Merge branch 'tl-ratelimit' into 'main'

Stricter timeline rate limits See merge request soapbox-pub/ditto!612
2025-12-06 11:29:46 +00:00 · 2024-12-27 19:20:29 +00:00 · 2024-12-27 19:20:29 +00:00 · 51fc0c9cc9
commit 51fc0c9cc9
parent e32976945e b85513496c
1 changed files with 33 additions and 11 deletions
--- a/src/app.ts
+++ b/src/app.ts
@ -227,11 +227,33 @@ app.post('/api/v1/accounts/:pubkey{[0-9a-f]{64}}/block', requireSigner, blockCon
 app.post('/api/v1/accounts/:pubkey{[0-9a-f]{64}}/unblock', requireSigner, unblockController);
 app.post('/api/v1/accounts/:pubkey{[0-9a-f]{64}}/mute', requireSigner, muteController);
 app.post('/api/v1/accounts/:pubkey{[0-9a-f]{64}}/unmute', requireSigner, unmuteController);
-app.post('/api/v1/accounts/:pubkey{[0-9a-f]{64}}/follow', requireSigner, followController);
-app.post('/api/v1/accounts/:pubkey{[0-9a-f]{64}}/unfollow', requireSigner, unfollowController);
-app.get('/api/v1/accounts/:pubkey{[0-9a-f]{64}}/followers', followersController);
-app.get('/api/v1/accounts/:pubkey{[0-9a-f]{64}}/following', followingController);
-app.get('/api/v1/accounts/:pubkey{[0-9a-f]{64}}/statuses', accountStatusesController);
+app.post(
+  '/api/v1/accounts/:pubkey{[0-9a-f]{64}}/follow',
+  rateLimitMiddleware(2, Time.seconds(1)),
+  requireSigner,
+  followController,
+);
+app.post(
+  '/api/v1/accounts/:pubkey{[0-9a-f]{64}}/unfollow',
+  rateLimitMiddleware(2, Time.seconds(1)),
+  requireSigner,
+  unfollowController,
+);
+app.get(
+  '/api/v1/accounts/:pubkey{[0-9a-f]{64}}/followers',
+  rateLimitMiddleware(8, Time.seconds(30)),
+  followersController,
+);
+app.get(
+  '/api/v1/accounts/:pubkey{[0-9a-f]{64}}/following',
+  rateLimitMiddleware(8, Time.seconds(30)),
+  followingController,
+);
+app.get(
+  '/api/v1/accounts/:pubkey{[0-9a-f]{64}}/statuses',
+  rateLimitMiddleware(12, Time.seconds(30)),
+  accountStatusesController,
+);
 app.get('/api/v1/accounts/:pubkey{[0-9a-f]{64}}', accountController);

 app.get('/api/v1/statuses/:id{[0-9a-f]{64}}/favourited_by', favouritedByController);
@ -264,10 +286,10 @@ app.put(
 );
 app.post('/api/v2/media', mediaController);

-app.get('/api/v1/timelines/home', requireSigner, homeTimelineController);
-app.get('/api/v1/timelines/public', publicTimelineController);
-app.get('/api/v1/timelines/tag/:hashtag', hashtagTimelineController);
-app.get('/api/v1/timelines/suggested', suggestedTimelineController);
+app.get('/api/v1/timelines/home', rateLimitMiddleware(8, Time.seconds(30)), requireSigner, homeTimelineController);
+app.get('/api/v1/timelines/public', rateLimitMiddleware(8, Time.seconds(30)), publicTimelineController);
+app.get('/api/v1/timelines/tag/:hashtag', rateLimitMiddleware(8, Time.seconds(30)), hashtagTimelineController);
+app.get('/api/v1/timelines/suggested', rateLimitMiddleware(8, Time.seconds(30)), suggestedTimelineController);

 app.get('/api/v1/preferences', preferencesController);
 app.get('/api/v1/search', searchController);
@ -275,7 +297,7 @@ app.get('/api/v2/search', searchController);

 app.get('/api/pleroma/frontend_configurations', frontendConfigController);

-app.get('/api/v1/trends/statuses', trendingStatusesController);
+app.get('/api/v1/trends/statuses', rateLimitMiddleware(8, Time.seconds(30)), trendingStatusesController);
 app.get('/api/v1/trends/links', trendingLinksController);
 app.get('/api/v1/trends/tags', trendingTagsController);
 app.get('/api/v1/trends', trendingTagsController);
@ -283,7 +305,7 @@ app.get('/api/v1/trends', trendingTagsController);
 app.get('/api/v1/suggestions', suggestionsV1Controller);
 app.get('/api/v2/suggestions', suggestionsV2Controller);

-app.get('/api/v1/notifications', requireSigner, notificationsController);
+app.get('/api/v1/notifications', rateLimitMiddleware(8, Time.seconds(30)), requireSigner, notificationsController);
 app.get('/api/v1/notifications/:id', requireSigner, notificationController);

 app.get('/api/v1/favourites', requireSigner, favouritesController);