From 392bc9c5b104f2fca4078553e6f4c51a88c513db Mon Sep 17 00:00:00 2001
From: Chris Duncan
Date: Sun, 20 Apr 2025 15:21:12 -0700
Subject: [PATCH] Block requests missing IP address. Add rate limit of 10 requests per minute which is bypassed for CLI.
---
 src/bin/server.ts | 20 ++++++++++++++++++++
 1 file changed, 20 insertions(+)
diff --git a/src/bin/server.ts b/src/bin/server.ts
index dfce1f5..45f7093 100755
--- a/src/bin/server.ts
+++ b/src/bin/server.ts
@@ -30,9 +30,13 @@ function log (...args: any[]): void {
 }
 process.title = 'NanoPow Server'
+const MAX_REQUEST_COUNT = 10
+const MAX_REQUEST_TIME = 60000
 const MAX_REQUEST_SIZE = 1024
 const MAX_BODY_SIZE = 158
+const requests: Map = new Map()
+
 const CONFIG = {
 DEBUG: false,
 EFFORT: 8,
@@ -126,6 +130,22 @@ async function respond (res: http.ServerResponse, data: Buffer[]): Promise
 // Create server
 const server = http.createServer((req, res): void => {
+ if (req.socket.remoteAddress == null) {
+ res.writeHead(401, { 'Content-Type': 'text/plain' })
+ res.end('Unauthorized')
+ return
+ }
+ const client = requests.get(req.socket.remoteAddress)
+ if (process.send != null || client == null || client.time < Date.now() - MAX_REQUEST_TIME) {
+ requests.set(req.socket.remoteAddress, { tokens: MAX_REQUEST_COUNT, time: Date.now() })
+ } else {
+ if (--client.tokens <= 0) {
+ log(`${req.socket.remoteAddress} potential abuse`)
+ res.writeHead(429, { 'Content-Type': 'text/plain' })
+ res.end('Too Many Requests')
+ return
+ }
+ }
 let data: Buffer[] = []
 let reqSize = 0
 if (req.method === 'POST') {
--
2.34.1
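Review bot: Nothing visible in this patch ever removes an entry from the `requests` map declared in this hunk; the handler only calls `requests.set(...)`, so the table keeps one entry per distinct remote address for the life of the process and its memory use is bounded only by how many addresses connect. A periodic sweep would cap it, for example a `setInterval` with period `MAX_REQUEST_TIME` that runs `for (const [ip, c] of requests) if (c.time < Date.now() - MAX_REQUEST_TIME) requests.delete(ip)`. The unit of the window constant is also worth stating where it is defined, `const MAX_REQUEST_TIME = 60000 // window length in milliseconds`. The rest of the file is not shown here, so confirm that no cleanup already exists elsewhere.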
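Review bot: In the 429 branch `log(...)` runs for every rejected request, so a client that keeps sending after being throttled still costs one log call per request (what `log` writes is not visible in this hunk); logging only on the transition, `if (client.tokens === 0) log(...)`, leaves one line per address per window. The 429 response also gives a well-behaved client no hint of when to retry, which a `Retry-After` header derived from `client.time + MAX_REQUEST_TIME - Date.now()` would provide. Because the bucket is keyed on `req.socket.remoteAddress`, all clients would share a single bucket if the server were ever placed behind a reverse proxy, so a comment stating that direct connections are assumed would help the next maintainer. The `createServer` callback continues past the end of the hunk.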