Fix runner api rate limit bypass

5 files changed, 22 insertions, 2 deletions

diff --git a/server/controllers/api/runners/index.ts b/server/controllers/api/runners/index.ts
index c98ded354..9998fe4cc 100644
--- a/server/controllers/api/runners/index.ts
+++ b/server/controllers/api/runners/index.ts
@@ -6,6 +6,8 @@ import { runnerRegistrationTokensRouter } from './registration-tokens'
 
 const runnersRouter = express.Router()
 
+// No api route limiter here, they are defined in child routers
+
 runnersRouter.use('/', manageRunnersRouter)
 runnersRouter.use('/', runnerJobsRouter)
 runnersRouter.use('/', runnerJobFilesRouter)
diff --git a/server/controllers/api/runners/jobs-files.ts b/server/controllers/api/runners/jobs-files.ts
index 260d824a8..4e69fb902 100644
--- a/server/controllers/api/runners/jobs-files.ts
+++ b/server/controllers/api/runners/jobs-files.ts
@@ -3,7 +3,7 @@ import { logger, loggerTagsFactory } from '@server/helpers/logger'
 import { proxifyHLS, proxifyWebTorrentFile } from '@server/lib/object-storage'
 import { VideoPathManager } from '@server/lib/video-path-manager'
 import { getStudioTaskFilePath } from '@server/lib/video-studio'
-import { asyncMiddleware } from '@server/middlewares'
+import { apiRateLimiter, asyncMiddleware } from '@server/middlewares'
 import { jobOfRunnerGetValidator } from '@server/middlewares/validators/runners'
 import {
   runnerJobGetVideoStudioTaskFileValidator,
@@ -16,18 +16,21 @@ const lTags = loggerTagsFactory('api', 'runner')
 const runnerJobFilesRouter = express.Router()
 
 runnerJobFilesRouter.post('/jobs/:jobUUID/files/videos/:videoId/max-quality',
+  apiRateLimiter,
   asyncMiddleware(jobOfRunnerGetValidator),
   asyncMiddleware(runnerJobGetVideoTranscodingFileValidator),
   asyncMiddleware(getMaxQualityVideoFile)
 )
 
 runnerJobFilesRouter.post('/jobs/:jobUUID/files/videos/:videoId/previews/max-quality',
+  apiRateLimiter,
   asyncMiddleware(jobOfRunnerGetValidator),
   asyncMiddleware(runnerJobGetVideoTranscodingFileValidator),
   getMaxQualityVideoPreview
 )
 
 runnerJobFilesRouter.post('/jobs/:jobUUID/files/videos/:videoId/studio/task-files/:filename',
+  apiRateLimiter,
   asyncMiddleware(jobOfRunnerGetValidator),
   asyncMiddleware(runnerJobGetVideoTranscodingFileValidator),
   runnerJobGetVideoStudioTaskFileValidator,
diff --git a/server/controllers/api/runners/jobs.ts b/server/controllers/api/runners/jobs.ts
index 140f062be..5d687e689 100644
--- a/server/controllers/api/runners/jobs.ts
+++ b/server/controllers/api/runners/jobs.ts
@@ -7,6 +7,7 @@ import { MIMETYPES } from '@server/initializers/constants'
 import { sequelizeTypescript } from '@server/initializers/database'
 import { getRunnerJobHandlerClass, updateLastRunnerContact } from '@server/lib/runners'
 import {
+  apiRateLimiter,
   asyncMiddleware,
   authenticate,
   ensureUserHasRight,
@@ -69,11 +70,13 @@ const runnerJobsRouter = express.Router()
 // ---------------------------------------------------------------------------
 
 runnerJobsRouter.post('/jobs/request',
+  apiRateLimiter,
   asyncMiddleware(getRunnerFromTokenValidator),
   asyncMiddleware(requestRunnerJob)
 )
 
 runnerJobsRouter.post('/jobs/:jobUUID/accept',
+  apiRateLimiter,
   asyncMiddleware(runnerJobGetValidator),
   acceptRunnerJobValidator,
   asyncMiddleware(getRunnerFromTokenValidator),
@@ -81,6 +84,7 @@ runnerJobsRouter.post('/jobs/:jobUUID/accept',
 )
 
 runnerJobsRouter.post('/jobs/:jobUUID/abort',
+  apiRateLimiter,
   asyncMiddleware(jobOfRunnerGetValidator),
   abortRunnerJobValidator,
   asyncMiddleware(abortRunnerJob)
@@ -88,6 +92,7 @@ runnerJobsRouter.post('/jobs/:jobUUID/abort',
 
 runnerJobsRouter.post('/jobs/:jobUUID/update',
   runnerJobUpdateVideoFiles,
+  apiRateLimiter, // Has to be after multer middleware to parse runner token
   asyncMiddleware(jobOfRunnerGetValidator),
   updateRunnerJobValidator,
   asyncMiddleware(updateRunnerJobController)
@@ -101,6 +106,7 @@ runnerJobsRouter.post('/jobs/:jobUUID/error',
 
 runnerJobsRouter.post('/jobs/:jobUUID/success',
   postRunnerJobSuccessVideoFiles,
+  apiRateLimiter, // Has to be after multer middleware to parse runner token
   asyncMiddleware(jobOfRunnerGetValidator),
   successRunnerJobValidator,
   asyncMiddleware(postRunnerJobSuccess)
diff --git a/server/controllers/api/runners/manage-runners.ts b/server/controllers/api/runners/manage-runners.ts
index eb08c4b1d..be7ebc0b3 100644
--- a/server/controllers/api/runners/manage-runners.ts
+++ b/server/controllers/api/runners/manage-runners.ts
@@ -2,6 +2,7 @@ import express from 'express'
 import { logger, loggerTagsFactory } from '@server/helpers/logger'
 import { generateRunnerToken } from '@server/helpers/token-generator'
 import {
+  apiRateLimiter,
   asyncMiddleware,
   authenticate,
   ensureUserHasRight,
@@ -19,15 +20,18 @@ const lTags = loggerTagsFactory('api', 'runner')
 const manageRunnersRouter = express.Router()
 
 manageRunnersRouter.post('/register',
+  apiRateLimiter,
   asyncMiddleware(registerRunnerValidator),
   asyncMiddleware(registerRunner)
 )
 manageRunnersRouter.post('/unregister',
+  apiRateLimiter,
   asyncMiddleware(getRunnerFromTokenValidator),
   asyncMiddleware(unregisterRunner)
 )
 
 manageRunnersRouter.delete('/:runnerId',
+  apiRateLimiter,
   authenticate,
   ensureUserHasRight(UserRight.MANAGE_RUNNERS),
   asyncMiddleware(deleteRunnerValidator),
@@ -35,6 +39,7 @@ manageRunnersRouter.delete('/:runnerId',
 )
 
 manageRunnersRouter.get('/',
+  apiRateLimiter,
   authenticate,
   ensureUserHasRight(UserRight.MANAGE_RUNNERS),
   paginationValidator,
diff --git a/server/controllers/api/runners/registration-tokens.ts b/server/controllers/api/runners/registration-tokens.ts
index 5ac3773fe..117ff271b 100644
--- a/server/controllers/api/runners/registration-tokens.ts
+++ b/server/controllers/api/runners/registration-tokens.ts
@@ -1,6 +1,8 @@
 import express from 'express'
+import { logger, loggerTagsFactory } from '@server/helpers/logger'
 import { generateRunnerRegistrationToken } from '@server/helpers/token-generator'
 import {
+  apiRateLimiter,
   asyncMiddleware,
   authenticate,
   ensureUserHasRight,
@@ -12,19 +14,20 @@ import {
 import { deleteRegistrationTokenValidator } from '@server/middlewares/validators/runners'
 import { RunnerRegistrationTokenModel } from '@server/models/runner/runner-registration-token'
 import { HttpStatusCode, ListRunnerRegistrationTokensQuery, UserRight } from '@shared/models'
-import { logger, loggerTagsFactory } from '@server/helpers/logger'
 
 const lTags = loggerTagsFactory('api', 'runner')
 
 const runnerRegistrationTokensRouter = express.Router()
 
 runnerRegistrationTokensRouter.post('/registration-tokens/generate',
+  apiRateLimiter,
   authenticate,
   ensureUserHasRight(UserRight.MANAGE_RUNNERS),
   asyncMiddleware(generateRegistrationToken)
 )
 
 runnerRegistrationTokensRouter.delete('/registration-tokens/:id',
+  apiRateLimiter,
   authenticate,
   ensureUserHasRight(UserRight.MANAGE_RUNNERS),
   asyncMiddleware(deleteRegistrationTokenValidator),
@@ -32,6 +35,7 @@ runnerRegistrationTokensRouter.delete('/registration-tokens/:id',
 )
 
 runnerRegistrationTokensRouter.get('/registration-tokens',
+  apiRateLimiter,
   authenticate,
   ensureUserHasRight(UserRight.MANAGE_RUNNERS),
   paginationValidator,