From 613137ff99442885c5fe679b2cc1172adfc5a283 Mon Sep 17 00:00:00 2001
From: Mohamed Bassem <me@mbassem.com>
Date: Thu, 10 Jul 2025 21:22:54 +0000
Subject: feat: Add API ratelimits

---
 packages/trpc/routers/invites.ts | 21 ++++++++++++++++++++-
 1 file changed, 20 insertions(+), 1 deletion(-)

(limited to 'packages/trpc/routers/invites.ts')

diff --git a/packages/trpc/routers/invites.ts b/packages/trpc/routers/invites.ts
index 5f7897c5..0a98f36a 100644
--- a/packages/trpc/routers/invites.ts
+++ b/packages/trpc/routers/invites.ts
@@ -7,7 +7,12 @@ import { invites, users } from "@karakeep/db/schema";
 
 import { generatePasswordSalt, hashPassword } from "../auth";
 import { sendInviteEmail } from "../email";
-import { adminProcedure, publicProcedure, router } from "../index";
+import {
+  adminProcedure,
+  createRateLimitMiddleware,
+  publicProcedure,
+  router,
+} from "../index";
 import { createUserRaw } from "./users";
 
 export const invitesAppRouter = router({
@@ -113,6 +118,13 @@ export const invitesAppRouter = router({
     }),
 
   get: publicProcedure
+    .use(
+      createRateLimitMiddleware({
+        name: "invites.get",
+        windowMs: 60 * 1000,
+        maxRequests: 10,
+      }),
+    )
     .input(
       z.object({
         token: z.string(),
@@ -153,6 +165,13 @@ export const invitesAppRouter = router({
     }),
 
   accept: publicProcedure
+    .use(
+      createRateLimitMiddleware({
+        name: "invites.accept",
+        windowMs: 60 * 1000,
+        maxRequests: 10,
+      }),
+    )
     .input(
       z.object({
         token: z.string(),
-- 
cgit v1.3-1-g0d28