timxx/CloudSearch
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

v0.3.2: fix 401 on save-records fetch + fix 429 rate limiter behind proxy

Browse Source 
- AdminDashboard: M() now sends admin_token from localStorage with fetch
- rate-limit: keyGenerator uses req.ip instead of req.socket.remoteAddress
  (Express trust proxy reads X-Forwarded-For for real client IP)
- main.ts: moved global rateLimiter after express.static so static files
  (JS/CSS/admin page/favicon) are never rate-limited
This commit is contained in:
admin
2026-05-17 04:20:30 +08:00
parent e57298471a
commit 9a4751692f
4 changed files with 11 additions and 10 deletions
Download Patch File Download Diff File Expand all files Collapse all files

12
source_clean/src/middleware/rate-limit.ts
View File

@@ -6,7 +6,7 @@ export const searchLimiter = rateLimit({
max: 150,
standardHeaders: true,
legacyHeaders: false,
keyGenerator: (req) => req.socket.remoteAddress ?? 'unknown',
keyGenerator: (req) => req.ip ?? 'unknown',
message: { error: '搜索请求过于频繁,请稍后再试', code: 429 },
});
@@ -16,7 +16,7 @@ export const adminLimiter = rateLimit({
max: 30,
standardHeaders: true,
legacyHeaders: false,
keyGenerator: (req) => req.socket.remoteAddress ?? 'unknown',
keyGenerator: (req) => req.ip ?? 'unknown',
message: { error: '操作过于频繁,请稍后再试', code: 429 },
});
@@ -26,7 +26,7 @@ export const loginLimiter = rateLimit({
max: 5,
standardHeaders: true,
legacyHeaders: false,
keyGenerator: (req) => req.socket.remoteAddress ?? 'unknown',
keyGenerator: (req) => req.ip ?? 'unknown',
message: { error: '登录尝试次数过多,请一分钟后重试', code: 429 },
});
@@ -36,7 +36,7 @@ export const saveLimiter = rateLimit({
max: 30,
standardHeaders: true,
legacyHeaders: false,
keyGenerator: (req) => req.socket.remoteAddress ?? 'unknown',
keyGenerator: (req) => req.ip ?? 'unknown',
message: { error: '转存操作过于频繁,请稍后再试', code: 429 },
});
@@ -46,11 +46,11 @@ const defaultLimiter = rateLimit({
max: 100,
standardHeaders: true,
legacyHeaders: false,
keyGenerator: (req) => req.socket.remoteAddress ?? 'unknown',
keyGenerator: (req) => req.ip ?? 'unknown',
message: { error: 'Too many requests, please try again later.', code: 429 },
});
export default defaultLimiter;
// NOTE v0.2.8: Fixed keyGenerator to use getClientIP() instead of req.socket.remoteAddress
// v0.3.2: Fixed keyGenerator to use req.ip (Express trust proxy reads X-Forwarded-For)
// This ensures rate limiting works correctly behind reverse proxy (OpenResty)