Return back to basic rate limit middleware, setup server session to block user route to test

2025-04-19 19:01:19 +00:00 · 2024-09-30 19:41:26 -05:00 · 2024-09-30 19:41:26 -05:00 · e59bee30f7
commit e59bee30f7
parent f56c54cebb
2 changed files with 13 additions and 41 deletions
--- a/src/middleware.js
+++ b/src/middleware.js
@ -4,54 +4,22 @@ import { kv } from '@vercel/kv';

 const ratelimit = new Ratelimit({
  redis: kv,
+  // 5 requests from the same IP in 10 seconds
  limiter: Ratelimit.slidingWindow(5, '10 s'),
 });

+// Define which routes you want to rate limit
 export const config = {
-  matcher: ['/api/:path*'],
+  matcher: '/',
 };

-export default async function combinedMiddleware(request) {
+export default async function middleware(request) {
+  // You could alternatively limit based on user ID or similar
  const ip = request.ip ?? '127.0.0.1';
-  const pathname = request.nextUrl.pathname;
-
-  // Allow access to .well-known paths
-  if (pathname.startsWith('/.well-known')) {
-    const { success } = await ratelimit.limit(ip);
-    return success
-      ? NextResponse.next()
-      : NextResponse.redirect(new URL('/blocked', request.url));
-  }
-
-  // Check if the request is internal
-  if (!isInternalRequest(request)) {
-    return new NextResponse(JSON.stringify({ error: 'Forbidden' }), { 
-      status: 403,
-      headers: { 'Content-Type': 'application/json' }
-    });
-  }
-
-  // Apply rate limiting for allowed requests
-  const { success } = await ratelimit.limit(ip);
+  const { success, pending, limit, reset, remaining } = await ratelimit.limit(
+    ip
+  );
  return success
    ? NextResponse.next()
    : NextResponse.redirect(new URL('/blocked', request.url));
-}
-
-function isInternalRequest(request) {
-  // Check if the request is from the same origin
-  const requestHost = request.headers.get('host');
-  const requestProtocol = request.headers.get('x-forwarded-proto') || 'http';
-  const requestOrigin = `${requestProtocol}://${requestHost}`;
-
-  // Check if the request has a referer from the same origin
-  const referer = request.headers.get('referer');
-  
-  // Allow requests with no referer (direct API calls from your app)
-  if (!referer) {
-    return true;
-  }
-
-  // Check if the referer matches the request origin
-  return referer.startsWith(requestOrigin);
 }
--- a/src/pages/api/users/index.js
+++ b/src/pages/api/users/index.js
@ -6,7 +6,11 @@ export default async function handler(req, res) {
  if (req.method === 'GET') {
    try {
      const session = await getServerSession(req, res, authOptions)
-      console.log("Session", session)
+      
+      if (!session) {
+        return res.status(401).json({ error: 'Unauthorized' });
+      }
+
      const users = await getAllUsers();
      res.status(200).json(users);
    } catch (error) {