From 8438d44ac3aba97849e54d8acc56f4eee50475b7 Mon Sep 17 00:00:00 2001
From: Brendan Chen <me@bchen.dev>
Date: Tue, 26 Aug 2025 11:34:29 -0700
Subject: [PATCH] Use the Express.js rate limiter middleware if not disabled

---
 src/index.ts | 57 +++++++++++++++++++++++++++++++++++-----------------
 1 file changed, 39 insertions(+), 18 deletions(-)

diff --git a/src/index.ts b/src/index.ts
index d7d44c0..9a53aaa 100644
--- a/src/index.ts
+++ b/src/index.ts
@@ -6,6 +6,8 @@ import { InterchangeSystem, InterchangeSystemBuilderArguments } from "./entities
 import { ChapmanApiBasedParkingRepositoryLoader } from "./loaders/parking/ChapmanApiBasedParkingRepositoryLoader";
 import express from "express";
 import { expressMiddleware } from "@as-integrations/express5";
+import { RATE_LIMITS_DISABLED } from "./environment";
+import rateLimit from "express-rate-limit";
 
 const typeDefs = readFileSync("./schema.graphqls", "utf8");
 
@@ -36,24 +38,43 @@ async function main() {
   ));
 
   const app = express();
-  app.use(
-    "/",
-    express.json(),
-    expressMiddleware(server, {
-      context: async () => {
-        return {
-          systems,
-          findSystemById: (id: string) => {
-            const system = systems.find((system) => system.id === id);
-            if (!system) {
-              return null;
-            }
-            return system;
-          },
-        }
-      },
-    })
-  );
+  const options = {
+    context: async () => {
+      return {
+        systems,
+        findSystemById: (id: string) => {
+          const system = systems.find((system) => system.id === id);
+          if (!system) {
+            return null;
+          }
+          return system;
+        },
+      }
+    },
+  };
+
+  if (RATE_LIMITS_DISABLED) {
+    app.use(
+      "/",
+      express.json(),
+      expressMiddleware(server, options)
+    );
+  } else {
+    const limiter = rateLimit({
+      windowMs: 60 * 1000, // Every minute
+      limit: 20000,
+      standardHeaders: 'draft-8', // draft-6: `RateLimit-*` headers; draft-7 & draft-8: combined `RateLimit` header
+      legacyHeaders: false, // Disable the `X-RateLimit-*` headers.
+      ipv6Subnet: 60, // Set to 60 or 64 to be less aggressive, or 52 or 48 to be more aggressive
+    });
+    app.use(
+      "/",
+      express.json(),
+      limiter,
+      expressMiddleware(server, options),
+    );
+  }
+
 
   const port = process.env.PORT ? parseInt(process.env.PORT) : 4000;
   app.listen(port, () => {