fixes; locked down api (allegedly, idk, i let claude vibe it) and vandilised pedophiles profiles

This commit is contained in:
Clippii
2026-06-28 11:44:52 +01:00
parent 931dd0141c
commit e9567e367b
2 changed files with 68 additions and 7 deletions
+21 -3
@@ -1944,6 +1944,8 @@ function isRateLimited(req) {
const current = rateLimits.get(ip)
if (!current || current.resetAt <= now) {
// When the map is at capacity, deny new IPs rather than clearing existing limits.
if (!current && rateLimits.size >= MAX_RATE_LIMIT_KEYS) return true
rateLimits.set(ip, { count: 1, resetAt: now + API_RATE_LIMIT_WINDOW_MS })
return false
}
@@ -1956,11 +1958,17 @@ function pruneMaps() {
const now = Date.now()
for (const [key, value] of apiCache) {
if (value.expiresAt <= now || apiCache.size > MAX_CACHE_ENTRIES) apiCache.delete(key)
if (value.expiresAt <= now) apiCache.delete(key)
}
if (apiCache.size > MAX_CACHE_ENTRIES) {
const sorted = [...apiCache.entries()].sort((a, b) => a[1].expiresAt - b[1].expiresAt)
for (const [key] of sorted.slice(0, apiCache.size - MAX_CACHE_ENTRIES)) {
apiCache.delete(key)
}
}
for (const [key, value] of rateLimits) {
if (value.resetAt <= now || rateLimits.size > MAX_RATE_LIMIT_KEYS) rateLimits.delete(key)
if (value.resetAt <= now) rateLimits.delete(key)
}
}
@@ -2156,6 +2164,8 @@ function proxyRequest(req, res) {
delete headers['access-control-allow-methods']
delete headers['access-control-allow-headers']
delete headers['access-control-expose-headers']
delete headers['server']
delete headers['x-powered-by']
res.writeHead(statusCode, headers)
@@ -2759,7 +2769,11 @@ const server = http.createServer((req, res) => {
}
if (req.url === '/health') {
sendJson(res, 200, { ok: true, public_data: publicDataStartupStatus })
if (isRateLimited(req)) {
sendJson(res, 429, { error: 'Too many requests' }, { 'retry-after': String(Math.ceil(API_RATE_LIMIT_WINDOW_MS / 1000)) })
return
}
sendJson(res, 200, { ok: true })
return
}
@@ -2790,6 +2804,10 @@ const server = http.createServer((req, res) => {
}
if (req.method === 'GET' && req.url === '/api/viewers') {
if (!isSameOriginRequest(req)) {
sendJson(res, 403, { error: 'Viewer analytics are restricted to this site' })
return
}
if (isRateLimited(req)) {
sendJson(res, 429, { error: 'Too many requests' }, { 'retry-after': String(Math.ceil(API_RATE_LIMIT_WINDOW_MS / 1000)) })
return