feat: ratelimits (#2073)

* feat: rate limits

* ip

apps/server/package.json

@@ -44,6 +44,7 @@
     "@langchain/core": "1.1.34",
     "@langchain/textsplitters": "1.0.1",
     "@modelcontextprotocol/sdk": "^1.27.1",
+    "@nest-lab/throttler-storage-redis": "^1.2.0",
     "@nestjs-labs/nestjs-ioredis": "^11.0.4",
     "@nestjs/bullmq": "^11.0.4",
     "@nestjs/cache-manager": "^3.1.0",
@@ -58,6 +59,7 @@
     "@nestjs/platform-socket.io": "^11.1.17",
     "@nestjs/schedule": "^6.1.1",
     "@nestjs/terminus": "^11.1.1",
+    "@nestjs/throttler": "^6.5.0",
     "@nestjs/websockets": "^11.1.17",
     "@node-saml/passport-saml": "^5.1.0",
     "@react-email/components": "1.0.10",
@@ -73,6 +75,7 @@
     "class-transformer": "^0.5.1",
     "class-validator": "^0.15.1",
     "cookie": "^1.1.1",
+    "fastify-ip": "^2.0.0",
     "fs-extra": "^11.3.4",
     "happy-dom": "20.8.9",
     "ioredis": "^5.10.1",

apps/server/src/app.module.ts

@@ -26,6 +26,7 @@ import KeyvRedis from '@keyv/redis';
 import { LoggerModule } from './common/logger/logger.module';
 import { ClsModule } from 'nestjs-cls';
 import { NoopAuditModule } from './integrations/audit/audit.module';
+import { ThrottleModule } from './integrations/throttle/throttle.module';
 
 const enterpriseModules = [];
 try {
@@ -83,6 +84,7 @@ try {
     EventEmitterModule.forRoot(),
     SecurityModule,
     TelemetryModule,
+    ThrottleModule,
     ...enterpriseModules,
   ],
   controllers: [AppController],

apps/server/src/common/logger/pino.config.ts

@@ -50,20 +50,12 @@ export function createPinoConfig(): Params {
         },
       },
       serializers: {
-        req: (req) => {
-          const forwardedFor = req.headers?.['x-forwarded-for'];
-          const ip =
-            req.headers?.['cf-connecting-ip'] ||
-            (typeof forwardedFor === 'string' ? forwardedFor.split(',')[0]?.trim() : undefined) ||
-            req.remoteAddress;
-
-          return {
-            method: req.method,
-            url: req.url,
-            ip,
-            userAgent: req.headers?.['user-agent'],
-          };
-        },
+        req: (req) => ({
+          method: req.method,
+          url: req.url,
+          ip: req.ip || req.remoteAddress,
+          userAgent: req.headers?.['user-agent'],
+        }),
         res: (res) => ({
           statusCode: res.statusCode,
         }),

apps/server/src/common/middlewares/audit-context.middleware.ts

@@ -18,7 +18,8 @@ export class AuditContextMiddleware implements NestMiddleware {
 
   use(req: FastifyRequest['raw'], res: FastifyReply['raw'], next: () => void) {
     const workspaceId = (req as any).workspaceId ?? null;
-    const ipAddress = this.extractIpAddress(req);
+
+    const ipAddress = (req as any).ip ?? (req as any).socket?.remoteAddress ?? null;
 
     const userAgent =
       (req.headers['user-agent'] as string) ?? null;
@@ -35,21 +36,4 @@ export class AuditContextMiddleware implements NestMiddleware {
 
     next();
   }
-
-  private extractIpAddress(req: FastifyRequest['raw']): string | null {
-    const xForwardedFor = req.headers['x-forwarded-for'];
-    if (xForwardedFor) {
-      const ips = Array.isArray(xForwardedFor)
-        ? xForwardedFor[0]
-        : xForwardedFor.split(',')[0];
-      return ips?.trim() ?? null;
-    }
-
-    const xRealIp = req.headers['x-real-ip'];
-    if (xRealIp) {
-      return Array.isArray(xRealIp) ? xRealIp[0] : xRealIp;
-    }
-
-    return (req as any).socket?.remoteAddress ?? null;
-  }
 }

apps/server/src/core/auth/auth.controller.ts

@@ -10,6 +10,7 @@ import {
   UseGuards,
   Logger,
 } from '@nestjs/common';
+import { SkipThrottle, ThrottlerGuard } from '@nestjs/throttler';
 import { LoginDto } from './dto/login.dto';
 import { AuthService } from './services/auth.service';
 import { SessionService } from '../session/session.service';
@@ -33,6 +34,7 @@ import {
   IAuditService,
 } from '../../integrations/audit/audit.service';
 
+@UseGuards(ThrottlerGuard)
 @Controller('auth')
 export class AuthController {
   private readonly logger = new Logger(AuthController.name);
@@ -111,6 +113,7 @@ export class AuthController {
     return workspace;
   }
 
+  @SkipThrottle()
   @UseGuards(JwtAuthGuard)
   @HttpCode(HttpStatus.OK)
   @Post('change-password')
@@ -173,6 +176,7 @@ export class AuthController {
     return this.authService.verifyUserToken(verifyUserTokenDto, workspace.id);
   }
 
+  @SkipThrottle()
   @UseGuards(JwtAuthGuard)
   @HttpCode(HttpStatus.OK)
   @Post('collab-token')
@@ -183,6 +187,7 @@ export class AuthController {
     return this.authService.getCollabToken(user, workspace.id);
   }
 
+  @SkipThrottle()
   @UseGuards(JwtAuthGuard)
   @HttpCode(HttpStatus.OK)
   @Post('logout')

apps/server/src/integrations/throttle/throttle.module.ts

@@ -0,0 +1,35 @@
+import { Module } from '@nestjs/common';
+import { ThrottlerModule } from '@nestjs/throttler';
+import { ThrottlerStorageRedisService } from '@nest-lab/throttler-storage-redis';
+import { EnvironmentService } from '../environment/environment.service';
+import { EnvironmentModule } from '../environment/environment.module';
+import { parseRedisUrl } from '../../common/helpers';
+import Redis from 'ioredis';
+
+@Module({
+  imports: [
+    ThrottlerModule.forRootAsync({
+      imports: [EnvironmentModule],
+      useFactory: (environmentService: EnvironmentService) => {
+        const redisConfig = parseRedisUrl(environmentService.getRedisUrl());
+
+        return {
+          throttlers: [{ name: 'auth', ttl: 60_000, limit: 10 }],
+          errorMessage: 'Too many requests',
+          storage: new ThrottlerStorageRedisService(
+            new Redis({
+              host: redisConfig.host,
+              port: redisConfig.port,
+              password: redisConfig.password,
+              db: redisConfig.db,
+              family: redisConfig.family,
+              keyPrefix: 'throttle:',
+            }),
+          ),
+        };
+      },
+      inject: [EnvironmentService],
+    }),
+  ],
+})
+export class ThrottleModule {}

apps/server/src/main.ts

@@ -10,6 +10,7 @@ import { TransformHttpResponseInterceptor } from './common/interceptors/http-res
 import { WsRedisIoAdapter } from './ws/adapter/ws-redis.adapter';
 import fastifyMultipart from '@fastify/multipart';
 import fastifyCookie from '@fastify/cookie';
+import fastifyIp from 'fastify-ip';
 import { InternalLogFilter } from './common/logger/internal-log-filter';
 
 async function bootstrap() {
@@ -45,6 +46,7 @@ async function bootstrap() {
 
   app.useWebSocketAdapter(redisIoAdapter);
 
+  await app.register(fastifyIp);
   await app.register(fastifyMultipart);
   await app.register(fastifyCookie);