From 96ec73fc057898d4cb69bd746c0a5c43ebfd0b23 Mon Sep 17 00:00:00 2001
From: "copilot-swe-agent[bot]" <198982749+Copilot@users.noreply.github.com>
Date: Fri, 9 Jan 2026 21:54:17 +0000
Subject: [PATCH] Add rate limiting to prevent abuse

Co-authored-by: mblanke <9078342+mblanke@users.noreply.github.com>
---
 package-lock.json | 28 ++++++++++++++++++++++++++++
 package.json | 1 +
 server.js | 12 ++++++++++++
 3 files changed, 41 insertions(+)

diff --git a/package-lock.json b/package-lock.json
index 11abcd6..5501990 100644
--- a/package-lock.json
+++ b/package-lock.json
@@ -13,6 +13,7 @@
 "cors": "^2.8.5",
 "dockerode": "^4.0.9",
 "express": "^4.22.1",
+ "express-rate-limit": "^8.2.1",
 "ws": "^8.19.0"
 }
 },
@@ -723,6 +724,24 @@
 "url": "https://opencollective.com/express"
 }
 },
+ "node_modules/express-rate-limit": {
+ "version": "8.2.1",
+ "resolved": "https://registry.npmjs.org/express-rate-limit/-/express-rate-limit-8.2.1.tgz",
+ "integrity": "sha512-PCZEIEIxqwhzw4KF0n7QF4QqruVTcF73O5kFKUnGOyjbCCgizBBiFaYpd/fnBLUMPw/BWw9OsiN7GgrNYr7j6g==",
+ "license": "MIT",
+ "dependencies": {
+ "ip-address": "10.0.1"
+ },
+ "engines": {
+ "node": ">= 16"
+ },
+ "funding": {
+ "url": "https://github.com/sponsors/express-rate-limit"
+ },
+ "peerDependencies": {
+ "express": ">= 4.11"
+ }
+ },
 "node_modules/express/node_modules/debug": {
 "version": "2.6.9",
 "resolved": "https://registry.npmjs.org/debug/-/debug-2.6.9.tgz",
@@ -995,6 +1014,15 @@
 "integrity": "sha512-k/vGaX4/Yla3WzyMCvTQOXYeIHvqOKtnqBduzTHpzpQZzAskKMhZ2K+EnBiSM9zGSoIFeMpXKxa4dYeZIQqewQ==",
 "license": "ISC"
 },
+ "node_modules/ip-address": {
+ "version": "10.0.1",
+ "resolved": "https://registry.npmjs.org/ip-address/-/ip-address-10.0.1.tgz",
+ "integrity": "sha512-NWv9YLW4PoW2B7xtzaS3NCot75m6nK7Icdv0o3lfMceJVRfSoQwqD4wEH5rLwoKJwUiZ/rfpiVBhnaF0FK4HoA==",
+ "license": "MIT",
+ "engines": {
+ "node": ">= 12"
+ }
+ },
 "node_modules/ipaddr.js": {
 "version": "1.9.1",
 "resolved": "https://registry.npmjs.org/ipaddr.js/-/ipaddr.js-1.9.1.tgz",
diff --git a/package.json b/package.json
index fac62fe..78f39bc 100644
--- a/package.json
+++ b/package.json
@@ -24,6 +24,7 @@
 "cors": "^2.8.5",
 "dockerode": "^4.0.9",
 "express": "^4.22.1",
+ "express-rate-limit": "^8.2.1",
 "ws": "^8.19.0"
 }
 }
diff --git a/server.js b/server.js
index 15470da..0d06970 100644
--- a/server.js
+++ b/server.js
@@ -5,19 +5,31 @@ const axios = require('axios');
 const fs = require('fs');
 const path = require('path');
 const os = require('os');
+const rateLimit = require('express-rate-limit');
 
 const app = express();
 const PORT = process.env.PORT || 3001;
 const FRONTEND_PORT = 3000;
 
+// Rate limiting to prevent abuse
+const limiter = rateLimit({
+ windowMs: 15 * 60 * 1000, // 15 minutes
+ max: 100, // Limit each IP to 100 requests per windowMs
+ message: 'Too many requests from this IP, please try again later.'
+});
+
 // Middleware
 app.use(cors());
 app.use(express.json());
+app.use('/api', limiter); // Apply rate limiting to all API routes
 
 // Serve frontend static files in production
 const frontendDistPath = path.join(__dirname, 'frontend', 'dist');
 if (fs.existsSync(frontendDistPath)) {
 const frontendApp = express();
+
+ // Apply rate limiting to frontend serving as well
+ frontendApp.use(limiter);
 frontendApp.use(express.static(frontendDistPath));
 frontendApp.get('/*', (req, res) => {
 res.sendFile(path.join(frontendDistPath, 'index.html'));
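Review bot: The same `limiter` instance is mounted on both `app` (`/api`) and `frontendApp`, so API calls and every static asset fetch (index.html, JS/CSS chunks, images) draw from one shared bucket of 100 requests per 15 minutes per IP, and a handful of SPA page loads can lock a user out of the API; give `frontendApp` its own, much looser limiter, e.g. `frontendApp.use(rateLimit({ windowMs: 15 * 60 * 1000, limit: 1000 /* placeholder: tune per deployment */ }));`. Nothing in the hunk sets `app.set('trust proxy', ...)`: if this server runs behind a reverse proxy (the dockerode dependency suggests a containerised deployment), all clients share the proxy's address and one bucket, while a too-permissive `trust proxy` value lets a client-supplied `X-Forwarded-For` choose its own bucket — express-rate-limit 7+ flags both cases through its runtime validation checks, so set it deliberately. `max` still works as an alias but `limit` is the current option name in express-rate-limit 7+, and `standardHeaders: true, legacyHeaders: false` would emit the standard `RateLimit-*` headers instead of the deprecated `X-RateLimit-*` ones. WebSocket upgrades handled by `ws` on the underlying HTTP server do not pass through Express middleware, so this limiter presumably does not cover them. The `if (fs.existsSync(frontendDistPath))` block continues outside the hunk.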