From c0d3b776e26416e2e7e63edfa036a97ed8d1f324 Mon Sep 17 00:00:00 2001 From: Shane Kilkelly Date: Fri, 11 Jun 2021 09:40:08 +0100 Subject: [PATCH] Merge pull request #4166 from overleaf/sk-analytics-rate-limit Analytics: add rate-limiter to analytics api GitOrigin-RevId: c58843a2c693b5276e962cc23d701b960e82f186 --- .../src/Features/Analytics/AnalyticsRouter.js | 17 +++++++++++++++++ 1 file changed, 17 insertions(+) diff --git a/services/web/app/src/Features/Analytics/AnalyticsRouter.js b/services/web/app/src/Features/Analytics/AnalyticsRouter.js index b4a8af81b9..90707a3eb7 100644 --- a/services/web/app/src/Features/Analytics/AnalyticsRouter.js +++ b/services/web/app/src/Features/Analytics/AnalyticsRouter.js @@ -1,22 +1,39 @@ const AuthenticationController = require('./../Authentication/AuthenticationController') const AnalyticsController = require('./AnalyticsController') const AnalyticsProxy = require('./AnalyticsProxy') +const RateLimiterMiddleware = require('./../Security/RateLimiterMiddleware') module.exports = { apply(webRouter, privateApiRouter, publicApiRouter) { webRouter.post( '/event/:event([a-z0-9-_]+)', + RateLimiterMiddleware.rateLimit({ + endpointName: 'analytics-record-event', + maxRequests: 200, + timeInterval: 60, + }), AnalyticsController.recordEvent ) webRouter.put( '/editingSession/:projectId', + RateLimiterMiddleware.rateLimit({ + endpointName: 'analytics-update-editing-session', + params: ['projectId'], + maxRequests: 20, + timeInterval: 60, + }), AnalyticsController.updateEditingSession ) publicApiRouter.use( '/analytics/uniExternalCollaboration', AuthenticationController.requirePrivateApiAuth(), + RateLimiterMiddleware.rateLimit({ + endpointName: 'analytics-uni-external-collab-proxy', + maxRequests: 20, + timeInterval: 60, + }), AnalyticsProxy.call('/uniExternalCollaboration') ) },
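Review bot: The `params: ['projectId']` on the `/editingSession/:projectId` limiter appears to scope the 20-per-interval budget per project rather than per caller, so a client that rotates projectId values (the router does not validate them here) gets an aggregate rate bounded only by how many ids it supplies; if per-client throttling is the intent, drop `params` or stack a second limiter without it. The `/event/:event` route has no authentication middleware in this hunk, so its 200-per-interval limit is the only brake on unauthenticated writes — worth confirming that `RateLimiterMiddleware.rateLimit` keys on something an anonymous client cannot trivially rotate (session vs. source IP), since that is not visible from this file. The unit of `timeInterval` and the reasoning behind 200 vs. 20 are also undocumented; a comment on each limiter such as `// 20 requests per caller+project per 60 s (assumed seconds) — see RateLimiterMiddleware for the key` would save the next reader a trip into the middleware. The `module.exports` object that encloses `apply` closes outside the hunk.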