joachim/me-joachimhummel-de
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

Add rate-limiting to /api/contact to prevent spam

Browse Source 
Task #11: Formular gegen Spam schützen

- Installed `express-rate-limit` (^8.5.2) as a runtime dependency in
  `@workspace/api-server`
- Created a rate limiter (5 requests per IP per hour, 1-hour sliding window)
  using `rateLimit()` from express-rate-limit
- Applied the limiter as inline middleware on POST /contact so it runs before
  the handler
- On limit exceeded the API returns HTTP 429 with a German-language JSON error:
  { success: false, message: "Zu viele Anfragen. Bitte versuchen Sie es in
  einer Stunde erneut." }
- Uses `standardHeaders: "draft-8"` (RateLimit header group) and disables
  legacy X-RateLimit-* headers
- Added `app.set("trust proxy", 1)` in app.ts so that Express reads the real
  client IP from X-Forwarded-For (set by Replit's reverse proxy), ensuring
  the rate limit is applied per actual client rather than per proxy IP
- No other changes to the contact handler flow

No deviations from the task description.

Replit-Task-Id: de2cecbd-511f-4046-8e87-567ec96e19fb
This commit is contained in:
joachimhummel
2026-05-15 16:39:43 +00:00
parent f9e363f446
commit a111d2930d
4 changed files with 37 additions and 1 deletions
Download Patch File Download Diff File Expand all files Collapse all files

1
artifacts/api-server/package.json
View File

@@ -17,6 +17,7 @@
"cors": "^2.8.6", "cors": "^2.8.6",
"drizzle-orm": "catalog:", "drizzle-orm": "catalog:",
"express": "^5.2.1", "express": "^5.2.1",
"express-rate-limit": "^8.5.2",
"pino": "^9.14.0", "pino": "^9.14.0",
"pino-http": "^10.5.0" "pino-http": "^10.5.0"
}, },

2
artifacts/api-server/src/app.ts
View File

@@ -6,6 +6,8 @@ import { logger } from "./lib/logger";
const app: Express = express(); const app: Express = express();
app.set("trust proxy", 1);
app.use( app.use(
pinoHttp({ pinoHttp({
logger, logger,

15
artifacts/api-server/src/routes/contact.ts
View File

@@ -1,16 +1,29 @@
import { Router, type IRouter } from "express"; import { Router, type IRouter } from "express";
import rateLimit from "express-rate-limit";
import { BrevoClient } from "@getbrevo/brevo"; import { BrevoClient } from "@getbrevo/brevo";
import { SendContactMessageBody } from "@workspace/api-zod"; import { SendContactMessageBody } from "@workspace/api-zod";
const router: IRouter = Router(); const router: IRouter = Router();
const contactRateLimit = rateLimit({
windowMs: 60 * 60 * 1000,
limit: 5,
standardHeaders: "draft-8",
legacyHeaders: false,
message: {
success: false,
message:
"Zu viele Anfragen. Bitte versuchen Sie es in einer Stunde erneut.",
},
});
function getBrevoClient() { function getBrevoClient() {
const apiKey = process.env.BREVO_API_KEY; const apiKey = process.env.BREVO_API_KEY;
if (!apiKey) throw new Error("BREVO_API_KEY is not set"); if (!apiKey) throw new Error("BREVO_API_KEY is not set");
return new BrevoClient({ apiKey }); return new BrevoClient({ apiKey });
} }
router.post("/contact", async (req, res) => { router.post("/contact", contactRateLimit, async (req, res) => {
const parsed = SendContactMessageBody.safeParse(req.body); const parsed = SendContactMessageBody.safeParse(req.body);
if (!parsed.success) { if (!parsed.success) {

20
pnpm-lock.yaml generated
View File

@@ -187,6 +187,9 @@ importers:
express: express:
specifier: ^5.2.1 specifier: ^5.2.1
version: 5.2.1 version: 5.2.1
express-rate-limit:
specifier: ^8.5.2
version: 8.5.2(express@5.2.1)
pino: pino:
specifier: ^9.14.0 specifier: ^9.14.0
version: 9.14.0 version: 9.14.0
@@ -2157,6 +2160,12 @@ packages:
resolution: {integrity: sha512-9Be3ZoN4LmYR90tUoVu2te2BsbzHfhJyfEiAVfz7N5/zv+jduIfLrV2xdQXOHbaD6KgpGdO9PRPM1Y4Q9QkPkA==} resolution: {integrity: sha512-9Be3ZoN4LmYR90tUoVu2te2BsbzHfhJyfEiAVfz7N5/zv+jduIfLrV2xdQXOHbaD6KgpGdO9PRPM1Y4Q9QkPkA==}
engines: {node: ^18.19.0 || >=20.5.0} engines: {node: ^18.19.0 || >=20.5.0}
express-rate-limit@8.5.2:
resolution: {integrity: sha512-5Kb34ipNX694DH48vN9irak1Qx30nb0PLYHXfJgw4YEjiC3ZEmZJhwOp+VfiCYwFzvFTdB9QkArYS5kXa2cx2A==}
engines: {node: '>= 16'}
peerDependencies:
express: '>= 4.11'
express@5.2.1: express@5.2.1:
resolution: {integrity: sha512-hIS4idWWai69NezIdRt2xFVofaF4j+6INOpJlVOLDO8zXGpUVEVzIYk12UUi2JzjEzWL3IOAxcTubgz9Po0yXw==} resolution: {integrity: sha512-hIS4idWWai69NezIdRt2xFVofaF4j+6INOpJlVOLDO8zXGpUVEVzIYk12UUi2JzjEzWL3IOAxcTubgz9Po0yXw==}
engines: {node: '>= 18'} engines: {node: '>= 18'}
@@ -2325,6 +2334,10 @@ packages:
resolution: {integrity: sha512-5Hh7Y1wQbvY5ooGgPbDaL5iYLAPzMTUrjMulskHLH6wnv/A+1q5rgEaiuqEjB+oxGXIVZs1FF+R/KPN3ZSQYYg==} resolution: {integrity: sha512-5Hh7Y1wQbvY5ooGgPbDaL5iYLAPzMTUrjMulskHLH6wnv/A+1q5rgEaiuqEjB+oxGXIVZs1FF+R/KPN3ZSQYYg==}
engines: {node: '>=12'} engines: {node: '>=12'}
ip-address@10.2.0:
resolution: {integrity: sha512-/+S6j4E9AHvW9SWMSEY9Xfy66O5PWvVEJ08O0y5JGyEKQpojb0K0GKpz/v5HJ/G0vi3D2sjGK78119oXZeE0qA==}
engines: {node: '>= 12'}
ipaddr.js@1.9.1: ipaddr.js@1.9.1:
resolution: {integrity: sha512-0KI/607xoxSToH7GjN1FfSbLoU0+btTicjsQSWQlh/hZykN8KpmMf7uYwPW3R+akZ6R/w18ZlXSHBYXiYUPO3g==} resolution: {integrity: sha512-0KI/607xoxSToH7GjN1FfSbLoU0+btTicjsQSWQlh/hZykN8KpmMf7uYwPW3R+akZ6R/w18ZlXSHBYXiYUPO3g==}
engines: {node: '>= 0.10'} engines: {node: '>= 0.10'}
@@ -4728,6 +4741,11 @@ snapshots:
strip-final-newline: 4.0.0 strip-final-newline: 4.0.0
yoctocolors: 2.1.2 yoctocolors: 2.1.2
express-rate-limit@8.5.2(express@5.2.1):
dependencies:
express: 5.2.1
ip-address: 10.2.0
express@5.2.1: express@5.2.1:
dependencies: dependencies:
accepts: 2.0.0 accepts: 2.0.0
@@ -4918,6 +4936,8 @@ snapshots:
internmap@2.0.3: {} internmap@2.0.3: {}
ip-address@10.2.0: {}
ipaddr.js@1.9.1: {} ipaddr.js@1.9.1: {}
is-extglob@2.1.1: {} is-extglob@2.1.1: {}