From 8a6aef743009d3ef69160cf68a83f8e328a30e6b Mon Sep 17 00:00:00 2001
From: TZGyn <ca538901d@mozmail.com>
Date: Sat, 3 Aug 2024 18:03:56 +0800
Subject: [PATCH] added rate limiter + click limiter to redirect

---
 redirect/bun.lockb    | Bin 30726 -> 33229 bytes
 redirect/package.json |   3 +-
 redirect/src/index.ts |  76 ++++++++++++++++++++++++------------------
 3 files changed, 45 insertions(+), 34 deletions(-)

diff --git a/redirect/bun.lockb b/redirect/bun.lockb
index 0983070a445038c273edc3bc53958bb5ccae8fd5..b9abd06e3d64666dc3067b84d212645fc74dcc90 100755
GIT binary patch
delta 5227
zcmeHLc~q1~67T+GlusEs1Z6-4HQqAFISkhT-a))|00lt>WJN%ZC@2AphO8zgZW#@}
zsEIKeV~qMx<Cz$bsPTwbJT`|%bQ3jRi7~+_?ytU?aecdP_PzaU|JZ)7y1qKPySl3S
z`d+*(kG!C~7T9Imd(*2o8RFd*?5lYD*5;JjkzE51J=i;F!ALj%qMD&6W2%K#Qs-O!
zx)-I`2qCia%8GL{g(xqWpt15%y9iNLm}AozGXHJA$|;Hv?qE(U$;xN7383|$M*%kn
z?r+D1IRUx(B@v>J6r!2dNkCyiL7oT#?FsrBU~bpSj`K6~3v$unIQyWb`Gt9<Il1`}
zjfH3hy{^EnLXbrohHh&jgbH3XFprsA9FUV&FiuQ$7NRL=qn$6I#I|+-%{GiH${e3n
zEW}apS<e#{x6h{4(y#J@&Za#%FRzRz{27|?D216N6SF|8@CCc$6!aJ$K;;X(A2iQo
z8Y;$<%8KDhA%>z2kM3~mdJM(#RlwZuQahdp>?TBH)eg+h06_&9+|XiIn2<HDGzXnc
zhUr`!9gZ(3n3N04DrkV>7dgYjHW^2N{y8uO<4Uu+wIe`9&}SzEdeCwu*5{g+jSOvR
zo821F?6bRGb@!Fc(z%^$MRGvKob|NcDWc2my%mLTo;iGS-U}l1qR;1_t=PEt%S~rq
z?ceLI?|%C>=G<&Lx#Dur@Ef|i3r^lrmQ%gXB3F~Su|-~^GSu0$74>^mkNRseH?gR0
zNSg=@r%-$olR6XBv!EnX@-WpmvB(B8J6mKNl{s6~S&f9~t!Y;~o8$qihXiufBBQAc
zbrEe<ExO%KLL^XybCl|Y5GB}pH$*st2nC@dshVUBZEb3icc{LpMIDSB8wH6V*~}#0
zrLtxgd7ZYRewON+S=5=xBQ~-T#iQjODs!=@55Z$o8WEckPxatcBM+m&Q|QyiCb^T!
z^cK|vA?GP+6O?199=yfiu_cX2I-At9ptw~Nwo7e~*l@p^m1+T~NKMA0z?H6=D^a(h
zt*8^J9`!;pyIIsP5H{A8B=shp7qT>%b~cVu`{64Nd{_^s){xoVBEO?DcZ(X1v}E_d
z4z!pJDvBODN6B4e_OPhGfM&~`s9JAQ`ZuR?k63jla<dnhE)?%-Qh8<ChGdmUSBh*A
ztCoP-A1bh;xk>jWs8sG%33Q|TEn@YB$oVLUF*CtV=}xzG&iXar2J>Lx!led{t9}D+
z4{#Ok%0<QEV7FoC5PxabgWIVwcAntSxK9Da6M};92ee0UI@5YD7mD_bR(^M<a?e;b
z5(|K%>7@C44k-3FQVtV33X12fMOF1~;Yc5jOe!eWw8@r&>Z!GZY3k9(GLEPRHad<d
zJOFACC?3y~s?p1fp!$K*ao#9LJSnnOtm5QF<*j1X7_2?pVnF^VrCxL&%*|l(tl<N6
z_6Ss%)^)Y3Nf(Dj8%;Z1qtqGriqrVe((M2h%PT;+-;&A=v1$aiQVx{nCZ(no-8aN4
zds<PXPox<U<=s##PhzAc@4#AN%x?F#ks8)fMVml+;Nv!cC4P3vA7Lyr(GlPT=xW!0
z5<63puOChD^_PMweEs6NU-&~Sj1>T8p_Qj$?l%^IT|&gO7FD$MtK?pgvRZi(vsPaK
zTQyLVJ{@!WB)j}+nB{})a>m$Z#Be(eOux5vujH|?!w75|BF!#)8s@&z?eagu?1>Bj
z<8c5kPh#dz0I)|U3Q?)KWD*E2e}vh9JWcB#m`P5ICzHd$`;SQi#WsRww(0i&Owm@*
z|9GZ^|96>ESL?UJJ#O9D+v^uDI&pp2hv$Cv2wODk%&_Ly2ktS}B$>W_ckrCr!d<7g
z{IYaZP<ru44W(;4RQ#>2&*%MPyp?0MR}SxJa(&lKstEF?n4m-%Mt=^nQbe$xZh$h8
zIoL`+fLaoqD9v;g)EgmsN(xC#!b$SDINkG^I%>%$vqpHn^m5a8_U)cFGUr2AS1LIh
z`jh+36LBu@ZO!~uck_-<_s#1(ORgjaT#i`j)3Nd5*Y9+>I(Jd&{%SMDgnC!Tc+GBm
zdBHaqZp6{8H%~`(JlOW5<hviyhmoHaM?d(nJg)v+?Tpp^_W9pwU#Gj){?2K`(4*Cr
z+kJoE9eOss#%1h$tRN{GTpNI69-D@hxIWi)|CRB<=c<0#ckgCZgr|G&9z$w#W^GAd
z^`g0O-StDm?}z{T@!;czgUc6MdY$avaqSx$Uq1fH;?mxGcWw`h?pyN}-GFtwPo%V%
zdwJRGbNw!zUzz@Oa-{BL@v^u2-YXw{eBPJ69$b9KueQ{s>Sl*;mX{9u%D=AW6PFp|
zpP4;>`n_eZjM^Qa#hanSI?I#R4c|HDVED>yZ4!DPTec!Qa`P)Y7Wp38b!UsukB{7w
zFH{y~AAK0OAhOi(r&ABhjA_k7yxV@?waungb<1y87C!sMn!u^FB+Pr@r01r7e!AmT
zzlNLEDf<VxMvZQ}cwo!dD<8ZYxncc-i1#nGZdbT3=8ZwcBRAan;Pm1?;aB%J{WkOV
zl$=$|`mPHXO%tB5E}m*btdtzCr-vblvKI{qwUV<*PisRHWgn^swFOjKSfcDltHZ1`
zF+xxJ@I*O)Qo^m|ZPwFHP>H0PtaJd>WK*I{qOG8&Me3<dM4}u_xe-?C5~ZgjpoWsc
zY^AfHD$I#;I2|-w<p^pQX_X_X4D~2Fj@n9HqpUKSs!^xZor^jnW#76DF|SH_u`b>c
z)rjJvU#^>x(9EqaF4`)aZn3|y?xxWEVQ~o!k8Fh<KNx`N@?Bdi4w`pvTqZQx5MbWH
z{Zmn)6pp4jBRWy^@Sc^pn`sBdSYSSEMgT?vczfZlxam*;A9%e1d@TC|+5y@FIsl#l
z@Sctv8b3t%?ZHnpfh&e~n2ZO`0AvFA@UjAu0hm-@!6uCci~;bem;i_e@VU&3689g`
z3D6nP1;96mEI>9O2f(LaECr14OTaA(M}!c$05bsB8xaD)bx?!@OaS%>o=Cz6;0tIC
zc#DTe8Is0cF|e!II<}IJbB95(v~R@Em23{1g`1RSB3~!CV;+D9<iPOYykz45yf_@j
zuq+WY`-=U^zQ-j|3;^INr(GiY0JEQQ@zs3KF5x(EJP?;aEg1OFg2m1pW)o<E;{fs?
zRqPa$X%i`7)G2@M8x_Y9v8i%A#T1zyY78>=q}JBfavYhhNiv^mtRb=$ZMPbH9WU(U
z9^GzipZs&NBB5(!F9*>rX!W5E$w_huO-VM$G@6^76y|su?tSUh(bT)g42pa{*w)1H
zx*u??wK`_{>E|J_cQ%3aDF!)(I;SN0I$pxND+gUHIKMp|28N)0kPxTn)szr<f%c?S
z``TafRjaaY%<p~feu}0QY(%IdXl!bd>_BT%4bn*aQ$z5a`#m)&-0|KYnepSJ`>$o*
zLyKTzF!$?t@i$#^@vpO*d>5igf><I|dVX}UJW3lz8>A;48g1~+##00Ll&Wrl{U7``
z+VdwUn{3mIrbp1)Muss-@-xaA6QZat^yZj>*^W1Uy?fTAhR`FmXcA<E)5C=0wI7?V
z>^ODH`Mf64-0OI*J08c13^j%rIpG`+ddKq_5$TC}1XEmwry3jMuer2>+N2qL?LP&o
zuAJ>U>3sCU7Fzc~My!RUG&Id1SJ5QY>uGjcNTuVyfm^SaJ~+H*xu@L}IKlD9!0|p;
zB)rC*2**DLza`3rP>+q@E3&6C1VIQDj=u_yH#~alX$<GQ`8VS@VIa*A-#`!BKZE&!
zsjqa}6k}FoHw?w458X&hQi?n%I^Em%DQRX;lTlQVZU}e$xwtau=IRqmFA94aVi?E2
zjiQ7@RiZe3I&9;Xux*A1eVo2nS>r{iV}lvZ8|&Tr@js1A#qaB$`z?!C0Q6zcT`$@_
zHn_FpCr79Dmsadr88gf7IcS8oB)1H2<(e0D%jo7&gk6g>=K$`|T%2>Uk9$&ihEc)A
zeq~0m&va<GKx0-!*kL)Xc|!#6VklwN^i#%EciS(UfTGNjtbn}S$+;zUxtSaF!A~#(
z0|Ng=DL`A^#*&=!yrR;8@tNZ%X3>Vy)^*+mofV(QEVO+59l!}ikH)uap=BXN8b(LR
zK#~*unoTYSb8>M25`p!oRe_rh3&t46(iXPhL&NqFfXI_Ov>FQioH#pJsm?NGf8)Oc
D5N&@M

delta 3879
zcmeHKdvH`&89(RdwKvHoOA;WL&7)=Hk)(M)c9Tu^rU|s*vOx-A6ChzXVUsL`JWL2s
zun9`FjM8c5b85?o4l^C;Mw~XTr80=3)v+4eVh1{fnVQnt8DfnMG96Qgg1_(Xu0_Sp
z_=o=G+4;`5zw`QD=X~d$SH7ftc}_l2yfSpqbISkSrNtknf4ijf=Z#0i2iJb_XwLD@
zo5!xTT~B#<WUnyF#&J(>!B-v%10npq`-cKPAs+7EVKlX&P8MQppgTN5A3u>h>Q#hT
zfX02p{yrYI5!ej88axHu7U2Wkg@L|dyQq*tBpHho4)pi;ihF=FfYZTwUVMc2`TF_;
zSa3r`=$^iT-aXxcz7_F8EXKG@@Khm4m)eG4f)Fa&3cy)rV5qRWx4%PlnS@9L&W^Ot
z0kf`Yz^p^Z=Y5_2AtBCTGLMTv#q*mfD04?&iwlq5-P^mL4SoSrSjvEJxW^AX56td(
z3FDZ*h{_6n8kjBVM#X&B{vmks6L+qI2ySl#=k;nLJRjTw+yb*SA(SzV4k@`cm(Yfu
zv8bc}*}?rCd%9S?sH3Mao{f3TLRS>$l14a};ZbnbG8UX|cV~pkVopn%i?xSZ;w(}I
zC=jp9rznW}GR>fFro04QeuDz2rzn`9tG5vxJ0>eMnP5`~5!%lJNk;N41x&h}rJzYy
zi(`aXW%QJ)HaSFjsxDuo0BZE3E}$9IKFUkf)yY^P8lq$4ZZM)k)uA@PjTLB*qd}}O
zLU~ELe47GEy6QyeH={?;V3JLKoo3K;h4PYhSxtdtT^&StS<4uj#LVy04BGyPHr6PH
zSfdgOn00jk+o2Y13Y9|tQ#6A%iHNXGhK15affQXmf;QG9h6YVG^_M_AD}nV=7r?i?
zuA!yc4pd|Gu@v|+)$k?iWXiMXvW5bvAEls0SAUEs@K{NMW?Nh=VpB$i2@bUi|LV~W
z?V;5O1sCY@b(&eAtIM!!*i+C0Glqd2v|Dw^=O~z_E5A2We!5d_#a?N|pk$g%wW;3(
z3JbYzwkdC<&>t|wf(^DNEIGv%Hwd(a*HNZYX(Gd^BwJ|bBB!#+LKBOeDq%aZGh+>N
z-vwfG5pt})0*8s6WjIwG1Y-3RV`K>E?+#c00#stm8%)8xv}hkYbQcgi6pjEo3B>X;
z=sMgx4fG&T9EVL=o=!V8r_z>A6Pi<fGCjH(5kBSBbjn}iR8z6NIaW{ti?sk%8cSbK
zwZ%ORR7-^xhk6PB*vDa!3l|FEG|*(CT`r^vt5Y3E8#_+$9#Y<3NcmY#C2JAw%&HlM
z<M{v^<xY-`Ar?j2nd7i<sxk_5Y-o`M;`VG1m;Z$Gyd0#w_p|P;#t{&o0mXt=g1Fqt
zv9;OZMq$o#OBs<rJD0weok^#%GuLv14Wxjo8KB&avy?gzjy3zuD0gy6aXGmgxEUKj
zux{92M!6ejT@2CxhO?A)paeRevzSihm_~WVCJ>iT<7@{qgJDk#4@S9@bN?0)+tUtW
zNj?ylPvN76`#QqoM3gi9-)seB3NFT8p|`S%{~!Ik?t=eP^i%#Z`l0Hj&n%$I3Ky-c
zFw@Zrm#n1A6&`vMsIJl_ZFHp4LyuLOX%?uOs;fL?uQJp3>@Mk`kL(`02GmyVl64fU
z_Rv!{Gns2#Qm57$53RAA=^W7gq&hq_5479il8tl*=-FyBW!JjoY6{ePsHMhCuK+zr
zTAhbX4l{kB&L!8<uYi6CROoc!{@U;KP*1Iy-U4z{p6;Q{I%uuC<a)Xc^fFLgy-RMO
zBlRBI=QM|A>!+ltGV%=*+OX=NByW5y)vq#{F5r4Yk{d&7MNG)DCdra`;i2%}Ox{Qb
zTkBT?+`1hu-0lYP*~L7gL@`GSnce7X0_XE+--rrjY!lsT-JHkAycxua0(XpXff_)#
z+xT7)Eb0MJ4jtOE*htB^>iCP0zo7)K2L7rv4u2~+Cj}3P(+VrWLf3;n2jaZNR&c7i
zA5;(GB#87c9H3>O<)9THPU~Ai+dyp~))|RW5i3dCn(O53z8!=MjBg=P2I8!XJ4jT4
z*yc=-23i8b=c0H%lF;m%VfXTdtO;wxnz4<nK@FYRdSjGz;$+PW@q#RXUCqMSBWyqJ
zQ6nd@m)KkNARUD3%}C&EAA6KN$M)iGHGIJyW}mQs*e~pD#_TI@gP5e-J?ur4ZC={a
zb}_!!H|!r8rl$5R?4DiiZrMg>+RJ4;&9-aS=;wUPefhIzci$LNWNA@J5#L1j(7oHs
zWd${FcUyIA4l_bNar)-^=bQx}$IAB7BK#nf&TV(&EG2n0YxF6x_Cl7r?Z6w4DDsiW
zVjD^KYSK%sUbi*++5NN8rmOwaXWJFoUJj91>m~ZBw_LtPA9@d2BhQAhlm6N9RhR$T
zYK$r?Do1!}+~<~QH0{%5HhttP$5(1$hg$~eK!=tUeM%%Azk20x!n@^|R~FWE&P305
zlv$&1h`Jl+Cx30J?7;wASbPk9+@V>UBWEYSc+JiEtr>rg^ur?sRNARQjH}ZvU!bQu
z%a!>gdbM*MzL>2$G;8!3;cQoabnyezG$ux@*XTI<qtAx--pt!IUHfFZ(O+7Gtye?8
z-Jv0OypMVvo%NT?7CPbA6ub=P{Fw-W+U2%Jp9_y)XsT>jw&P?tP`q(%G}xsf*?hH2
zvqm2s?=}4?`1-f53WT66Y@L^W(xoYv@Yv`&ro?8@NOxIP^o_B6={wJy|4!ZEPl6wP
zja0ldG!Zv4@8=#w3DVpd^t<k|tbd&vwf1NR-Pe<;G-l8PJ^5)<_&(!Q^sE<iQLcIE
zi#-kWa!<*Ui|9&5*I|3*Z{)s|TbaJ_kiNZ?7T6m)7WjcVbYkyPg_;f|gv<xd$NvpJ
CnYlLr

diff --git a/redirect/package.json b/redirect/package.json
index 725a9f3..31b46c7 100644
--- a/redirect/package.json
+++ b/redirect/package.json
@@ -10,7 +10,8 @@
     "@maxmind/geoip2-node": "^5.0.0",
     "@types/pg": "^8.10.2",
     "@types/ua-parser-js": "^0.7.39",
-    "elysia": "latest",
+    "elysia": "^1.1.5",
+    "elysia-rate-limit": "^4.1.0",
     "kysely": "^0.26.3",
     "magic-regexp": "^0.7.0",
     "nanoid": "^5.0.1",
diff --git a/redirect/src/index.ts b/redirect/src/index.ts
index f2dc4d0..a2f65de 100644
--- a/redirect/src/index.ts
+++ b/redirect/src/index.ts
@@ -2,14 +2,28 @@ import { Elysia } from 'elysia'
 import { db } from './database'
 import { cors } from '@elysiajs/cors'
 import { UAParser } from 'ua-parser-js'
+import geoip2 from '@maxmind/geoip2-node'
+import { rateLimit } from 'elysia-rate-limit'
+import { LRUCache } from 'lru-cache'
+
+const WebServiceClient = geoip2.WebServiceClient
 
 const fallback_url = Bun.env.FALLBACK_URL ?? 'https://app.kon.sh'
 const app_url = Bun.env.APP_URL ?? 'kon.sh'
-const geoipupdate_account_id = Bun.env.GEOIPUPDATE_ACCOUNT_ID
-const geoipupdate_license_key = Bun.env.GEOIPUPDATE_LICENSE_KEY
 const hosting_provider = Bun.env.HOSTING_PROVIDER
 
-const app = new Elysia().use(cors())
+const client = new WebServiceClient(
+	Bun.env.GEOIPUPDATE_ACCOUNT_ID || '',
+	Bun.env.GEOIPUPDATE_LICENSE_KEY || '',
+	{ host: 'geolite.info' }
+)
+
+const clickLimiter = new LRUCache({
+	ttl: 60 * 60 * 60 * 1000, // 1 hr
+	ttlAutopurge: true,
+})
+
+const app = new Elysia().use(cors()).use(rateLimit({ duration: 1000 }))
 
 app.get('/', ({ set }) => (set.redirect = fallback_url + '/landing'))
 app.get('/invalid', () => 'Invalid Shortener')
@@ -17,7 +31,7 @@ app.get('/robots.txt', () => Bun.file('public/robots.txt'))
 
 app.get(
 	'/:shortenerCode',
-	async ({ params: { shortenerCode }, set, request }) => {
+	async ({ params: { shortenerCode }, set, request, cookie }) => {
 		try {
 			const request_domain = request.headers.get('host')
 			const domain = request_domain !== app_url ? request_domain : null
@@ -28,21 +42,6 @@ app.get(
 					: 'x-forwarded-for'
 			)
 
-			const WebServiceClient =
-				require('@maxmind/geoip2-node').WebServiceClient
-
-			const client = new WebServiceClient(
-				geoipupdate_account_id,
-				geoipupdate_license_key,
-				{ host: 'geolite.info' }
-			)
-
-			const geolocation = await client.city(ip)
-
-			const user_agent = request.headers.get('User-Agent')
-
-			const ua_parser = new UAParser(user_agent ?? '')
-
 			const query = db
 				.selectFrom('shortener')
 				.selectAll('shortener')
@@ -60,26 +59,15 @@ app.get(
 
 			const shortener = await query.execute()
 
-			console.log('shortener', shortener)
+			const user_agent = request.headers.get('User-Agent')
+
+			const ua_parser = new UAParser(user_agent ?? '')
 
 			if (!shortener.length || !shortener[0].active) {
 				set.redirect = '/invalid'
 				return
 			}
 
-			const visitor_data = {
-				shortener_id: shortener[0].id,
-				country: geolocation.country.names.en as string,
-				country_code: geolocation.country.isoCode as string,
-				city: geolocation.city.names.en as string,
-				device_type: ua_parser.getDevice().type || 'desktop',
-				device_vendor: ua_parser.getDevice().vendor,
-				browser: ua_parser.getBrowser().name,
-				os: ua_parser.getOS().name,
-			}
-
-			await db.insertInto('visitor').values(visitor_data).execute()
-
 			if (
 				ua_parser.getOS().name === 'iOS' &&
 				shortener[0].ios &&
@@ -95,6 +83,28 @@ app.get(
 			} else {
 				set.redirect = shortener[0].link
 			}
+
+			const clickKey = `${ip}_${shortener[0].id}`
+			const clickLimited = clickLimiter.has(clickKey)
+
+			if (clickLimited) return
+
+			clickLimiter.set(clickKey, 1)
+
+			const geolocation = await client.city(ip || '')
+
+			const visitor_data = {
+				shortener_id: shortener[0].id,
+				country: geolocation.country!.names.en,
+				country_code: geolocation.country!.isoCode,
+				city: geolocation.city!.names.en,
+				device_type: ua_parser.getDevice().type || 'desktop',
+				device_vendor: ua_parser.getDevice().vendor,
+				browser: ua_parser.getBrowser().name,
+				os: ua_parser.getOS().name,
+			}
+
+			await db.insertInto('visitor').values(visitor_data).execute()
 		} catch (error) {
 			console.error(error)
 			set.redirect = fallback_url