feat: add rate limiting

backend/src/app.module.ts

@@ -4,6 +4,8 @@ import { ScheduleModule } from "@nestjs/schedule";
 import { AuthModule } from "./auth/auth.module";
 import { JobsService } from "./jobs/jobs.service";
 
+import { APP_GUARD } from "@nestjs/core";
+import { ThrottlerGuard, ThrottlerModule } from "@nestjs/throttler";
 import { FileController } from "./file/file.controller";
 import { FileModule } from "./file/file.module";
 import { PrismaModule } from "./prisma/prisma.module";
@@ -19,9 +21,20 @@ import { UserController } from "./user/user.controller";
     FileModule,
     PrismaModule,
     ConfigModule.forRoot({ isGlobal: true }),
+    ThrottlerModule.forRoot({
+      ttl: 60,
+      limit: 100,
+    }),
     ScheduleModule.forRoot(),
   ],
-  providers: [PrismaService, JobsService],
+  providers: [
+    PrismaService,
+    JobsService,
+    {
+      provide: APP_GUARD,
+      useClass: ThrottlerGuard,
+    },
+  ],
   controllers: [UserController, ShareController, FileController],
 })
 export class AppModule {}

backend/src/auth/auth.controller.ts

@@ -6,7 +6,7 @@ import {
   Post,
 } from "@nestjs/common";
 import { ConfigService } from "@nestjs/config";
-
+import { Throttle } from "@nestjs/throttler";
 import { AuthService } from "./auth.service";
 import { AuthRegisterDTO } from "./dto/authRegister.dto";
 import { AuthSignInDTO } from "./dto/authSignIn.dto";
@@ -19,6 +19,7 @@ export class AuthController {
     private config: ConfigService
   ) {}
 
+  @Throttle(10, 5 * 60)
   @Post("signUp")
   signUp(@Body() dto: AuthRegisterDTO) {
     if (this.config.get("ALLOW_REGISTRATION") == "false")
@@ -26,6 +27,7 @@ export class AuthController {
     return this.authService.signUp(dto);
   }
 
+  @Throttle(10, 5 * 60)
   @Post("signIn")
   @HttpCode(200)
   signIn(@Body() dto: AuthSignInDTO) {

backend/src/main.ts

@@ -1,12 +1,16 @@
 import { ClassSerializerInterceptor, ValidationPipe } from "@nestjs/common";
 import { NestFactory, Reflector } from "@nestjs/core";
+import { NestExpressApplication } from "@nestjs/platform-express";
 import * as fs from "fs";
 import { AppModule } from "./app.module";
+
 async function bootstrap() {
-  const app = await NestFactory.create(AppModule);
+  const app = await NestFactory.create<NestExpressApplication>(AppModule);
   app.useGlobalPipes(new ValidationPipe());
   app.useGlobalInterceptors(new ClassSerializerInterceptor(app.get(Reflector)));
 
+  app.set("trust proxy", true);
+
   await fs.promises.mkdir("./data/uploads/_temp", { recursive: true });
 
   app.setGlobalPrefix("api");

backend/src/share/share.controller.ts

@@ -8,6 +8,7 @@ import {
   Post,
   UseGuards,
 } from "@nestjs/common";
+import { Throttle } from "@nestjs/throttler";
 import { User } from "@prisma/client";
 import { GetUser } from "src/auth/decorator/getUser.decorator";
 import { JwtGuard } from "src/auth/guard/jwt.guard";
@@ -20,7 +21,6 @@ import { ShareOwnerGuard } from "./guard/shareOwner.guard";
 import { ShareSecurityGuard } from "./guard/shareSecurity.guard";
 import { ShareTokenSecurity } from "./guard/shareTokenSecurity.guard";
 import { ShareService } from "./share.service";
-
 @Controller("shares")
 export class ShareController {
   constructor(private shareService: ShareService) {}
@@ -70,6 +70,7 @@ export class ShareController {
   }
 
   @HttpCode(200)
+  @Throttle(10, 5 * 60)
   @UseGuards(ShareTokenSecurity)
   @Post(":id/token")
   async getShareToken(@Param("id") id: string, @Body() body: SharePasswordDto) {