ack

Signed-off-by: limepotato <limepot@protonmail.ch>

package.json

@@ -1,6 +1,6 @@
 {
   "name": "iceshrimp",
-  "version": "2023.12.9-jormungandr.23",
+  "version": "2023.12.9-jormungandr.23.1",
   "repository": {
     "type": "git",
     "url": "https://iceshrimp.dev/limepotato/jormungandr-bite.git"

packages/backend/src/remote/activitypub/models/question.ts

@@ -8,10 +8,8 @@ import type { IPoll } from "@/models/entities/poll.js";
 
 export async function extractPollFromQuestion(
 	source: string | IObject,
-	resolver?: Resolver,
+	resolver: Resolver,
 ): Promise<IPoll> {
-	if (resolver == null) resolver = new Resolver();
-
 	const question = await resolver.resolve(source);
 
 	if (!isQuestion(question)) {
@@ -52,7 +50,7 @@ export async function extractPollFromQuestion(
  */
 export async function updateQuestion(
 	value: string | IQuestion,
-	resolver?: Resolver,
+	resolver: Resolver,
 ): Promise<boolean> {
 	const uri = typeof value === "string" ? value : getApId(value);
 
@@ -68,8 +66,7 @@ export async function updateQuestion(
 	//#endregion
 
 	// resolve new Question object
-	const _resolver = resolver ?? new Resolver();
+	const question = (await resolver.resolve(value)) as IQuestion;
-	const question = (await _resolver.resolve(value)) as IQuestion;
 	apLogger.debug(`fetched question: ${JSON.stringify(question, null, 2)}`);
 
 	if (question.type !== "Question") throw new Error("object is not a Question");

packages/backend/src/server/api/endpoints/ap/show.ts

@@ -104,6 +104,8 @@ async function fetchAny(
 	if (await shouldBlockInstance(extractDbHost(uri))) return null;
 
 	const dbResolver = new DbResolver();
+	const resolver = new Resolver();
+	resolver.setUser(me);
 
 	const [user, note] = await Promise.all([
 		dbResolver.getUserFromApId(uri),
@@ -115,7 +117,7 @@ async function fetchAny(
 			// Update questions if the stored (remote) note contains the poll
 			const key = `pollFetched:${note.uri}`;
 			if ((await redisClient.exists(key)) === 0) {
-				if (await updateQuestion(note.uri)) {
+				if (await updateQuestion(note.uri, resolver)) {
 					local.object.poll = await populatePoll(note, me?.id ?? null);
 				}
 				// Allow fetching the poll again after 1 minute
@@ -126,8 +128,6 @@ async function fetchAny(
 	}
 
 	// fetching Object once from remote
-	const resolver = new Resolver();
-	resolver.setUser(me);
 	const object = await resolver.resolve(uri);
 
 	// /@user If a URI other than the id is specified,

packages/backend/src/server/file/send-drive-file.ts

@@ -14,7 +14,10 @@ import { detectType } from "@/misc/get-file-info.js";
 import { convertToWebp } from "@/services/drive/image-processor.js";
 import { GenerateVideoThumbnail } from "@/services/drive/generate-video-thumbnail.js";
 import { StatusError } from "@/misc/fetch.js";
-import { FILE_TYPE_BROWSERSAFE } from "@/const.js";
+import { FILE_TYPE_BROWSERSAFE, MINUTE } from "@/const.js";
+import { IEndpointMeta } from "@/server/api/endpoints.js";
+import { getIpHash } from "@/misc/get-ip-hash.js";
+import { limiter } from "@/server/api/limiter.js";
 
 const _filename = fileURLToPath(import.meta.url);
 const _dirname = dirname(_filename);
@@ -31,6 +34,31 @@ const commonReadableHandlerGenerator =
 export default async function (ctx: Koa.Context) {
 	const key = ctx.params.key;
 
+	// koa will automatically load the `X-Forwarded-For` header if `proxy: true` is configured in the app.
+	let limitActor: string;
+	limitActor = getIpHash(ctx.ip);
+
+	const limit: IEndpointMeta["limit"] = {
+		key: `drive-file:${key}`,
+		duration: MINUTE * 10,
+		max: 10
+	}
+
+	// Rate limit
+	await limiter(
+		limit as IEndpointMeta["limit"] & { key: NonNullable<string> },
+		limitActor,
+	).catch((e) => {
+		const remainingTime = e.remainingTime
+			? `Please try again in ${e.remainingTime}.`
+			: "Please try again later.";
+
+		ctx.status = 429;
+		ctx.body = "Rate limit exceeded. " + remainingTime;
+	});
+
+	if (ctx.status == 429) return;
+
 	// Fetch drive file
 	const file = await DriveFiles.createQueryBuilder("file")
 		.where("file.accessKey = :accessKey", { accessKey: key })

packages/backend/src/server/proxy/proxy-media.ts

@@ -9,9 +9,12 @@ import { createTemp } from "@/misc/create-temp.js";
 import { downloadUrl } from "@/misc/download-url.js";
 import { detectType } from "@/misc/get-file-info.js";
 import { StatusError } from "@/misc/fetch.js";
-import { FILE_TYPE_BROWSERSAFE } from "@/const.js";
+import { FILE_TYPE_BROWSERSAFE, MINUTE } from "@/const.js";
 import { serverLogger } from "../index.js";
 import { isMimeImage } from "@/misc/is-mime-image.js";
+import { getIpHash } from "@/misc/get-ip-hash.js";
+import { limiter } from "@/server/api/limiter.js";
+import { IEndpointMeta } from "@/server/api/endpoints.js";
 
 export async function proxyMedia(ctx: Koa.Context) {
 	const url = "url" in ctx.query ? ctx.query.url : `https://${ctx.params.url}`;
@@ -21,6 +24,33 @@ export async function proxyMedia(ctx: Koa.Context) {
 		return;
 	}
 
+	// koa will automatically load the `X-Forwarded-For` header if `proxy: true` is configured in the app.
+	let limitActor: string;
+	limitActor = getIpHash(ctx.ip);
+
+	const parsedUrl = new URL(url);
+
+	const limit: IEndpointMeta["limit"] = {
+		key: `media-proxy:${parsedUrl.host}:${parsedUrl.pathname}`,
+		duration: MINUTE * 10,
+		max: 10
+	}
+
+	// Rate limit
+	await limiter(
+		limit as IEndpointMeta["limit"] & { key: NonNullable<string> },
+		limitActor,
+	).catch((e) => {
+		const remainingTime = e.remainingTime
+			? `Please try again in ${e.remainingTime}.`
+			: "Please try again later.";
+
+		ctx.status = 429;
+		ctx.body = "Rate limit exceeded. " + remainingTime;
+	});
+
+	if (ctx.status == 429) return;
+
 	const { hostname } = new URL(url);
 	let resolvedIps;
 	try {

packages/client/src/components/MkNoteHeader.vue

@@ -79,6 +79,7 @@ const showTicker =
 	justify-self: flex-end;
 	border-radius: var(--radius-big);
 	font-size: 0.8em;
+	width: 100%;
 	> .avatar {
 		width: 3.7em;
 		height: 3.7em;