From a2e8de6c36d61a39586ecd73f18330d99d6b3284 Mon Sep 17 00:00:00 2001
From: Alex Gleason
Date: Fri, 4 Oct 2024 16:48:24 -0500
Subject: [PATCH] Rate-limit the captcha endpoints
---
 src/app.ts | 9 +++++++--
 1 file changed, 7 insertions(+), 2 deletions(-)
diff --git a/src/app.ts b/src/app.ts
index aa3b874f..e9ab44fc 100644
--- a/src/app.ts
+++ b/src/app.ts
@@ -279,8 +279,13 @@ app.put('/api/v1/admin/ditto/relays', requireRole('admin'), adminSetRelaysContro
 app.post('/api/v1/ditto/names', requireSigner, nameRequestController);
 app.get('/api/v1/ditto/names', requireSigner, nameRequestsController);
-app.get('/api/v1/ditto/captcha', captchaController);
-app.post('/api/v1/ditto/captcha/:id/verify', requireProof(), captchaVerifyController);
+app.get('/api/v1/ditto/captcha', rateLimitMiddleware(3, Time.minutes(1)), captchaController);
+app.post(
+ '/api/v1/ditto/captcha/:id/verify',
+ rateLimitMiddleware(8, Time.minutes(1)),
+ requireProof(),
+ captchaVerifyController,
+);
 app.get('/api/v1/ditto/zap_splits', getZapSplitsController);
 app.get('/api/v1/ditto/:id{[0-9a-f]{64}}/zap_splits', statusZapSplitsController);
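Review bot: The new limit on `POST /api/v1/ditto/captcha/:id/verify` bounds requests per rate-limit key, not attempts per challenge `:id`, so on its own it does not cap how many answers one challenge can receive. Whether that matters depends on `captchaVerifyController`, which is outside this hunk: if it does not already discard a challenge after a failed verification or on expiry, that bound is worth adding there. What `rateLimitMiddleware` keys on is also not visible here; if it is the client address, confirm it is taken from a trusted proxy header and not from a value the caller can set. The values 3 and 8 deserve a short comment above the two routes, for example `// captcha: at most 3 new challenges and 8 verify calls per minute per rate-limit key`.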