From 613137ff99442885c5fe679b2cc1172adfc5a283 Mon Sep 17 00:00:00 2001
From: Mohamed Bassem
Date: Thu, 10 Jul 2025 21:22:54 +0000
Subject: feat: Add API ratelimits
---
 packages/trpc/routers/apiKeys.ts | 21 ++++++++++++++++++++-
 1 file changed, 20 insertions(+), 1 deletion(-)
(limited to 'packages/trpc/routers/apiKeys.ts')
diff --git a/packages/trpc/routers/apiKeys.ts b/packages/trpc/routers/apiKeys.ts
index eb52189b..d4e01aa5 100644
--- a/packages/trpc/routers/apiKeys.ts
+++ b/packages/trpc/routers/apiKeys.ts
@@ -11,7 +11,12 @@ import {
 logAuthenticationError,
 validatePassword,
 } from "../auth";
-import { authedProcedure, publicProcedure, router } from "../index";
+import {
+ authedProcedure,
+ createRateLimitMiddleware,
+ publicProcedure,
+ router,
+} from "../index";
 
 const zApiKeySchema = z.object({
 id: z.string(),
@@ -70,6 +75,13 @@ export const apiKeysAppRouter = router({
 // Exchange the username and password with an API key.
 // Homemade oAuth. This is used by the extension.
 exchange: publicProcedure
+ .use(
+ createRateLimitMiddleware({
+ name: "apiKey.exchange",
+ windowMs: 15 * 60 * 1000,
+ maxRequests: 10,
+ }),
+ ) // 10 requests per 15 minutes
 .input(
 z.object({
 keyName: z.string(),
@@ -97,6 +109,13 @@ export const apiKeysAppRouter = router({
 return await generateApiKey(input.keyName, user.id);
 }),
 validate: publicProcedure
+ .use(
+ createRateLimitMiddleware({
+ name: "apiKey.validate",
+ windowMs: 60 * 1000,
+ maxRequests: 30,
+ }),
+ ) // 30 requests per minute
 .input(z.object({ apiKey: z.string() }))
 .output(z.object({ success: z.boolean() }))
 .mutation(async ({ input, ctx }) => {
--
cgit v1.2.3-70-g09d2
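Review bot: The limiter added to `exchange` in the `@@ -70,6 +75,13 @@` hunk (and again to `validate` in the `@@ -97,6 +109,13 @@` hunk) does not show what a request is counted against, and both procedures are `publicProcedure`, so there is no authenticated user to key on. `createRateLimitMiddleware` is defined in `../index`, outside this diff; if it keys on client address alone, a deployment behind a reverse proxy may either count every caller as one client or depend on a forwarded header it should not trust, and repeated password attempts against a single account arriving from many addresses would not be throttled. I would confirm the key derivation there and, for `exchange`, consider a second bucket keyed on the submitted account identifier so the limit also holds per account. The trailing `// 10 requests per 15 minutes` is easy to miss after the closing `)`; it would read better above `.use(` as `// Throttle credential exchange: 10 attempts per 15 minutes per limiter key`, with the matching comment on `validate`. Both procedure bodies continue outside their hunks.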