api: use req.ip instead of cloudflare headers, ratelimit ipv6 by prefix

allows for more versatile configurations that do not necessarily have to use cloudflare also ratelimits IPv6 addresses by prefix instead of individual addresses currently set at /56, which should not be too strict (yet allows a /48 holder to make 256 as many requests instead of 2^80 as many requests), change if needed
2023-07-25 19:46:25 +00:00
parent b4f11b047e
commit a375000ae9
3 changed files with 16 additions and 3 deletions
--- a/src/core/api.js
+++ b/src/core/api.js
@@ -24,7 +24,7 @@ export function runAPI(express, app, gitCommit, gitBranch, __dirname) {
        max: 20,
        standardHeaders: true,
        legacyHeaders: false,
-        keyGenerator: (req, res) => sha256(getIP(req), ipSalt),
+        keyGenerator: req => sha256(getIP(req), ipSalt),
        handler: (req, res, next, opt) => {
            return res.status(429).json({
                "status": "rate-limit",
@@ -37,7 +37,7 @@ export function runAPI(express, app, gitCommit, gitBranch, __dirname) {
        max: 25,
        standardHeaders: true,
        legacyHeaders: false,
-        keyGenerator: (req, res) => sha256(getIP(req), ipSalt),
+        keyGenerator: req => sha256(getIP(req), ipSalt),
        handler: (req, res, next, opt) => {
            return res.status(429).json({
                "status": "rate-limit",
@@ -49,6 +49,8 @@ export function runAPI(express, app, gitCommit, gitBranch, __dirname) {
    const startTime = new Date();
    const startTimestamp = Math.floor(startTime.getTime());

+    app.set('trust proxy', ['loopback', 'uniquelocal']);
+
    app.use('/api/:type', cors(corsConfig));
    app.use('/api/json', apiLimiter);
    app.use('/api/stream', apiLimiterStream);