Block requests missing IP address. Add rate limit of 10 requests per minute which...
authorChris Duncan <chris@zoso.dev>
Sun, 20 Apr 2025 22:21:12 +0000 (15:21 -0700)
committerChris Duncan <chris@zoso.dev>
Sun, 20 Apr 2025 22:21:12 +0000 (15:21 -0700)
src/bin/server.ts

index dfce1f59d752a1245efbe65ba9c61f5442ae601f..45f7093b34c890be4fd4ec8eb57b2de587ef95f6 100755 (executable)
@@ -30,9 +30,13 @@ function log (...args: any[]): void {
 }
 
 process.title = 'NanoPow Server'
+const MAX_REQUEST_COUNT = 10
+const MAX_REQUEST_TIME = 60000
 const MAX_REQUEST_SIZE = 1024
 const MAX_BODY_SIZE = 158
 
+const requests: Map<string, { tokens: number, time: number }> = new Map()
+
 const CONFIG = {
        DEBUG: false,
        EFFORT: 8,
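Review bot: The `requests` map added here has no eviction path in this commit: the handler hunk further down only calls `requests.set`, so every distinct remote address leaves an entry for the life of the process and memory grows with the number of addresses seen. A periodic sweep would bound it, e.g. `setInterval(() => { const cutoff = Date.now() - MAX_REQUEST_TIME; for (const [addr, c] of requests) if (c.time < cutoff) requests.delete(addr) }, MAX_REQUEST_TIME).unref()`. `MAX_REQUEST_TIME` would also read better with its unit stated, for example `// rate-limit window in milliseconds`. The `CONFIG` object continues outside the hunk.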
@@ -126,6 +130,22 @@ async function respond (res: http.ServerResponse, data: Buffer[]): Promise<void>
 
 // Create server
 const server = http.createServer((req, res): void => {
+       if (req.socket.remoteAddress == null) {
+               res.writeHead(401, { 'Content-Type': 'text/plain' })
+               res.end('Unauthorized')
+               return
+       }
+       const client = requests.get(req.socket.remoteAddress)
+       if (process.send != null || client == null || client.time < Date.now() - MAX_REQUEST_TIME) {
+               requests.set(req.socket.remoteAddress, { tokens: MAX_REQUEST_COUNT, time: Date.now() })
+       } else {
+               if (--client.tokens <= 0) {
+                       log(`${req.socket.remoteAddress} potential abuse`)
+                       res.writeHead(429, { 'Content-Type': 'text/plain' })
+                       res.end('Too Many Requests')
+                       return
+               }
+       }
        let data: Buffer[] = []
        let reqSize = 0
        if (req.method === 'POST') {
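Review bot: The `process.send != null` term in the reset condition refills the bucket on every request whenever the process has an IPC channel, so the limiter is off for any deployment started through `child_process.fork`, the cluster module, or a process manager that uses IPC. If that bypass is meant only for a test or supervisor setup, it should be an explicit, documented setting rather than inferred from IPC presence, leaving the condition as `if (client == null || client.time < Date.now() - MAX_REQUEST_TIME) {`. The bucket is keyed on `req.socket.remoteAddress`, so behind a reverse proxy all clients would presumably share one bucket; a comment stating that the server expects direct connections would make that assumption visible. The `log(...)` call runs on every rejected request, so logging only when `client.tokens === 0` would keep a throttled client from also producing unbounded log output. The request handler's body continues outside the hunk.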