mirror of
https://github.com/danny-avila/LibreChat.git
synced 2026-03-22 07:36:33 +01:00
ecd6d76bc8
* fix: Add removePorts keyGenerator to all IP-based rate limiters Six IP-based rate limiters are missing the `keyGenerator: removePorts` option that is already used by the auth-related limiters (login, register, resetPassword, verifyEmail). Without it, reverse proxies that include ports in X-Forwarded-For headers cause ERR_ERL_INVALID_IP_ADDRESS errors from express-rate-limit. Fixes #12318 * fix: make removePorts IPv6-safe to prevent rate-limit key collisions The original regex `/:\d+[^:]*$/` treated the last colon-delimited segment of bare IPv6 addresses as a port, mangling valid IPs (e.g. `::1` → `::`, `2001:db8::1` → `2001:db8::`). Distinct IPv6 clients could collapse into the same rate-limit bucket. Use `net.isIP()` as a fast path for already-valid IPs, then match bracketed IPv6+port and IPv4+port explicitly. Bare IPv6 addresses are now returned unchanged. Also fixes pre-existing property ordering inconsistency in ttsLimiters.js userLimiterOptions (keyGenerator before store). * refactor: move removePorts to packages/api as TypeScript, fix import order - Move removePorts implementation to packages/api/src/utils/removePorts.ts with proper Express Request typing - Reduce api/server/utils/removePorts.js to a thin re-export from @librechat/api for backward compatibility - Consolidate removePorts import with limiterCache from @librechat/api in all 6 limiter files, fixing import order (package imports shortest to longest, local imports longest to shortest) - Remove narrating inline comments per code style guidelines --------- Co-authored-by: Danny Avila <danny@librechat.ai>
85 lines
2.8 KiB
JavaScript
85 lines
2.8 KiB
JavaScript
const rateLimit = require('express-rate-limit');
|
|
const { ViolationTypes } = require('librechat-data-provider');
|
|
const { limiterCache, removePorts } = require('@librechat/api');
|
|
const logViolation = require('~/cache/logViolation');
|
|
|
|
const getEnvironmentVariables = () => {
|
|
const FILE_UPLOAD_IP_MAX = parseInt(process.env.FILE_UPLOAD_IP_MAX) || 100;
|
|
const FILE_UPLOAD_IP_WINDOW = parseInt(process.env.FILE_UPLOAD_IP_WINDOW) || 15;
|
|
const FILE_UPLOAD_USER_MAX = parseInt(process.env.FILE_UPLOAD_USER_MAX) || 50;
|
|
const FILE_UPLOAD_USER_WINDOW = parseInt(process.env.FILE_UPLOAD_USER_WINDOW) || 15;
|
|
const FILE_UPLOAD_VIOLATION_SCORE = process.env.FILE_UPLOAD_VIOLATION_SCORE;
|
|
|
|
const fileUploadIpWindowMs = FILE_UPLOAD_IP_WINDOW * 60 * 1000;
|
|
const fileUploadIpMax = FILE_UPLOAD_IP_MAX;
|
|
const fileUploadIpWindowInMinutes = fileUploadIpWindowMs / 60000;
|
|
|
|
const fileUploadUserWindowMs = FILE_UPLOAD_USER_WINDOW * 60 * 1000;
|
|
const fileUploadUserMax = FILE_UPLOAD_USER_MAX;
|
|
const fileUploadUserWindowInMinutes = fileUploadUserWindowMs / 60000;
|
|
|
|
return {
|
|
fileUploadIpWindowMs,
|
|
fileUploadIpMax,
|
|
fileUploadIpWindowInMinutes,
|
|
fileUploadUserWindowMs,
|
|
fileUploadUserMax,
|
|
fileUploadUserWindowInMinutes,
|
|
fileUploadViolationScore: FILE_UPLOAD_VIOLATION_SCORE,
|
|
};
|
|
};
|
|
|
|
const createFileUploadHandler = (ip = true) => {
|
|
const {
|
|
fileUploadIpMax,
|
|
fileUploadIpWindowInMinutes,
|
|
fileUploadUserMax,
|
|
fileUploadUserWindowInMinutes,
|
|
fileUploadViolationScore,
|
|
} = getEnvironmentVariables();
|
|
|
|
return async (req, res) => {
|
|
const type = ViolationTypes.FILE_UPLOAD_LIMIT;
|
|
const errorMessage = {
|
|
type,
|
|
max: ip ? fileUploadIpMax : fileUploadUserMax,
|
|
limiter: ip ? 'ip' : 'user',
|
|
windowInMinutes: ip ? fileUploadIpWindowInMinutes : fileUploadUserWindowInMinutes,
|
|
};
|
|
|
|
await logViolation(req, res, type, errorMessage, fileUploadViolationScore);
|
|
res.status(429).json({ message: 'Too many file upload requests. Try again later' });
|
|
};
|
|
};
|
|
|
|
const createFileLimiters = () => {
|
|
const { fileUploadIpWindowMs, fileUploadIpMax, fileUploadUserWindowMs, fileUploadUserMax } =
|
|
getEnvironmentVariables();
|
|
|
|
const ipLimiterOptions = {
|
|
windowMs: fileUploadIpWindowMs,
|
|
max: fileUploadIpMax,
|
|
handler: createFileUploadHandler(),
|
|
keyGenerator: removePorts,
|
|
store: limiterCache('file_upload_ip_limiter'),
|
|
};
|
|
|
|
const userLimiterOptions = {
|
|
windowMs: fileUploadUserWindowMs,
|
|
max: fileUploadUserMax,
|
|
handler: createFileUploadHandler(false),
|
|
keyGenerator: function (req) {
|
|
return req.user?.id;
|
|
},
|
|
store: limiterCache('file_upload_user_limiter'),
|
|
};
|
|
|
|
const fileUploadIpLimiter = rateLimit(ipLimiterOptions);
|
|
const fileUploadUserLimiter = rateLimit(userLimiterOptions);
|
|
|
|
return { fileUploadIpLimiter, fileUploadUserLimiter };
|
|
};
|
|
|
|
module.exports = {
|
|
createFileLimiters,
|
|
};
|