Potential fix for code scanning alert no. 63: Missing rate limiting

Co-authored-by: Copilot Autofix powered by AI <62310815+github-advanced-security[bot]@users.noreply.github.com>
sthsuyash · Jan 25, 2025 · c4eae41 · c4eae41
1 parent 5fca159
commit c4eae41
Show file tree

Hide file tree

Showing 2 changed files with 11 additions and 2 deletions.
diff --git a/api/package.json b/api/package.json
@@ -32,7 +32,8 @@
 		"mongoose": "^8.9.4",
 		"morgan": "^1.10.0",
 		"multer": "^1.4.5-lts.1",
-		"nodemailer": "^6.9.16"
+		"nodemailer": "^6.9.16",
+		"express-rate-limit": "^7.5.0"
 	},
 	"devDependencies": {
 		"nodemon": "^3.1.9",

diff --git a/api/routes/post.route.js b/api/routes/post.route.js
@@ -1,4 +1,5 @@
 import express from "express";
+import rateLimit from "express-rate-limit";
 import {
   getAllPosts,
   createPost,
@@ -23,11 +24,18 @@ const storage = multer.diskStorage({
   },
 });
 const upload = multer({ storage });
+
+// Configure rate limiter: maximum of 100 requests per 15 minutes
+const limiter = rateLimit({
+  windowMs: 15 * 60 * 1000, // 15 minutes
+  max: 100, // limit each IP to 100 requests per windowMs
+});
+
 const router = express.Router();
 
 // Admin routes
 router.get("/admin", verifyToken, isAdmin, getAllPosts);
-router.post("/admin", verifyToken, isAdmin, upload.single("image"), createPost);
+router.post("/admin", limiter, verifyToken, isAdmin, upload.single("image"), createPost);
 router.get("/admin/:postId", verifyToken, isAdmin, getPostById);
 router.put("/admin/:postId", verifyToken, isAdmin, updatePostById);
 router.delete("/admin/:postId", verifyToken, isAdmin, deletePostById);