From a5aca4fadad1425847e735b3905e3e40fba3cdf7 Mon Sep 17 00:00:00 2001
From: yuuki <>
Date: Fri, 24 Jan 2025 12:09:41 +0900
Subject: [PATCH] =?UTF-8?q?Flask-Limiter=E3=82=92=E4=BD=BF=E7=94=A8?= =?UTF-8?q?=E3=81=97=E3=81=A6=E5=89=8A=E9=99=A4=E3=81=AB=E5=88=B6=E9=99=90?= =?UTF-8?q?=E3=82=92=E6=8E=9B=E3=81=91=E3=82=8B?=
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
---
 app.py | 32 ++++++++++++++++++++++++++------
 requirements.txt | 1 +
 2 files changed, 27 insertions(+), 6 deletions(-)
diff --git a/app.py b/app.py
index 9c49a44..a489558 100644
--- a/app.py
+++ b/app.py
@@ -19,8 +19,7 @@ import traceback
 import pprint
 import pathlib
 import shutil
-from random import randint
-import datetime
+from flask_limiter import Limiter
 import flask
 import nkf
@@ -46,6 +45,30 @@ def take_config(name, required=False):
 return None
 app = Flask(__name__)
+
+def get_remote_address() -> str:
+ return flask.request.headers.get("CF-Connecting-IP") or flask.request.headers.get("X-Forwarded-For") or flask.request.remote_addr or "127.0.0.1"
+
+limiter = Limiter(
+ get_remote_address,
+ app=app,
+ # default_limits=[],
+ # storage_uri="memory://",
+ # Redis
+ storage_uri=os.environ.get("REDIS_URI", "redis://127.0.0.1:6379/"),
+ # Redis cluster
+ # storage_uri="redis+cluster://localhost:7000,localhost:7001,localhost:70002",
+ # Memcached
+ # storage_uri="memcached://localhost:11211",
+ # Memcached Cluster
+ # storage_uri="memcached://localhost:11211,localhost:11212,localhost:11213",
+ # MongoDB
+ # storage_uri="mongodb://localhost:27017",
+ # Etcd
+ # storage_uri="etcd://localhost:2379",
+ strategy="fixed-window", # or "moving-window"
+)
+
 client = MongoClient(host=os.environ.get("TAIKO_WEB_MONGO_HOST") or take_config('MONGO', required=True)['host'])
 basedir = take_config('BASEDIR') or '/'
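Review bot: In `get_remote_address` (the `@@ -46,6 +45,30 @@` hunk) the rate-limit key is read from `CF-Connecting-IP` or `X-Forwarded-For` exactly as the request supplies them, so unless every request is guaranteed to arrive through a proxy that overwrites those headers, the client picks its own key and the limit does not bind to it. `X-Forwarded-For` can also carry a comma-separated chain, which would map one client to several keys. I would drop the custom function, wrap the app with `app.wsgi_app = ProxyFix(app.wsgi_app, x_for=N)` from `werkzeug.middleware.proxy_fix` (N being the number of trusted proxies in front of the app), and pass `flask_limiter.util.get_remote_address` as the key function. A short comment above `Limiter(...)` naming the trusted proxy would help the next reader, and the commented-out `storage_uri` alternatives read better in documentation than inside the constructor call.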
@@ -827,11 +850,8 @@ def upload_file():
 return flask.jsonify({'success': True})
 @app.route("/api/delete", methods=["POST"])
+@limiter.limit("1 per day")
 def delete():
- rand = randint(1, 100)
- if rand != 100:
- return f"{rand} は 100 ではありません。", 403
-
 id = flask.request.get_json().get('id')
 client["taiko"]["songs"].delete_one({ "id": id })
diff --git a/requirements.txt b/requirements.txt
index abf6fe8..65611d9 100644
--- a/requirements.txt
+++ b/requirements.txt
@@ -11,5 +11,6 @@ redis==5.2.1
 requests==2.32.3
 websockets==14.2
 nkf==1.0.4
+Flask-Limiter==3.10.1
 git+https://github.com/yuukiwww/tjaf.git@d59e854b074012f6a31bd4c65b53edb6148b0ac7
 git+https://github.com/jcrist/msgspec.git@29390b0385cda4ba76a0aaf4ede5d54ae9ff35ff
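Review bot: `@limiter.limit("1 per day")` is now the only gate visible on `delete()` in the `@@ -827,11 +850,8 @@` hunk, and a per-address rate limit is not authorization: any caller can still remove any song, once per key per day. The value from `flask.request.get_json().get('id')` also reaches `delete_one` without a type check, so a missing `id` or a non-string JSON value (which MongoDB treats as a query document rather than a literal) can match a song the caller never named. A guard before the query such as `if not isinstance(id, str) or not id: return flask.jsonify({'success': False}), 400` would close that, and renaming the local avoids shadowing the builtin `id`. If deletion is meant to be restricted, an ownership or admin check is needed alongside the limiter. The rest of `delete()` lies outside this hunk, so a later check may exist that is not visible here.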