/trends', trendingTagsController);
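Review bot: The same policy literal `rateLimitMiddleware(5, Time.seconds(30))` is pasted onto each of the four timeline routes here and again on the trends and notifications routes in the next two hunks, so tuning it means editing six lines in step (the next commit in this series does exactly that and bumps every copy). Naming the policy once, e.g. `const timelineLimit = rateLimitMiddleware(5, Time.seconds(30));`, keeps the routes in sync, but only if `rateLimitMiddleware` keeps no per-instance counter; if each call allocates its own bucket store, sharing one instance would pool the budget across routes, so check the middleware before doing this. A second point worth a comment: the limiter is mounted before `requireSigner`, so it cannot be keyed by the signer and presumably keys on the client address, which behind a reverse proxy only holds if the forwarded-for header is trusted, something this hunk does not show; `// Limiter runs before requireSigner: budget is per client, not per signer.` would record that.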
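Review bot: Only `/api/v1/trends/statuses` receives the limiter while the three sibling trends routes directly below it stay unlimited, and nothing records why. If those are cheaper to serve, a one-line comment above the changed line such as `// Only /trends/statuses is limited: <reason, e.g. the other trends routes are served from cache>` would stop the next reader from treating it as an omission. If it is an omission, the three lines below take the same middleware as the changed line.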
@@ -283,7 +283,7 @@ app.get('/api/v1/trends', trendingTagsController);
 app.get('/api/v1/suggestions', suggestionsV1Controller);
 app.get('/api/v2/suggestions', suggestionsV2Controller);
 
-app.get('/api/v1/notifications', requireSigner, notificationsController);
+app.get('/api/v1/notifications', rateLimitMiddleware(5, Time.seconds(30)), requireSigner, notificationsController);
 app.get('/api/v1/notifications/:id', requireSigner, notificationController);
 app.get('/api/v1/favourites', requireSigner, favouritesController);
 

From a316e920014cde18028e13350bea341045116bba Mon Sep 17 00:00:00 2001
From: Alex Gleason
Date: Fri, 27 Dec 2024 13:15:47 -0600
Subject: [PATCH 2/4] Bump limits slightly, also limit account statuses controller

---
 src/app.ts | 18 +++++++++++-------
 1 file changed, 11 insertions(+), 7 deletions(-)

diff --git a/src/app.ts b/src/app.ts
index b86b2c4a..5e9edee6 100644
--- a/src/app.ts
+++ b/src/app.ts
@@ -231,7 +231,11 @@ app.post('/api/v1/accounts/:pubkey{[0-9a-f]{64}}/follow', requireSigner, followC
 app.post('/api/v1/accounts/:pubkey{[0-9a-f]{64}}/unfollow', requireSigner, unfollowController);
 app.get('/api/v1/accounts/:pubkey{[0-9a-f]{64}}/followers', followersController);
 app.get('/api/v1/accounts/:pubkey{[0-9a-f]{64}}/following', followingController);
-app.get('/api/v1/accounts/:pubkey{[0-9a-f]{64}}/statuses', accountStatusesController);
+app.get(
+  '/api/v1/accounts/:pubkey{[0-9a-f]{64}}/statuses',
+  rateLimitMiddleware(12, Time.seconds(30)),
+  accountStatusesController,
+);
 app.get('/api/v1/accounts/:pubkey{[0-9a-f]{64}}', accountController);
 
 app.get('/api/v1/statuses/:id{[0-9a-f]{64}}/favourited_by', favouritedByController);
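Review bot: `/accounts/:pubkey/statuses` is given 12 requests per 30 seconds while the timelines in the same commit get 8, and neither the code nor the commit message says why the per-account feed is allowed the larger budget. A short comment on the `rateLimitMiddleware(12, Time.seconds(30)),` line, e.g. `// Above the timeline limit: <reason, e.g. clients fetch several profiles per screen>`, with the real rationale filled in, would make the next tuning pass deliberate rather than a guess. Note also that this route has no `requireSigner`, so the budget is necessarily per client rather than per signer, which is worth stating if the middleware's key is not obvious to readers of this file.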
@@ -264,10 +268,10 @@ app.put(
 );
 app.post('/api/v2/media', mediaController);
 
-app.get('/api/v1/timelines/home', rateLimitMiddleware(5, Time.seconds(30)), requireSigner, homeTimelineController);
-app.get('/api/v1/timelines/public', rateLimitMiddleware(5, Time.seconds(30)), publicTimelineController);
-app.get('/api/v1/timelines/tag/:hashtag', rateLimitMiddleware(5, Time.seconds(30)), hashtagTimelineController);
-app.get('/api/v1/timelines/suggested', rateLimitMiddleware(5, Time.seconds(30)), suggestedTimelineController);
+app.get('/api/v1/timelines/home', rateLimitMiddleware(8, Time.seconds(30)), requireSigner, homeTimelineController);
+app.get('/api/v1/timelines/public', rateLimitMiddleware(8, Time.seconds(30)), publicTimelineController);
+app.get('/api/v1/timelines/tag/:hashtag', rateLimitMiddleware(8, Time.seconds(30)), hashtagTimelineController);
+app.get('/api/v1/timelines/suggested', rateLimitMiddleware(8, Time.seconds(30)), suggestedTimelineController);
 
 app.get('/api/v1/preferences', preferencesController);
 app.get('/api/v1/search', searchController);
@@ -275,7 +279,7 @@ app.get('/api/v2/search', searchController);
 
 app.get('/api/pleroma/frontend_configurations', frontendConfigController);
 
-app.get('/api/v1/trends/statuses', rateLimitMiddleware(5, Time.seconds(30)), trendingStatusesController);
+app.get('/api/v1/trends/statuses', rateLimitMiddleware(8, Time.seconds(30)), trendingStatusesController);
 app.get('/api/v1/trends/links', trendingLinksController);
 app.get('/api/v1/trends/tags', trendingTagsController);
 app.get('/api/v1/trends', trendingTagsController);
@@ -283,7 +287,7 @@ app.get('/api/v1/trends', trendingTagsController);
 app.get('/api/v1/suggestions', suggestionsV1Controller);
 app.get('/api/v2/suggestions', suggestionsV2Controller);
 
-app.get('/api/v1/notifications', rateLimitMiddleware(5, Time.seconds(30)), requireSigner, notificationsController);
+app.get('/api/v1/notifications', rateLimitMiddleware(8, Time.seconds(30)), requireSigner, notificationsController);
 app.get('/api/v1/notifications/:id', requireSigner, notificationController);
 app.get('/api/v1/favourites', requireSigner, favouritesController);
 

From 54c398c5faeeffa80acbbccf9ea3d4cae745117e Mon Sep 17 00:00:00 2001
From: Alex Gleason
Date: Fri, 27 Dec 2024 13:16:33 -0600
Subject: [PATCH 3/4] Ratelimit /followers and /following endpoints

---
 src/app.ts | 12 ++++++++++--
 1 file changed, 10 insertions(+), 2 deletions(-)

diff --git a/src/app.ts b/src/app.ts
index 5e9edee6..b8cd7a83 100644
--- a/src/app.ts
+++ b/src/app.ts
@@ -229,8 +229,16 @@ app.post('/api/v1/accounts/:pubkey{[0-9a-f]{64}}/mute', requireSigner, muteContr
 app.post('/api/v1/accounts/:pubkey{[0-9a-f]{64}}/unmute', requireSigner, unmuteController);
 app.post('/api/v1/accounts/:pubkey{[0-9a-f]{64}}/follow', requireSigner, followController);
 app.post('/api/v1/accounts/:pubkey{[0-9a-f]{64}}/unfollow', requireSigner, unfollowController);
-app.get('/api/v1/accounts/:pubkey{[0-9a-f]{64}}/followers', followersController);
-app.get('/api/v1/accounts/:pubkey{[0-9a-f]{64}}/following', followingController);
+app.get(
+  '/api/v1/accounts/:pubkey{[0-9a-f]{64}}/followers',
+  rateLimitMiddleware(8, Time.seconds(30)),
+  followersController,
+);
+app.get(
+  '/api/v1/accounts/:pubkey{[0-9a-f]{64}}/following',
+  rateLimitMiddleware(8, Time.seconds(30)),
+  followingController,
+);
 app.get(
   '/api/v1/accounts/:pubkey{[0-9a-f]{64}}/statuses',
   rateLimitMiddleware(12, Time.seconds(30)),

From b85513496c3ad6c9293c56f03d7d6eb94e6ac123 Mon Sep 17 00:00:00 2001
From: Alex Gleason
Date: Fri, 27 Dec 2024 13:18:22 -0600
Subject: [PATCH 4/4] Ratelimit follow and unfollow

---
 src/app.ts | 14 ++++++++++++--
 1 file changed, 12 insertions(+), 2 deletions(-)

diff --git a/src/app.ts b/src/app.ts
index b8cd7a83..c9d51441 100644
--- a/src/app.ts
+++ b/src/app.ts
@@ -227,8 +227,18 @@ app.post('/api/v1/accounts/:pubkey{[0-9a-f]{64}}/block', requireSigner, blockCon
 app.post('/api/v1/accounts/:pubkey{[0-9a-f]{64}}/unblock', requireSigner, unblockController);
 app.post('/api/v1/accounts/:pubkey{[0-9a-f]{64}}/mute', requireSigner, muteController);
 app.post('/api/v1/accounts/:pubkey{[0-9a-f]{64}}/unmute', requireSigner, unmuteController);
-app.post('/api/v1/accounts/:pubkey{[0-9a-f]{64}}/follow', requireSigner, followController);
-app.post('/api/v1/accounts/:pubkey{[0-9a-f]{64}}/unfollow', requireSigner, unfollowController);
+app.post(
+  '/api/v1/accounts/:pubkey{[0-9a-f]{64}}/follow',
+  rateLimitMiddleware(2, Time.seconds(1)),
+  requireSigner,
+  followController,
+);
+app.post(
+  '/api/v1/accounts/:pubkey{[0-9a-f]{64}}/unfollow',
+  rateLimitMiddleware(2, Time.seconds(1)),
+  requireSigner,
+  unfollowController,
+);
 app.get(
   '/api/v1/accounts/:pubkey{[0-9a-f]{64}}/followers',
   rateLimitMiddleware(8, Time.seconds(30)),
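Review bot: A window of `Time.seconds(1)` with a budget of 2 is a burst smoother, not an abuse limit: it stops tight loops but still allows 120 follows per minute from one client, so if the aim of this commit is to curb mass-follow behaviour a second, longer window is needed alongside it (the call here takes a single window, so that presumably means stacking two `rateLimitMiddleware` mounts, if the middleware tolerates that). Follow and unfollow also appear to get separate budgets, one per mount, so follow/unfollow churn is bounded at four writes per second rather than two; a comment such as `// Burst limit only; per-identity and longer-window limits are enforced elsewhere (or: TODO)` would make the intended scope explicit. As in the earlier hunks, the limiter sits before `requireSigner` and so cannot key on the signing key; for a write attributed to an identity, keying on the signer by mounting the limiter after `requireSigner` would be the more meaningful bound, assuming the middleware can read the signer from the context, which is not visible here.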