From a9b0cb68c8a34e64cc66b7f33086a38188458256 Mon Sep 17 00:00:00 2001
From: "Kyle J. Burda" <47502769+kylejb@users.noreply.github.com>
Date: Sat, 2 Nov 2024 10:01:09 -0400
Subject: [PATCH] security(server): add rate limiting to guard against DoS
Co-authored-by: Copilot Autofix powered by AI <62310815+github-advanced-security[bot]@users.noreply.github.com>
---
 server/package.json | 3 ++-
 server/src/server.ts | 8 ++++++++
 2 files changed, 10 insertions(+), 1 deletion(-)
diff --git a/server/package.json b/server/package.json
index 8aa5a81..2e0da7d 100644
--- a/server/package.json
+++ b/server/package.json
@@ -8,7 +8,8 @@
 "dotenv": "^16.4.5",
 "express": "^5.0.0",
 "fast-xml-parser": "^4.5.0",
- "luxon": "^3.5.0"
+ "luxon": "^3.5.0",
+ "express-rate-limit": "^7.4.1"
 },
 "devDependencies": {
 "@types/express": "^5.0.0",
diff --git a/server/src/server.ts b/server/src/server.ts
index f0e658d..a5ae9c3 100644
--- a/server/src/server.ts
+++ b/server/src/server.ts
@@ -3,6 +3,7 @@ import { json } from 'body-parser';
 import express, { Express, Request, Response } from 'express';
 import { XMLParser } from 'fast-xml-parser';
 import path from 'path';
+import rateLimit from 'express-rate-limit';
 import { cleanTableData } from './cleanTableData';
 import { SpotTheStationResponse } from './types';
@@ -15,6 +16,13 @@ export class Server {
 this.app = app;
 this.app.disable('x-powered-by'); // security
+ const limiter = rateLimit({
+ windowMs: 15 * 60 * 1000, // 15 minutes
+ max: 100, // limit each IP to 100 requests per windowMs
+ });
+
+ this.app.use(limiter);
+
 this.app.use(express.static(path.resolve('../dist/web')));
 this.app.use(json());
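Review bot: The limiter options passed to `rateLimit` use `max`, which express-rate-limit 7.x (the `^7.4.1` added in package.json) keeps only as a deprecated alias of `limit`; the option block should read `limit: 100, // limit each IP to 100 requests per windowMs` together with `standardHeaders: 'draft-7', legacyHeaders: false,` so clients are told the limit via the standard RateLimit headers. The middleware is registered before `express.static`, so every script, stylesheet and image a page load fetches is debited from the same 100-requests-per-15-minutes budget as the API, which can lock out a legitimate browser session after a few reloads; mounting the limiter on the API routes only, or exempting static assets, avoids that. If this server sits behind a reverse proxy, Express's default `trust proxy` of false makes every client appear as the proxy's address, so all users would share one bucket and v7's startup validation reports an unexpected X-Forwarded-For header; in that deployment set `app.set('trust proxy', <proxy-hop-count>)` before `this.app.use(limiter)` and confirm with a request that `req.ip` is the client address. The method containing these lines begins and ends outside the hunk, and the hunk's final context line is not visible here.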