Fix runner api rate limit bypass

2025-10-06 03:50:26 +02:00 · 2023-06-20 14:17:34 +02:00 · 2023-06-20 14:17:34 +02:00 · e915cde30e
commit e915cde30e
parent 923e41fa4f
26 changed files with 122 additions and 31 deletions
--- a/server/controllers/api/runners/index.ts
+++ b/server/controllers/api/runners/index.ts
@ -6,6 +6,8 @@ import { runnerRegistrationTokensRouter } from './registration-tokens'

 const runnersRouter = express.Router()

+// No api route limiter here, they are defined in child routers
+
 runnersRouter.use('/', manageRunnersRouter)
 runnersRouter.use('/', runnerJobsRouter)
 runnersRouter.use('/', runnerJobFilesRouter)
--- a/server/controllers/api/runners/jobs-files.ts
+++ b/server/controllers/api/runners/jobs-files.ts
@ -3,7 +3,7 @@ import { logger, loggerTagsFactory } from '@server/helpers/logger'
 import { proxifyHLS, proxifyWebTorrentFile } from '@server/lib/object-storage'
 import { VideoPathManager } from '@server/lib/video-path-manager'
 import { getStudioTaskFilePath } from '@server/lib/video-studio'
-import { asyncMiddleware } from '@server/middlewares'
+import { apiRateLimiter, asyncMiddleware } from '@server/middlewares'
 import { jobOfRunnerGetValidator } from '@server/middlewares/validators/runners'
 import {
  runnerJobGetVideoStudioTaskFileValidator,
@ -16,18 +16,21 @@ const lTags = loggerTagsFactory('api', 'runner')
 const runnerJobFilesRouter = express.Router()

 runnerJobFilesRouter.post('/jobs/:jobUUID/files/videos/:videoId/max-quality',
+  apiRateLimiter,
  asyncMiddleware(jobOfRunnerGetValidator),
  asyncMiddleware(runnerJobGetVideoTranscodingFileValidator),
  asyncMiddleware(getMaxQualityVideoFile)
 )

 runnerJobFilesRouter.post('/jobs/:jobUUID/files/videos/:videoId/previews/max-quality',
+  apiRateLimiter,
  asyncMiddleware(jobOfRunnerGetValidator),
  asyncMiddleware(runnerJobGetVideoTranscodingFileValidator),
  getMaxQualityVideoPreview
 )

 runnerJobFilesRouter.post('/jobs/:jobUUID/files/videos/:videoId/studio/task-files/:filename',
+  apiRateLimiter,
  asyncMiddleware(jobOfRunnerGetValidator),
  asyncMiddleware(runnerJobGetVideoTranscodingFileValidator),
  runnerJobGetVideoStudioTaskFileValidator,
--- a/server/controllers/api/runners/jobs.ts
+++ b/server/controllers/api/runners/jobs.ts
@ -7,6 +7,7 @@ import { MIMETYPES } from '@server/initializers/constants'
 import { sequelizeTypescript } from '@server/initializers/database'
 import { getRunnerJobHandlerClass, updateLastRunnerContact } from '@server/lib/runners'
 import {
+  apiRateLimiter,
  asyncMiddleware,
  authenticate,
  ensureUserHasRight,
@ -69,11 +70,13 @@ const runnerJobsRouter = express.Router()
 // ---------------------------------------------------------------------------

 runnerJobsRouter.post('/jobs/request',
+  apiRateLimiter,
  asyncMiddleware(getRunnerFromTokenValidator),
  asyncMiddleware(requestRunnerJob)
 )

 runnerJobsRouter.post('/jobs/:jobUUID/accept',
+  apiRateLimiter,
  asyncMiddleware(runnerJobGetValidator),
  acceptRunnerJobValidator,
  asyncMiddleware(getRunnerFromTokenValidator),
@ -81,6 +84,7 @@ runnerJobsRouter.post('/jobs/:jobUUID/accept',
 )

 runnerJobsRouter.post('/jobs/:jobUUID/abort',
+  apiRateLimiter,
  asyncMiddleware(jobOfRunnerGetValidator),
  abortRunnerJobValidator,
  asyncMiddleware(abortRunnerJob)
@ -88,6 +92,7 @@ runnerJobsRouter.post('/jobs/:jobUUID/abort',

 runnerJobsRouter.post('/jobs/:jobUUID/update',
  runnerJobUpdateVideoFiles,
+  apiRateLimiter, // Has to be after multer middleware to parse runner token
  asyncMiddleware(jobOfRunnerGetValidator),
  updateRunnerJobValidator,
  asyncMiddleware(updateRunnerJobController)
@ -101,6 +106,7 @@ runnerJobsRouter.post('/jobs/:jobUUID/error',

 runnerJobsRouter.post('/jobs/:jobUUID/success',
  postRunnerJobSuccessVideoFiles,
+  apiRateLimiter, // Has to be after multer middleware to parse runner token
  asyncMiddleware(jobOfRunnerGetValidator),
  successRunnerJobValidator,
  asyncMiddleware(postRunnerJobSuccess)
--- a/server/controllers/api/runners/manage-runners.ts
+++ b/server/controllers/api/runners/manage-runners.ts
@ -2,6 +2,7 @@ import express from 'express'
 import { logger, loggerTagsFactory } from '@server/helpers/logger'
 import { generateRunnerToken } from '@server/helpers/token-generator'
 import {
+  apiRateLimiter,
  asyncMiddleware,
  authenticate,
  ensureUserHasRight,
@ -19,15 +20,18 @@ const lTags = loggerTagsFactory('api', 'runner')
 const manageRunnersRouter = express.Router()

 manageRunnersRouter.post('/register',
+  apiRateLimiter,
  asyncMiddleware(registerRunnerValidator),
  asyncMiddleware(registerRunner)
 )
 manageRunnersRouter.post('/unregister',
+  apiRateLimiter,
  asyncMiddleware(getRunnerFromTokenValidator),
  asyncMiddleware(unregisterRunner)
 )

 manageRunnersRouter.delete('/:runnerId',
+  apiRateLimiter,
  authenticate,
  ensureUserHasRight(UserRight.MANAGE_RUNNERS),
  asyncMiddleware(deleteRunnerValidator),
@ -35,6 +39,7 @@ manageRunnersRouter.delete('/:runnerId',
 )

 manageRunnersRouter.get('/',
+  apiRateLimiter,
  authenticate,
  ensureUserHasRight(UserRight.MANAGE_RUNNERS),
  paginationValidator,
--- a/server/controllers/api/runners/registration-tokens.ts
+++ b/server/controllers/api/runners/registration-tokens.ts
@ -1,6 +1,8 @@
 import express from 'express'
+import { logger, loggerTagsFactory } from '@server/helpers/logger'
 import { generateRunnerRegistrationToken } from '@server/helpers/token-generator'
 import {
+  apiRateLimiter,
  asyncMiddleware,
  authenticate,
  ensureUserHasRight,
@ -12,19 +14,20 @@ import {
 import { deleteRegistrationTokenValidator } from '@server/middlewares/validators/runners'
 import { RunnerRegistrationTokenModel } from '@server/models/runner/runner-registration-token'
 import { HttpStatusCode, ListRunnerRegistrationTokensQuery, UserRight } from '@shared/models'
-import { logger, loggerTagsFactory } from '@server/helpers/logger'

 const lTags = loggerTagsFactory('api', 'runner')

 const runnerRegistrationTokensRouter = express.Router()

 runnerRegistrationTokensRouter.post('/registration-tokens/generate',
+  apiRateLimiter,
  authenticate,
  ensureUserHasRight(UserRight.MANAGE_RUNNERS),
  asyncMiddleware(generateRegistrationToken)
 )

 runnerRegistrationTokensRouter.delete('/registration-tokens/:id',
+  apiRateLimiter,
  authenticate,
  ensureUserHasRight(UserRight.MANAGE_RUNNERS),
  asyncMiddleware(deleteRegistrationTokenValidator),
@ -32,6 +35,7 @@ runnerRegistrationTokensRouter.delete('/registration-tokens/:id',
 )

 runnerRegistrationTokensRouter.get('/registration-tokens',
+  apiRateLimiter,
  authenticate,
  ensureUserHasRight(UserRight.MANAGE_RUNNERS),
  paginationValidator,