Use Fly-Client-Ip as rate limit key

epicweb-dev / epic-stack

This is a Full Stack app starter with the foundational things setup and configured for you to hit the ground running on your next EPIC idea.

https://www.epicweb.dev/epic-stack

MIT License

4.32k stars 355 forks source link

Use Fly-Client-Ip as rate limit key #782

Closed nickjamesio closed 2 months ago

nickjamesio commented 2 months ago

The ip used for rate limiting can be spoofed as detailed here https://github.com/epicweb-dev/epic-stack/issues/682

Test Plan

In the browser, submit to a protected route such as login to trigger the rate limit.
Use curl or Postman to submit to the login endpoint but attempt to override the Fly-Client-Ip header for each request. Rate limiting should still be triggered

nickjamesio commented 2 months ago

I don't actually use the Epic stack and I had trouble deploying this to Fly to verify the fix :( This is the error I kept getting.

Error: failed to fetch an image or build from source: error building: failed to receive status: rpc error: code = Unavailable desc = error reading from server: remote error: tls: bad record MAC

It still runs locally though. I copied some of the code I used so it should work. I'm hoping you can try it out in Fly

kentcdodds commented 2 months ago

Could you fix the TypeScript issue?

nickjamesio commented 2 months ago

Could you fix the TypeScript issue?

Sure can! Fixing now