
Security: No rate limiting on POST /session, POST /production, GET /reauth, POST /share endpoints #256

Description

@LucasMaupin

Summary

Only the WHIP and WHEP POST routes have @fastify/rate-limit configured. The following endpoints, which allocate backend resources (SMB endpoints, DB sessions, OSC tokens), are unprotected:

| Route | Risk |
| --- | --- |
| POST /api/v1/productions/:productionId/lines/:lineId/session | No limit — each call allocates an SMB conference endpoint and creates a DB session. Resource exhaustion attack possible. |
| POST /api/v1/productions | No limit — unrestricted production creation fills the DB. |
| GET /api/v1/reauth | No limit — generates OSC service tokens. Token farming / brute-force risk. |
| POST /api/v1/productions/:productionId/share | No limit — unrestricted share token generation. |

Rate limiting was configured globally with global: false (src/api.ts) so only explicitly opted-in routes benefit.

Affected Files

  • src/api_productions.ts — POST /session (line ~652), POST /productions (line ~60)
  • src/api_re_auth.ts — GET /reauth
  • src/api_share.ts — POST /share

Severity

High

Fix

Add rate limit config to each route:

config: {
  rateLimit: {
    max: 10,        // adjust per expected legitimate use
    timeWindow: '1 minute',
  },
},
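Added example, not code from this project or from @fastify/rate-limit: a small fixed-window limiter with the same per-route `max` / `timeWindow` shape the fix proposes, keyed on route plus client, and a check that lists every route left without `config.rateLimit` when the plugin is registered with `global: false` (under that setting only opted-in routes are limited, which is how the gap above arises). The route table is constructed for the example: the four paths are the ones named in the issue, the limit of 10 per minute is the value proposed above, and the `GET /api/v1/healthcheck` route is a hypothetical stand-in for any route that was never opted in. One caveat worth keeping in mind when wiring the real plugin: keying on the client IP only protects the service if the IP the framework sees is the real client, so behind a load balancer the proxy's forwarded-address header has to be trusted deliberately, not by default.

```typescript
// Added example (not the project's code): per-route fixed-window rate limiting
// with the `max` / `timeWindow` semantics proposed in the issue, plus a check
// for routes that stay unlimited when the plugin runs with global: false.

interface RateLimitConfig {
  max: number;        // requests allowed per window
  timeWindow: number; // window length in milliseconds
}

interface RouteDef {
  method: "GET" | "POST";
  url: string;
  config?: { rateLimit?: RateLimitConfig };
}

const ONE_MINUTE = 60_000;

// Route table constructed for this example. Paths are the ones named in the
// issue; the limit is the issue's proposed 10 per minute, not a project value.
// The healthcheck route is hypothetical and deliberately has no rateLimit.
const routes: RouteDef[] = [
  { method: "POST", url: "/api/v1/productions/:productionId/lines/:lineId/session",
    config: { rateLimit: { max: 10, timeWindow: ONE_MINUTE } } },
  { method: "POST", url: "/api/v1/productions",
    config: { rateLimit: { max: 10, timeWindow: ONE_MINUTE } } },
  { method: "GET", url: "/api/v1/reauth",
    config: { rateLimit: { max: 10, timeWindow: ONE_MINUTE } } },
  { method: "POST", url: "/api/v1/productions/:productionId/share",
    config: { rateLimit: { max: 10, timeWindow: ONE_MINUTE } } },
  { method: "GET", url: "/api/v1/healthcheck" },
];

// With global: false only routes carrying config.rateLimit are limited. This
// returns the rest, so a unit test can fail the build when a new route is
// added without a limit.
function unprotectedRoutes(defs: RouteDef[], globalLimit: boolean): string[] {
  if (globalLimit) return [];
  return defs
    .filter((r) => !r.config?.rateLimit)
    .map((r) => `${r.method} ${r.url}`);
}

interface Decision {
  allowed: boolean;
  remaining: number;    // requests left in the current window
  retryAfterMs: number; // 0 when allowed
}

// Fixed-window counter per (route, client). The window is anchored at the
// first request, so up to 2*max requests can cross a window boundary; that is
// an accepted trade-off for an abuse limit on resource-allocating endpoints.
class FixedWindowLimiter {
  private buckets = new Map<string, { windowStart: number; count: number }>();

  check(route: string, client: string, cfg: RateLimitConfig, now: number): Decision {
    const key = `${route}|${client}`;
    let b = this.buckets.get(key);
    if (!b || now - b.windowStart >= cfg.timeWindow) {
      b = { windowStart: now, count: 0 };
      this.buckets.set(key, b);
    }
    if (b.count >= cfg.max) {
      return { allowed: false, remaining: 0, retryAfterMs: b.windowStart + cfg.timeWindow - now };
    }
    b.count += 1;
    return { allowed: true, remaining: cfg.max - b.count, retryAfterMs: 0 };
  }
}

// Drive `n` requests from one client, `gapMs` apart starting at `startMs`, and
// return the HTTP status each would receive (200, or 429 once the limit hits).
function simulateBurst(
  limiter: FixedWindowLimiter, route: RouteDef, client: string,
  n: number, startMs: number, gapMs = 100,
): number[] {
  const cfg = route.config?.rateLimit;
  const statuses: number[] = [];
  for (let i = 0; i < n; i++) {
    if (!cfg) { statuses.push(200); continue; } // no limit configured on this route
    const d = limiter.check(`${route.method} ${route.url}`, client, cfg, startMs + i * gapMs);
    statuses.push(d.allowed ? 200 : 429);
  }
  return statuses;
}
```

Running `simulateBurst` against the session route with twelve requests in a second yields ten 200s followed by two 429s, a second client keeps its own budget, and the same client is admitted again once a full minute has elapsed; `unprotectedRoutes(routes, false)` names only the hypothetical healthcheck route, which is the kind of check that would have caught the four endpoints in this issue.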

    Labels

bug (Something isn't working)