From b35cd58a76eb42bf2f4a3e531e6116084f94a4b0 Mon Sep 17 00:00:00 2001 From: Bryan Stitt Date: Mon, 19 Jun 2023 10:21:48 -0700 Subject: [PATCH] rate limit user_balance_post by bearer OR ip --- web3_proxy/src/frontend/users/payment.rs | 18 ++++++++++++++---- 1 file changed, 14 insertions(+), 4 deletions(-) diff --git a/web3_proxy/src/frontend/users/payment.rs b/web3_proxy/src/frontend/users/payment.rs index 37b14bff..a2293dca 100644 --- a/web3_proxy/src/frontend/users/payment.rs +++ b/web3_proxy/src/frontend/users/payment.rs @@ -109,11 +109,21 @@ pub async fn user_balance_post( Extension(app): Extension>, InsecureClientIp(ip): InsecureClientIp, Path(mut params): Path>, + bearer: Option>>, ) -> Web3ProxyResponse { - // I suppose this is ok / good, so people don't spam this endpoint as it is not "cheap" - // we rate limit by ip instead of bearer token so transactions are easy to submit from scripts - // TODO: if ip is a 10. or a 172., allow unlimited - let authorization = login_is_authorized(&app, ip).await?; + // rate limit by bearer token **OR** IP address + let (authorization, _semaphore) = if let Some(TypedHeader(Authorization(bearer))) = bearer { + let (_, semaphore) = app.bearer_is_authorized(bearer).await?; + + // TODO: is handling this as internal fine? + let authorization = Web3ProxyAuthorization::internal(app.db_conn())?; + + (authorization, Some(semaphore)) + } else { + let authorization = login_is_authorized(&app, ip).await?; + + (authorization, None) + }; // Get the transaction hash let tx_hash: H256 = params