FoundKey/packages/backend/src/server/api/endpoints/notes/reactions/create.ts
Johann150 e9f68e65b7
server: fix rate limit for adding reactions
Adding a reaction may delete a previous reaction to the same note,
thus consequently this needs to be in the rate limiting group if this
happens. Otherwise the rate limit can be circumvented.

Changelog: Fixed
2023-03-28 22:50:04 +02:00

60 lines
1.8 KiB
TypeScript

import { createReaction } from '@/services/note/reaction/create.js';
import define from '@/server/api/define.js';
import { getNote } from '@/server/api/common/getters.js';
import { ApiError } from '@/server/api/error.js';
import { HOUR, SECOND } from '@/const.js';
import { limiter } from '@/server/api/limiter.js';
import { NoteReactions } from '@/models/index.js';
export const meta = {
tags: ['reactions', 'notes'],
description: 'Add a reaction to a note. If there already is a reaction to this note, deletes it and is consequently subject to the `delete` rate limiting group as if using `notes/reactions/delete`.',
requireCredential: true,
kind: 'write:reactions',
errors: ['NO_SUCH_NOTE', 'ALREADY_REACTED', 'BLOCKED', 'RATE_LIMIT_EXCEEDED'],
} as const;
export const paramDef = {
type: 'object',
properties: {
noteId: { type: 'string', format: 'misskey:id' },
reaction: { type: 'string' },
},
required: ['noteId', 'reaction'],
} as const;
// eslint-disable-next-line import/no-default-export
export default define(meta, paramDef, async (ps, user) => {
const [note, reactionCount] = await Promise.all([
getNote(ps.noteId, user).catch(err => {
if (err.id === '9725d0ce-ba28-4dde-95a7-2cbb2c15de24') throw new ApiError('NO_SUCH_NOTE');
throw err;
}),
NoteReactions.countBy({
noteId: ps.noteId,
userId: user.id,
}),
]);
if (reactionCount > 0) {
const limit = {
key: 'delete',
duration: HOUR,
max: 30,
minInterval: 10 * SECOND,
};
await limiter(limit, user.id);
}
await createReaction(user, note, ps.reaction).catch(e => {
if (e.id === '51c42bb4-931a-456b-bff7-e5a8a70dd298') throw new ApiError('ALREADY_REACTED');
if (e.id === 'e70412a4-7197-4726-8e74-f3e0deb92aa7') throw new ApiError('BLOCKED');
throw e;
});
return;
});