openclawd/docfast
1
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions
docfast/src/middleware/usage.ts
OpenClaw 8a86e34f91
All checks were successful
Deploy to Production / Deploy to Server (push) Successful in 2m52s
Details
fix: critical and high-severity security fixes 
- CRITICAL: DNS rebinding SSRF - pin DNS resolution via request interception
- CRITICAL: XSS in billing success - use data-attribute instead of JS string
- HIGH: Webhook signature bypass - refuse unverified webhooks (500)
- HIGH: Filename header injection - sanitize Content-Disposition filename
- HIGH: Verification code timing attack - use crypto.timingSafeEqual()
- HIGH: Remove duplicate unreachable 404 handler
- HIGH: Add IPv6 unique local (fc00::/7) to SSRF private IP check
- HIGH: Replace console.warn with structured logger
2026-02-16 18:56:21 +00:00

99 lines
3.1 KiB
TypeScript
Raw Blame History

import { isProKey } from "../services/keys.js";
import logger from "../services/logger.js";
import pool from "../services/db.js";
const FREE_TIER_LIMIT = 100;
const PRO_TIER_LIMIT = 5000;
// In-memory cache, periodically synced to PostgreSQL
let usage = new Map<string, { count: number; monthKey: string }>();
function getMonthKey(): string {
const d = new Date();
return `${d.getFullYear()}-${String(d.getMonth() + 1).padStart(2, "0")}`;
}
export async function loadUsageData(): Promise<void> {
try {
const result = await pool.query("SELECT key, count, month_key FROM usage");
usage = new Map();
for (const row of result.rows) {
usage.set(row.key, { count: row.count, monthKey: row.month_key });
}
logger.info(`Loaded usage data for ${usage.size} keys from PostgreSQL`);
} catch (error) {
logger.info("No existing usage data found, starting fresh");
usage = new Map();
}
}
async function saveUsageEntry(key: string, record: { count: number; monthKey: string }): Promise<void> {
try {
await pool.query(
`INSERT INTO usage (key, count, month_key) VALUES ($1, $2, $3)
ON CONFLICT (key) DO UPDATE SET count = $2, month_key = $3`,
[key, record.count, record.monthKey]
);
} catch (error) {
logger.error({ err: error }, "Failed to save usage data");
}
}
export function usageMiddleware(req: any, res: any, next: any): void {
const keyInfo = req.apiKeyInfo;
const key = keyInfo?.key || "unknown";
const monthKey = getMonthKey();
if (isProKey(key)) {
const record = usage.get(key);
if (record && record.monthKey === monthKey && record.count >= PRO_TIER_LIMIT) {
res.status(429).json({
error: "Pro tier limit reached (5,000/month). Contact support for higher limits.",
limit: PRO_TIER_LIMIT,
used: record.count,
});
return;
}
trackUsage(key, monthKey);
next();
return;
}
const record = usage.get(key);
if (record && record.monthKey === monthKey && record.count >= FREE_TIER_LIMIT) {
res.status(429).json({
error: "Free tier limit reached",
limit: FREE_TIER_LIMIT,
used: record.count,
upgrade: "Upgrade to Pro for 5,000 PDFs/month: https://docfast.dev/pricing",
});
return;
}
trackUsage(key, monthKey);
next();
}
function trackUsage(key: string, monthKey: string): void {
const record = usage.get(key);
if (!record || record.monthKey !== monthKey) {
const newRecord = { count: 1, monthKey };
usage.set(key, newRecord);
saveUsageEntry(key, newRecord).catch((err) => logger.error({ err }, "Failed to save usage entry"));
} else {
record.count++;
saveUsageEntry(key, record).catch((err) => logger.error({ err }, "Failed to save usage entry"));
}
}
export function getUsageStats(apiKey?: string): Record<string, { count: number; month: string }> {
const stats: Record<string, { count: number; month: string }> = {};
if (apiKey) {
const record = usage.get(apiKey);
if (record) {
const masked = apiKey.slice(0, 8) + "...";
stats[masked] = { count: record.count, month: record.monthKey };
}
}
return stats;
}
Reference in a new issue View git blame Copy permalink