Merge pull request #65 from viniciuscosmome/feat/rate-limit

Feat/rate limit

package.json

@@ -41,6 +41,7 @@
     "@nestjs/core": "^9.0.0",
     "@nestjs/platform-express": "^9.0.0",
     "@nestjs/swagger": "^7.0.0",
+    "@nestjs/throttler": "^5.1.1",
     "@prisma/client": "^4.11.0",
     "bcrypt": "^5.1.0",
     "class-transformer": "^0.5.1",

src/app.module.ts

@@ -1,7 +1,14 @@
 import { Module } from '@nestjs/common';
+import { ThrottlerModule } from '@nestjs/throttler';
+import { throttlerConfig } from './config/throttler';
 import { AccountModule, TaskModule, GoalModule } from './modules';
 
 @Module({
-  imports: [AccountModule, TaskModule, GoalModule],
+  imports: [
+    ThrottlerModule.forRoot(throttlerConfig),
+    AccountModule,
+    TaskModule,
+    GoalModule,
+  ],
 })
 export class AppModule {}

src/config/throttler.ts

@@ -0,0 +1,17 @@
+import { ThrottlerOptions, ThrottlerModuleOptions } from '@nestjs/throttler';
+
+export const throttlers: Array<ThrottlerOptions> = [
+  {
+    ttl: 1000,
+    limit: 3,
+  },
+  {
+    ttl: 10000,
+    limit: 20,
+  },
+];
+
+export const throttlerConfig: ThrottlerModuleOptions = {
+  throttlers: throttlers,
+  errorMessage: 'Você fez muitas requisições em um curto periodo de tempo.',
+};

src/modules/Account/account.controller.ts

@@ -9,6 +9,7 @@ import {
   Req,
 } from '@nestjs/common';
 import { ApiTags, ApiBearerAuth } from '@nestjs/swagger';
+import { ThrottlerGuard } from '@nestjs/throttler';
 import {
   CreateAccountControllerInput,
   AccessAccountControllerInput,
@@ -22,7 +23,7 @@ import { SessionService } from '../Session/session.service';
 import { Permissions, RequirePermissions, RolesGuard } from 'src/guards';
 import { CREDENTIALS_KEY } from 'src/utils/constants';
 
-@UseGuards(RolesGuard)
+@UseGuards(ThrottlerGuard, RolesGuard)
 @Controller('auth')
 export class AccountController {
   constructor(

src/modules/Goal/goal.controller.ts

@@ -15,7 +15,9 @@ import { Permissions, RequirePermissions, RolesGuard } from 'src/guards';
 import { Request } from 'express';
 import { CREDENTIALS_KEY } from 'src/utils/constants';
 import { ApiBearerAuth, ApiTags } from '@nestjs/swagger';
+import { ThrottlerGuard } from '@nestjs/throttler';
 
+@UseGuards(ThrottlerGuard)
 @Controller('goals')
 export class GoalController {
   constructor(private goalService: GoalService) {}

src/modules/Task/task.controller.ts

@@ -13,16 +13,18 @@ import {
   Query,
 } from '@nestjs/common';
 import { ApiTags, ApiBearerAuth } from '@nestjs/swagger';
+import { ThrottlerGuard } from '@nestjs/throttler';
 import { TaskService } from './task.service';
 import {
   CreateTaskInput,
-  FindATaskControllerDto,
+  TaskIdDto,
   FindTasksControllerDto,
   UpdateTaskInput,
 } from './task.dtos';
 import { CREDENTIALS_KEY } from 'src/utils/constants';
 import { RequirePermissions, Permissions, RolesGuard } from 'src/guards';
 
+@UseGuards(ThrottlerGuard)
 @Controller('tasks')
 export class TaskController {
   constructor(private taskService: TaskService) {}
@@ -44,22 +46,22 @@ export class TaskController {
 
   @ApiTags('Tasks')
   @ApiBearerAuth()
-  @Put(':id')
+  @Put('/:id')
   @UseGuards(RolesGuard)
   @RequirePermissions([Permissions['302']])
   async updateById(
-    @Param('id') id: number,
+    @Param() input: TaskIdDto,
     @Body() updateTaskInput: UpdateTaskInput,
     @Req() req: Request
   ) {
     const cred = req[CREDENTIALS_KEY];
 
-    const accountId = await this.taskService.getAccountById(id);
+    const accountId = await this.taskService.getAccountById(input.id);
 
     // Authorization
     if (accountId != cred.accountId) throw new ForbiddenException();
 
-    const updatedTask = await this.taskService.updateById(id, {
+    const updatedTask = await this.taskService.updateById(input.id, {
       ...updateTaskInput,
       accountId: cred.accountId,
     });
@@ -69,19 +71,19 @@ export class TaskController {
 
   @ApiTags('Tasks')
   @ApiBearerAuth()
-  @Delete(':id')
+  @Delete('/:id')
   @UseGuards(RolesGuard)
   @RequirePermissions([Permissions['303']])
   @HttpCode(200)
-  async deleteById(@Param('id') id: number, @Req() req: Request) {
+  async deleteById(@Param() input: TaskIdDto, @Req() req: Request) {
     const cred = req[CREDENTIALS_KEY];
 
-    const accountId = await this.taskService.getAccountById(id);
+    const accountId = await this.taskService.getAccountById(input.id);
 
     // Authorization
     if (accountId != cred.accountId) throw new ForbiddenException();
 
-    await this.taskService.deleteById(id);
+    await this.taskService.deleteById(input.id);
     return;
   }
 
@@ -106,14 +108,11 @@ export class TaskController {
 
   @ApiTags('Tasks')
   @ApiBearerAuth()
-  @Get('/:taskId')
+  @Get('/:id')
   @HttpCode(200)
   @UseGuards(RolesGuard)
   @RequirePermissions([Permissions['301']])
-  async getATaskInfo(
-    @Param() input: FindATaskControllerDto,
-    @Req() request: Request
-  ) {
+  async getATaskInfo(@Param() input: TaskIdDto, @Req() request: Request) {
     const { accountId } = request[CREDENTIALS_KEY];
 
     return await this.taskService.findTaskByid({

src/modules/Task/task.dtos.ts

@@ -93,7 +93,7 @@ export class FindTasksControllerDto {
   year: number;
 }
 
-export class FindATaskControllerDto {
+export class TaskIdDto {
   @ApiProperty()
   @IsNotEmpty()
   @Transform((params) => Number(params.value))

src/modules/Task/task.repository.ts

@@ -51,13 +51,20 @@ export class TaskRepository {
   }
 
   async findAccountByTaskId(id: number) {
-    const task = await this.prisma.task.findUnique({
-      where: {
-        id: id,
-      },
-    });
+    const accountId = await this.prisma.task
+      .findUnique({
+        where: {
+          id: id,
+        },
+        select: {
+          accountId: true,
+        },
+      })
+      .then((result) => {
+        return result?.accountId;
+      });
 
-    return task.accountId;
+    return accountId;
   }
 
   async findTasks(filters: FindTasksRepositoryInput['filters']) {