Add express-slow-down to thumbnail route

packages/server/package.json

@@ -24,6 +24,7 @@
     "@types/express": "^4.17.10",
     "@types/express-fileupload": "^1.1.6",
     "@types/express-rate-limit": "^5.1.1",
+    "@types/express-slow-down": "^1.3.1",
     "@types/file-type": "^10.9.1",
     "@types/fluent-ffmpeg": "^2.1.16",
     "@types/jest": "^26.0.21",
@@ -57,6 +58,7 @@
     "express": "^4.17.1",
     "express-fileupload": "^1.2.1",
     "express-rate-limit": "^5.2.6",
+    "express-slow-down": "^1.4.0",
     "file-type": "^16.5.0",
     "fluent-ffmpeg": "^2.1.2",
     "morgan": "^1.10.0",

packages/server/src/app.ts

@@ -3,6 +3,7 @@ import cors from 'cors';
 import morgan from 'morgan';
 import cookieParser from 'cookie-parser';
 import rateLimit from 'express-rate-limit';
+import slowDown from 'express-slow-down';
 import fileUpload from 'express-fileupload';
 import fileType from 'file-type';
 import thumbnailsRouter from './routes/thumbnails';
@@ -34,6 +35,12 @@ const rateLimiter = rateLimit({
   },
   onLimitReached: (req) => logger.warn(`${req.ip} hit rate limit`),
 });
+const speedLimiter = slowDown({
+  windowMs: 60 * 1000, // 15 minutes
+  delayAfter: 5, // allow 100 requests per 15 minutes, then...
+  delayMs: 300, // begin adding 500ms of delay per request above 100:
+});
+
 app.use(express.json());
 app.use(cookieParser());
 app.use(express.urlencoded({ extended: true }));
@@ -41,7 +48,7 @@ app.set('trust proxy', config.PROXY);
 
 app.use(express.static('public'));
 app.use('/api/images', requireAuth, fileUpload(), imagesRouter);
-app.use('/api/thumbnails', requireAuth, thumbnailsRouter);
+app.use('/api/thumbnails', requireAuth, speedLimiter, thumbnailsRouter);
 app.use('/api/meta', metaRouter);
 app.use('/api/login', rateLimiter, loginRouter);
 app.use('/api/user', requireAuth, userRouter);