Add default rate limiting

backend/python/app/__init__.py

@@ -5,6 +5,8 @@
 from flask import Flask
 from flask.cli import ScriptInfo
 from flask_cors import CORS
+from flask_limiter import Limiter
+from flask_limiter.util import get_remote_address
 from flask_sqlalchemy import SQLAlchemy
 from logging.config import dictConfig
 
@@ -47,6 +49,15 @@ def create_app(config_name):
     app.config["CORS_SUPPORTS_CREDENTIALS"] = True
     CORS(app)
 
+    default_minute_rate_limit = (
+        os.getenv("BACKEND_API_DEFAULT_PER_MINUTE_RATE_LIMIT") or 15
+    )
+    Limiter(
+        app,
+        key_func=get_remote_address,
+        default_limits=[f"{default_minute_rate_limit} per minute"],
+    )
+
     if os.getenv("FLASK_CONFIG") != "production":
         app.config[
             "SQLALCHEMY_DATABASE_URI"

backend/python/requirements.txt

@@ -10,8 +10,9 @@ chardet==4.0.0
 click==7.1.2
 dnspython==1.16.0
 firebase-admin==4.5.3
-Flask==1.1.2
+Flask==2.0.2
 Flask-Cors==3.0.10
+Flask-Limiter==2.1.3
 Flask-Migrate==3.0.1
 Flask-SQLAlchemy==2.4.4
 google-api-core==1.26.3
@@ -29,10 +30,10 @@ httplib2==0.19.1
 idna==2.10
 importlib-metadata==4.4.0
 iniconfig==1.1.1
-itsdangerous==1.1.0
-Jinja2==2.11.2
+itsdangerous==2.0.1
+Jinja2==3.0.3
 Mako==1.1.4
-MarkupSafe==1.1.1
+MarkupSafe==2.0.1
 mongoengine==0.23.0
 mongomock==3.23.0
 msgpack==1.0.2
@@ -66,5 +67,5 @@ typed-ast==1.4.2
 typing-extensions==3.7.4.3
 uritemplate==3.0.1
 urllib3==1.26.4
-Werkzeug==1.0.1
+Werkzeug==2.0.3
 zipp==3.4.1

backend/typescript/graphql/index.ts

@@ -1,6 +1,8 @@
 import { makeExecutableSchema, gql } from "apollo-server-express";
 import { applyMiddleware } from "graphql-middleware";
 import { merge } from "lodash";
+import { createRateLimitRule } from "graphql-rate-limit";
+import { shield } from "graphql-shield";
 
 import {
   isAuthorizedByEmail,
@@ -56,4 +58,28 @@ const graphQLMiddlewares = {
   },
 };
 
-export default applyMiddleware(executableSchema, graphQLMiddlewares);
+const rateLimitRule = createRateLimitRule({
+  identifyContext: (ctx) => ctx.id,
+  formatError: () => "Too many requests, please try again later.",
+});
+
+const defaultMinuteRateLimit = parseInt(
+  process.env.BACKEND_API_DEFAULT_PER_MINUTE_RATE_LIMIT || "15",
+  10,
+);
+
+const rateLimiters = shield(
+  {},
+  {
+    fallbackRule: rateLimitRule({
+      window: "1m",
+      max: defaultMinuteRateLimit,
+    }),
+  },
+);
+
+export default applyMiddleware(
+  executableSchema,
+  graphQLMiddlewares,
+  rateLimiters,
+);

backend/typescript/package.json

@@ -26,9 +26,12 @@
     "cors": "^2.8.5",
     "dotenv": "^8.2.0",
     "express": "^4.17.1",
+    "express-rate-limit": "^6.2.0",
     "firebase-admin": "^9.5.0",
     "graphql": "^15.5.0",
     "graphql-middleware": "^6.0.6",
+    "graphql-rate-limit": "^3.3.0",
+    "graphql-shield": "^7.5.0",
     "graphql-upload": "^12.0.0",
     "json2csv": "^5.0.6",
     "lodash": "^4.17.21",

backend/typescript/server.ts

@@ -1,6 +1,7 @@
 import cookieParser from "cookie-parser";
 import cors from "cors";
 import express from "express";
+import RateLimit from "express-rate-limit";
 import * as firebaseAdmin from "firebase-admin";
 import swaggerUi from "swagger-ui-express";
 import YAML from "yamljs";
@@ -27,11 +28,23 @@ const CORS_OPTIONS: cors.CorsOptions = {
 
 const swaggerDocument = YAML.load("swagger.yml");
 
+const defaultMinuteRateLimit = parseInt(
+  process.env.BACKEND_API_DEFAULT_PER_MINUTE_RATE_LIMIT || "15",
+  10,
+);
+const limiter = RateLimit({
+  windowMs: 1 * 60 * 1000, // 1 minute
+  max: defaultMinuteRateLimit,
+  standardHeaders: true, // Return rate limit info in the `RateLimit-*` headers
+  legacyHeaders: false, // Disable the `X-RateLimit-*` headers
+});
+
 const app = express();
 app.use(cookieParser());
 app.use(cors(CORS_OPTIONS));
 app.use(express.json());
 app.use(express.urlencoded({ extended: true }));
+// app.use(limiter);
 
 app.use("/auth", authRouter);
 app.use("/entities", entityRouter);