Add rate limiting

Aayush-Agnihotri · Aayush-Agnihotri · commit debb5f2cf713 · 2026-03-17T21:48:53.000-04:00
diff --git a/package-lock.json b/package-lock.json
diff --git a/package.json b/package.json
@@ -10,6 +10,7 @@
     "@types/node": "^24.10.13",
     "dotenv": "^17.3.1",
     "express": "^5.2.1",
+    "express-rate-limit": "^8.3.1",
     "google-auth-library": "^10.5.0",
     "google-spreadsheet": "^5.2.0",
     "moment-timezone": "^0.6.0",
diff --git a/src/api/routes.ts b/src/api/routes.ts
@@ -1,11 +1,24 @@
 import express, { Express } from "express";
+import rateLimit from "express-rate-limit";
 import slackbot from "../slackbot";
 import { logWithTime } from "../utils/timeUtils";
 
 export const registerApiRoutes = (app: Express) => {
   app.use(express.json());
 
-  app.post("/api/send-message", async (req, res) => {
+  // Set up rate limiting
+  const apiLimiter = rateLimit({
+    windowMs: 15 * 60 * 1000, // 15 minutes
+    max: 15, // Limit each IP to 15 requests per `window` (here, per 15 minutes)
+    standardHeaders: true, // Return rate limit info in the `RateLimit-*` headers
+    legacyHeaders: false, // Disable the `X-RateLimit-*` headers
+    message: {
+      success: false,
+      error: "Too many requests, please try again later.",
+    },
+  });
+
+  app.post("/api/send-message", apiLimiter, async (req, res) => {
     const authHeader = req.headers.authorization;
     const apiSecret = process.env.API_SECRET;
 
