fix: add ratelimiting to the asset upload endpoint

Author: MohamedBassem

packages/api/middlewares/rateLimit.ts

@@ -0,0 +1,40 @@
+import { createMiddleware } from "hono/factory";
+import { HTTPException } from "hono/http-exception";
+
+import type { RateLimitConfig } from "@karakeep/shared/ratelimiting";
+import serverConfig from "@karakeep/shared/config";
+import { getRateLimitClient } from "@karakeep/shared/ratelimiting";
+import { Context } from "@karakeep/trpc";
+
+export function createRateLimitMiddleware(config: RateLimitConfig) {
+  return createMiddleware<{
+    Variables: {
+      ctx: Context;
+    };
+  }>(async (c, next) => {
+    if (!serverConfig.rateLimiting.enabled) {
+      return next();
+    }
+
+    const ip = c.var.ctx.req.ip;
+    if (!ip) {
+      return next();
+    }
+
+    const client = await getRateLimitClient();
+    if (!client) {
+      return next();
+    }
+
+    const key = `${ip}:${config.name}`;
+    const result = await client.checkRateLimit(config, key);
+
+    if (!result.allowed) {
+      throw new HTTPException(429, {
+        message: `Rate limit exceeded. Try again in ${result.resetInSeconds} seconds.`,
+      });
+    }
+
+    return next();
+  });
+}

packages/api/routes/assets.ts

@@ -5,13 +5,19 @@ import { z } from "zod";
 import { Asset } from "@karakeep/trpc/models/assets";
 
 import { authMiddleware } from "../middlewares/auth";
+import { createRateLimitMiddleware } from "../middlewares/rateLimit";
 import { serveAsset } from "../utils/assets";
 import { uploadAsset } from "../utils/upload";
 
 const app = new Hono()
   .use(authMiddleware)
   .post(
     "/",
+    createRateLimitMiddleware({
+      name: "assets.upload",
+      windowMs: 60 * 1000,
+      maxRequests: 30,
+    }),
     zValidator(
       "form",
       z