[patch] fix: risk of getting fluid requests

rnmeow · Nov 2, 2024 · 6799cf7 · 6799cf7
1 parent 9d95318
commit 6799cf7
Show file tree

Hide file tree

Showing 5 changed files with 58 additions and 2 deletions.
diff --git a/package.json b/package.json
@@ -23,7 +23,9 @@
     "wrangler": "^3.81.0"
   },
   "dependencies": {
+    "@hono-rate-limiter/cloudflare": "^0.2.1",
     "hono": "4.6.5",
+    "hono-rate-limiter": "^0.4.0",
     "nanoid": "^5.0.7"
   }
 }
diff --git a/pnpm-lock.yaml b/pnpm-lock.yaml
diff --git a/src/app.ts b/src/app.ts
@@ -15,18 +15,34 @@
  * along with this program.  If not, see <https://www.gnu.org/licenses/>.
  */
 
-import { Hono } from 'hono'
+import { Hono, type Context, type Next } from 'hono'
 import { RegExpRouter } from 'hono/router/reg-exp-router'
 import { HTTPException } from 'hono/http-exception'
 
+import { rateLimiter } from 'hono-rate-limiter'
+import {
+  DurableObjectStore,
+  DurableObjectRateLimiter,
+} from '@hono-rate-limiter/cloudflare'
+
 import { handlers as rootHandlers } from '@/routes/root'
 import { handlers as redirectHandlers } from '@/routes/[slug]'
 import { handlers as shortenHandlers } from '@/routes/api/shorten'
 import { handlers as revokeHandlers } from '@/routes/api/revoke'
 
 import { genHttpException } from '@/errors/http_error'
 
-const app = new Hono({ router: new RegExpRouter() })
+const app = new Hono<{
+  Bindings: { CACHE: DurableObjectNamespace<DurableObjectRateLimiter> }
+}>({ router: new RegExpRouter() }).use((ctxt: Context, next: Next) =>
+  rateLimiter({
+    windowMs: 10 * 60 * 1000, // 10 mins
+    limit: 10,
+    standardHeaders: 'draft-6',
+    keyGenerator: (_ctxt) => crypto.randomUUID(),
+    store: new DurableObjectStore({ namespace: ctxt.env.CACHE }),
+  })(ctxt, next),
+)
 
 app
   .get('/', ...rootHandlers)

diff --git a/src/routes/api/shorten.ts b/src/routes/api/shorten.ts
@@ -1,5 +1,6 @@
 import { createFactory } from 'hono/factory'
 import { logger } from 'hono/logger'
+
 import { nanoid } from 'nanoid/non-secure'
 
 import { baseUrl, randSlugSize } from '@/conf'
@@ -75,6 +76,9 @@ export const handlers = factory.createHandlers(logger(), async (ctxt) => {
     )
   }
 
+  // TEMP SOLUTION SINCE TOKEN ISN'T DESIGNED
+  ctxt.header('Referrer-Policy', 'strict-origin-when-cross-origin')
+
   return ctxt.json<
     JsonResp & {
       shortenedUrl: string

diff --git a/wrangler.toml b/wrangler.toml
@@ -10,3 +10,11 @@ assets = { directory = "./www/", binding = "ASSETS" }
 binding = "DB"
 database_name = "url-shortner-db"
 database_id = "83e2a789-0639-4e3b-b2e3-545deb75a421"
+
+[[durable_objects.bindings]]
+name = "CACHE"
+class_name = "DurableObjectRateLimiter"
+
+[[migrations]]
+tag = "v0"
+new_classes = ["DurableObjectRateLimiter"]