IP based rate limit

Author: nsarrazin

src/routes/conversation/[id]/+server.ts

@@ -46,10 +46,21 @@ export async function POST({ request, fetch, locals, params, getClientAddress })
 		throw error(429, "Exceeded number of messages before login");
 	}
 
-	const nEvents = await collections.messageEvents.countDocuments({ userId });
+	if (RATE_LIMIT !== "") {
+		let nEvents = 0;
+		if (locals.user?._id) {
+			// if logged in do rate limiting based on user id
+			nEvents = await collections.messageEvents.countDocuments({ userId });
+		} else {
+			// do rate limiting based on session id but also ip address
+			const nEventsIp = await collections.messageEvents.countDocuments({ ip: getClientAddress() });
+			const nEventsSession = await collections.messageEvents.countDocuments({ userId });
+			nEvents = Math.max(nEventsIp, nEventsSession);
+		}
 
-	if (RATE_LIMIT != "" && nEvents > parseInt(RATE_LIMIT)) {
-		throw error(429, ERROR_MESSAGES.rateLimited);
+		if (nEvents > parseInt(RATE_LIMIT)) {
+			throw error(429, ERROR_MESSAGES.rateLimited);
+		}
 	}
 
 	const model = models.find((m) => m.id === conv.model);