From 4984a26aa7c141b642325e7ea388782f1c22c927 Mon Sep 17 00:00:00 2001
From: Ondrej Synacek <ondrejsynacek@fastmail.com>
Date: Tue, 5 Nov 2019 21:08:59 +0100
Subject: [PATCH] set more strict rate limiting for download endpoint

---
 lib/index.js | 7 ++++++-
 1 file changed, 6 insertions(+), 1 deletion(-)

diff --git a/lib/index.js b/lib/index.js
index 8c806bd..26eb086 100644
--- a/lib/index.js
+++ b/lib/index.js
@@ -22,6 +22,10 @@ const enforceHTTPS = Boolean(process.env.ENFORCE_HTTPS)
 
 const app = express()
 const appLogger = createAppLogger({ dev: isDevelopment })
+const limiter = rateLimit({
+  windowMs: 60 * 1000,
+  max: 10,
+})
 
 // Force app to always redirect to HTTPS
 // use when you can't configure web server
@@ -34,6 +38,7 @@ app.use(createRouteLogger({ dev: isDevelopment }))
 
 app.set('view engine', 'ejs')
 app.set('views', path.join(__dirname, 'views'))
+app.set('trust proxy', 1)
 
 app.use(express.static(path.join(__dirname, 'public')))
 app.use(favicon(path.join(__dirname, 'public', 'favicon.ico')))
@@ -66,8 +71,8 @@ app.get('*', (req, res) => {
   res.status(400).render('404')
 })
 
+app.use('/download', limiter)
 app.use('/download', checkURLParameter)
-app.use('/download', rateLimit())
 app.post('/download', async (req, res, next) => {
   try {
     const { url } = req.body