문자인증등 과도한 요청 방지 기능 추가-issue-27

과도한 요청 방지 기능 추가

package.json

@@ -33,6 +33,7 @@
     "@nestjs/platform-express": "^8.0.0",
     "@nestjs/platform-socket.io": "^8.4.7",
     "@nestjs/swagger": "^5.0.9",
+    "@nestjs/throttler": "^3.0.0",
     "@nestjs/typeorm": "^8.1.4",
     "@nestjs/websockets": "^8.4.7",
     "@redis/client": "^1.2.0",
@@ -57,6 +58,7 @@
     "rxjs": "^7.2.0",
     "swagger-ui-express": "^4.4.0",
     "typeorm": "^0.3.7",
+    "uuid": "^8.3.2",
     "winston": "^3.8.1"
   },
   "lint-staged": {
@@ -74,6 +76,7 @@
     "@types/jsonwebtoken": "^8.5.8",
     "@types/node": "^16.0.0",
     "@types/supertest": "^2.0.11",
+    "@types/uuid": "^8.3.4",
     "@typescript-eslint/eslint-plugin": "^5.0.0",
     "@typescript-eslint/parser": "^5.0.0",
     "codecov": "^3.8.3",

src/app.module.ts

@@ -14,6 +14,7 @@ import { APP_FILTER } from '@nestjs/core';
 import { DatabaseModule } from './database/database.module';
 import { UsersModule } from './users/users.module';
 import { SmsModule } from './sms/sms.module';
+import { ThrottlerModule } from '@nestjs/throttler';
 
 @Module({
   imports: [
@@ -66,7 +67,11 @@ import { SmsModule } from './sms/sms.module';
     SocketModule,
     DatabaseModule.forRoot({ isTest: false }),
     UsersModule,
-    SmsModule
+    SmsModule,
+    ThrottlerModule.forRoot({
+      ttl: process.env.NODE_ENV === 'prod' ? 300 : 60,
+      limit: 3
+    })
   ],
 
   providers: [

src/auth/auth.controller.ts

@@ -21,19 +21,25 @@ import { ResponseRequestValidationDto } from './dtos/RequestValidation.response.
 import { RequestValidateNumberDto } from './dtos/ValidateNumber.request.dto';
 import { ResponseValidateNumberDto } from './dtos/ValidateNumber.response.dto';
 import { RegisterTokenGuard } from './guards/RegisterToken.guard';
+import { ThrottlerBehindProxyGuard } from './guards/TrottlerBehindProxy.guard';
 
 @ApiTags('auth')
 @Controller('auth')
 export class AuthController {
   constructor(private readonly authService: AuthService) {}
 
+  @UseGuards(ThrottlerBehindProxyGuard)
   @ApiOperation({ summary: '휴대전화번호 인증번호를 요청한다.' })
   @ApiBody({ type: RequestPhoneNumberDto })
   @ApiResponse({
     status: 200,
     description: '요청 성공시',
     type: ResponseRequestValidationDto
   })
+  @ApiResponse({
+    status: 429,
+    description: '과도한 요청을 보낼시에'
+  })
   @Post('message/send')
   async requestPhoneValidationNumber(
     @Body() requestPhoneNumberDto: RequestPhoneNumberDto
@@ -82,6 +88,7 @@ export class AuthController {
     );
   }
 
+  @UseGuards(ThrottlerBehindProxyGuard)
   @ApiOperation({ summary: '슬랙 인증번호를 발송한다 (관리자 용 )' })
   @ApiResponse({
     status: 200,
@@ -92,6 +99,10 @@ export class AuthController {
     status: 400,
     description: '슬랙에 들어와있는 유저가 아닐때 , 어드민 유저가 아닐 때'
   })
+  @ApiResponse({
+    status: 429,
+    description: '과도한 요청을 보낼시에'
+  })
   @ApiBody({ type: RequestAdminSendValidationNumberDto })
   @Post('/slack/send')
   async slackSendValidationNumber(

src/auth/guards/TrottlerBehindProxy.guard.ts

@@ -0,0 +1,29 @@
+// throttler-behind-proxy.guard.ts
+// 고스락 백엔드 서버는 nginx 뒤에 프록시 형태로 연결되어있기 때문에
+// X-Forwarded-For 헤더값을 통해서
+// 요청한 사람의 원래 ip 주소를 가져와야합니다.
+import { ThrottlerGuard } from '@nestjs/throttler';
+import { Injectable } from '@nestjs/common';
+import { Request } from 'express';
+import { v4 } from 'uuid';
+
+@Injectable()
+export class ThrottlerBehindProxyGuard extends ThrottlerGuard {
+  protected getTracker(req: Request): string {
+    if (process.env.NODE_ENV === 'prod') {
+      const clientProxyIps = req.headers['x-forwarded-for'];
+      if (!clientProxyIps) {
+        return v4();
+      }
+      if (Array.isArray(clientProxyIps)) {
+        return clientProxyIps[0];
+      } else {
+        return clientProxyIps;
+      }
+    } else {
+      return req.ips.length ? req.ips[0] : req.ip; // individualize IP extraction to meet your own needs
+    }
+  }
+}
+
+// app.controller.ts