feat(files): per-IP rate limit on public share endpoints

Author: TheodoreSpeaks

apps/sim/app/api/files/public/[token]/content/route.ts

@@ -4,6 +4,7 @@ import { getPublicFileContentContract } from '@/lib/api/contracts/public-shares'
 import { parseRequest } from '@/lib/api/server'
 import { loadServableDocArtifact } from '@/lib/copilot/tools/server/files/doc-compile'
 import { withRouteHandler } from '@/lib/core/utils/with-route-handler'
+import { enforcePublicFileRateLimit } from '@/lib/public-shares/rate-limit'
 import { resolveActiveShareByToken } from '@/lib/public-shares/share-manager'
 import { downloadFile } from '@/lib/uploads/core/storage-service'
 import { createErrorResponse, createFileResponse, FileNotFoundError } from '@/app/api/files/utils'
@@ -26,6 +27,9 @@ const logger = createLogger('PublicFileContentAPI')
 export const GET = withRouteHandler(
   async (request: NextRequest, context: { params: Promise<{ token: string }> }) => {
     try {
+      const limited = await enforcePublicFileRateLimit(request, 'content')
+      if (limited) return limited
+
       const parsed = await parseRequest(getPublicFileContentContract, request, context)
       if (!parsed.success) return parsed.response
       const { token } = parsed.data.params

apps/sim/app/api/files/public/[token]/route.test.ts

@@ -4,14 +4,20 @@
 import { NextRequest } from 'next/server'
 import { beforeEach, describe, expect, it, vi } from 'vitest'
 
-const { mockResolveActiveShareByToken } = vi.hoisted(() => ({
+const { mockResolveActiveShareByToken, mockEnforceRateLimit } = vi.hoisted(() => ({
   mockResolveActiveShareByToken: vi.fn(),
+  mockEnforceRateLimit: vi.fn(),
 }))
 
 vi.mock('@/lib/public-shares/share-manager', () => ({
   resolveActiveShareByToken: mockResolveActiveShareByToken,
 }))
 
+vi.mock('@/lib/public-shares/rate-limit', () => ({
+  enforcePublicFileRateLimit: mockEnforceRateLimit,
+}))
+
+import { NextResponse } from 'next/server'
 import { GET } from '@/app/api/files/public/[token]/route'
 
 const params = (token = 'tok_1') => ({ params: Promise.resolve({ token }) })
@@ -20,6 +26,16 @@ const request = (token = 'tok_1') => new NextRequest(`http://localhost/api/files
 describe('GET /api/files/public/[token]', () => {
   beforeEach(() => {
     vi.clearAllMocks()
+    mockEnforceRateLimit.mockResolvedValue(null) // allow by default
+  })
+
+  it('returns 429 when the per-IP rate limit is exceeded', async () => {
+    mockEnforceRateLimit.mockResolvedValueOnce(
+      NextResponse.json({ error: 'Too many requests. Please try again later.' }, { status: 429 })
+    )
+    const res = await GET(request(), params())
+    expect(res.status).toBe(429)
+    expect(mockResolveActiveShareByToken).not.toHaveBeenCalled()
   })
 
   it('returns 404 for an unknown or inactive token', async () => {

apps/sim/app/api/files/public/[token]/route.ts

@@ -5,6 +5,7 @@ import { NextResponse } from 'next/server'
 import { getPublicFileContract } from '@/lib/api/contracts/public-shares'
 import { parseRequest } from '@/lib/api/server'
 import { withRouteHandler } from '@/lib/core/utils/with-route-handler'
+import { enforcePublicFileRateLimit } from '@/lib/public-shares/rate-limit'
 import { resolveActiveShareByToken } from '@/lib/public-shares/share-manager'
 
 export const dynamic = 'force-dynamic'
@@ -19,6 +20,9 @@ const logger = createLogger('PublicFileMetadataAPI')
 export const GET = withRouteHandler(
   async (request: NextRequest, context: { params: Promise<{ token: string }> }) => {
     try {
+      const limited = await enforcePublicFileRateLimit(request, 'metadata')
+      if (limited) return limited
+
       const parsed = await parseRequest(getPublicFileContract, request, context)
       if (!parsed.success) return parsed.response
       const { token } = parsed.data.params

apps/sim/lib/public-shares/rate-limit.ts

@@ -0,0 +1,45 @@
+import { NextResponse } from 'next/server'
+import { RateLimiter, type TokenBucketConfig } from '@/lib/core/rate-limiter'
+import { getClientIp } from '@/lib/core/utils/request'
+
+const rateLimiter = new RateLimiter()
+
+/** Metadata reads are cheap (one indexed lookup) — generous per-IP budget. */
+const METADATA_RATE_LIMIT: TokenBucketConfig = {
+  maxTokens: 120,
+  refillRate: 120,
+  refillIntervalMs: 60_000,
+}
+
+/** Content reads stream bytes from storage (S3 egress) — tighter per-IP budget. */
+const CONTENT_RATE_LIMIT: TokenBucketConfig = {
+  maxTokens: 60,
+  refillRate: 60,
+  refillIntervalMs: 60_000,
+}
+
+/**
+ * Per-IP rate limit for the unauthenticated public share endpoints, returning a
+ * `429` response when exceeded (or `null` to proceed). The token is unguessable,
+ * so this defends a *known* link against hammering (DoS / S3 egress) rather than
+ * enumeration. Fails open on storage errors (availability over strictness),
+ * matching the chat public route.
+ */
+export async function enforcePublicFileRateLimit(
+  request: { headers: { get(name: string): string | null } },
+  scope: 'metadata' | 'content'
+): Promise<NextResponse | null> {
+  const ip = getClientIp(request)
+  const config = scope === 'content' ? CONTENT_RATE_LIMIT : METADATA_RATE_LIMIT
+  const result = await rateLimiter.checkRateLimitDirect(`public-file:${scope}:${ip}`, config)
+  if (result.allowed) return null
+
+  const headers =
+    result.retryAfterMs != null
+      ? { 'Retry-After': String(Math.ceil(result.retryAfterMs / 1000)) }
+      : undefined
+  return NextResponse.json(
+    { error: 'Too many requests. Please try again later.' },
+    { status: 429, headers }
+  )
+}