Summary
Only the WHIP and WHEP POST routes have @fastify/rate-limit configured. The following endpoints, which allocate backend resources (SMB endpoints, DB sessions, OSC tokens), are unprotected:
| Route | Risk |
| --- | --- |
| `POST /api/v1/productions/:productionId/lines/:lineId/session` | No limit — each call allocates an SMB conference endpoint and creates a DB session. Resource exhaustion attack possible. |
| `POST /api/v1/productions` | No limit — unrestricted production creation fills the DB. |
| `GET /api/v1/reauth` | No limit — generates OSC service tokens. Token farming / brute-force risk. |
| `POST /api/v1/productions/:productionId/share` | No limit — unrestricted share token generation. |
Rate limiting was registered globally with `global: false` (`src/api.ts`), so only routes that explicitly opt in via their route `config` benefit.
Affected Files
- `src/api_productions.ts` — `POST /session` (line ~652), `POST /productions` (line ~60)
- `src/api_re_auth.ts` — `GET /reauth`
- `src/api_share.ts` — `POST /share`
Severity
High
Fix
Add a rate limit config to each of the routes above, in the route options object passed alongside the handler (this is how @fastify/rate-limit reads per-route settings when `global: false`):

```ts
// Route options object, e.g. fastify.post(url, { config: { ... } }, handler)
{
  config: {
    rateLimit: {
      max: 10, // adjust per expected legitimate use
      timeWindow: '1 minute',
    },
  },
}
```
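To make the effect of the per-route `{ max, timeWindow }` setting concrete, the following added example (not the project's code and not @fastify/rate-limit itself) is a self-contained fixed-window limiter with the same configuration shape. It keys counters per route and per client, and it models the `global: false` behaviour described above: a route with no entry in the limit table is simply never limited. The route table, the `checkRequest` helper and the client keys (IP strings) are constructed for illustration; the plugin's real windowing and key derivation may differ in detail.

```typescript
// Added example: a fixed-window limiter that mimics the { max, timeWindow }
// semantics of @fastify/rate-limit so the effect of per-route config can be
// reasoned about offline. Not the plugin's code; the route table is constructed.

interface RateLimitConfig {
  max: number;                 // requests allowed per window, per client key
  timeWindow: string | number; // '1 minute', '30 seconds', ... or milliseconds
}

interface Decision {
  allowed: boolean;
  remaining: number;    // -1 means "no limit configured for this route"
  retryAfterMs: number; // 0 when allowed
}

// Parse '1 minute', '30 seconds', '2 hours', '500 ms' or a millisecond number.
function parseTimeWindow(tw: string | number): number {
  if (typeof tw === 'number') return tw;
  const m = /^(\d+)\s*(ms|millisecond|second|minute|hour)s?$/i.exec(tw.trim());
  if (!m) throw new Error(`unparseable timeWindow: ${tw}`);
  const mult: Record<string, number> = {
    ms: 1, millisecond: 1, second: 1000, minute: 60_000, hour: 3_600_000,
  };
  return Number(m[1]) * mult[m[2].toLowerCase()];
}

// One limiter per route; counts requests per client key inside a fixed window.
class FixedWindowLimiter {
  private readonly windowMs: number;
  private readonly buckets = new Map<string, { count: number; windowStart: number }>();

  constructor(private readonly cfg: RateLimitConfig) {
    this.windowMs = parseTimeWindow(cfg.timeWindow);
  }

  decide(clientKey: string, nowMs: number): Decision {
    const b = this.buckets.get(clientKey);
    // First request, or the previous window has elapsed: start a fresh window.
    if (!b || nowMs - b.windowStart >= this.windowMs) {
      this.buckets.set(clientKey, { count: 1, windowStart: nowMs });
      return { allowed: true, remaining: this.cfg.max - 1, retryAfterMs: 0 };
    }
    // Window still open and the budget is spent: reject and say when it resets.
    if (b.count >= this.cfg.max) {
      return { allowed: false, remaining: 0, retryAfterMs: b.windowStart + this.windowMs - nowMs };
    }
    b.count += 1;
    return { allowed: true, remaining: this.cfg.max - b.count, retryAfterMs: 0 };
  }
}

// Constructed route table: the routes named in the issue, each opted in with
// the suggested config. Anything absent here behaves as with global: false.
const routeLimits: Record<string, RateLimitConfig> = {
  'POST /api/v1/productions/:productionId/lines/:lineId/session': { max: 10, timeWindow: '1 minute' },
  'POST /api/v1/productions': { max: 10, timeWindow: '1 minute' },
  'GET /api/v1/reauth': { max: 10, timeWindow: '1 minute' },
  'POST /api/v1/productions/:productionId/share': { max: 10, timeWindow: '1 minute' },
};

const limiters = new Map<string, FixedWindowLimiter>();

// Hypothetical helper standing in for the plugin's onRequest hook.
function checkRequest(route: string, clientKey: string, nowMs: number): Decision {
  const cfg = routeLimits[route];
  if (!cfg) return { allowed: true, remaining: -1, retryAfterMs: 0 }; // unprotected route
  let limiter = limiters.get(route);
  if (!limiter) {
    limiter = new FixedWindowLimiter(cfg);
    limiters.set(route, limiter);
  }
  return limiter.decide(clientKey, nowMs);
}
```

Running `checkRequest` eleven times for one client key within the same minute shows the first ten allowed and the eleventh rejected with a non-zero `retryAfterMs`, while a second client key and any route missing from `routeLimits` are unaffected; that last case is exactly the gap the issue describes.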
Related