Improvements:

chrishubert · chrishubert · commit dcf880059d33 · 2023-04-23T07:47:30.000+07:00
- Max Attachment Size
- Rate Limiting
diff --git a/.env.example b/.env.example
@@ -3,6 +3,7 @@ PORT=3000 # OPTIONAL
 API_KEY=your_global_api_key_here # OPTIONAL
 BASE_WEBHOOK_URL=http://localhost:3000/localCallbackExample # MANDATORY
 ENABLE_LOCAL_CALLBACK_EXAMPLE=TRUE # OPTIONAL, NOT RECOMMENDED FOR PRODUCTION
+MAX_ATTACHMENT_SIZE=10000000 # IN BYTES
 
 # Session File Storage
 SESSIONS_PATH=./sessions # OPTIONAL
diff --git a/.github/workflows/dependabot.yml b/.github/workflows/dependabot.yml
@@ -0,0 +1,6 @@
+version: 2
+updates:
+  - package-ecosystem: "npm" # See documentation for possible values
+    directory: "/" # Location of package manifests
+    schedule:
+      interval: "weekly"
diff --git a/assets/basic_start.gif b/assets/basic_start.gif
diff --git a/docker-compose.yml b/docker-compose.yml
@@ -11,5 +11,6 @@ services:
       # - API_KEY=your_global_api_key_here  # OPTIONAL
       - BASE_WEBHOOK_URL=http://localhost:3000/localCallbackExample
       - ENABLE_LOCAL_CALLBACK_EXAMPLE=TRUE # OPTIONAL, NOT RECOMMENDED FOR PRODUCTION
+      - MAX_ATTACHMENT_SIZE=5000000 # IN BYTES
     volumes:
       - ./sessions:/usr/src/app/sessions # Mount the local ./sessions/ folder to the container's /usr/src/app/sessions folder
diff --git a/package-lock.json b/package-lock.json
diff --git a/package.json b/package.json
@@ -11,6 +11,7 @@
     "axios": "^1.3.5",
     "dotenv": "^16.0.3",
     "express": "^4.18.2",
+    "express-rate-limit": "^6.7.0",
     "qrcode-terminal": "^0.12.0",
     "whatsapp-web.js": "^1.19.5"
   },
diff --git a/server.js b/server.js
@@ -1,15 +1,16 @@
-const app = require("./src/app");
-require("dotenv").config();
+const app = require('./src/app')
+const { baseWebhookURL } = require('./src/config')
+require('dotenv').config()
 
 // Start the server
-const port = process.env.PORT || 3000;
+const port = process.env.PORT || 3000
 
 // Check if BASE_WEBHOOK_URL environment variable is available
-if (!process.env.BASE_WEBHOOK_URL) {
-  console.error("BASE_WEBHOOK_URL environment variable is not available. Exiting...");
-  process.exit(1); // Terminate the application with an error code
+if (!baseWebhookURL) {
+  console.error('BASE_WEBHOOK_URL environment variable is not available. Exiting...')
+  process.exit(1) // Terminate the application with an error code
 }
 
 app.listen(port, () => {
-  console.log(`Server running on port ${port}`);
-});
+  console.log(`Server running on port ${port}`)
+})
diff --git a/src/app.js b/src/app.js
@@ -1,14 +1,14 @@
 require('./routes')
 const { restoreSessions } = require('./sessions')
 const { routes } = require('./routes')
-
-// Import required modules
 const app = require('express')()
 const bodyParser = require('body-parser')
+const { maxAttachmentSize } = require('./config')
 
-// Initialize Express app
+// Initialize Express app (file limit is 100mb from WhatsApp)
 app.disable('x-powered-by')
-app.use(bodyParser.json({ limit: '100mb' }))
+app.use(bodyParser.json({ limit: maxAttachmentSize }))
+app.use(bodyParser.urlencoded({ limit: maxAttachmentSize, extended: true }))
 app.use('/', routes)
 
 restoreSessions()
diff --git a/src/config.js b/src/config.js
@@ -6,10 +6,12 @@ const sessionFolderPath = process.env.SESSIONS_PATH || './sessions'
 const enableLocalCallbackExample = process.env.ENABLE_LOCAL_CALLBACK_EXAMPLE === 'TRUE'
 const globalApiKey = process.env.API_KEY
 const baseWebhookURL = process.env.BASE_WEBHOOK_URL
+const maxAttachmentSize = process.env.MAX_ATTACHMENT_SIZE || 10000000
 
 module.exports = {
   sessionFolderPath,
   enableLocalCallbackExample,
   globalApiKey,
-  baseWebhookURL
+  baseWebhookURL,
+  maxAttachmentSize
 }
diff --git a/src/middleware.js b/src/middleware.js
@@ -1,6 +1,7 @@
 const { globalApiKey } = require('./config')
 const { sendErrorResponse } = require('./utils')
 const { validateSession } = require('./sessions')
+const rateLimiter = require('express-rate-limit')
 
 // Middleware for securing endpoints with API key
 const apikeyMiddleware = (req, res, next) => {
@@ -21,7 +22,14 @@ const sessionValidationMiddleware = async (req, res, next) => {
   next()
 }
 
+const rateLimiterMiddleware = rateLimiter({
+  max: 100,
+  windowMS: 1000, // 10 seconds
+  message: "You can't make any more requests at the moment. Try again later"
+})
+
 module.exports = {
   sessionValidationMiddleware,
-  apikeyMiddleware
+  apikeyMiddleware,
+  rateLimiterMiddleware
 }
diff --git a/src/routes.js b/src/routes.js
@@ -2,7 +2,7 @@ const { MessageMedia } = require('whatsapp-web.js')
 const fs = require('fs')
 const routes = require('express').Router()
 const qrcode = require('qrcode-terminal')
-const { apikeyMiddleware, sessionValidationMiddleware } = require('./middleware')
+const { apikeyMiddleware, sessionValidationMiddleware, rateLimiterMiddleware } = require('./middleware')
 const { sessionFolderPath, enableLocalCallbackExample } = require('./config')
 const { sessions, setupSession, deleteSession, validateSession } = require('./sessions')
 const { sendErrorResponse } = require('./utils')
@@ -18,7 +18,7 @@ routes.get('/ping', (req, res) => {
 
 // API basic callback
 if (enableLocalCallbackExample) {
-  routes.post('/localCallbackExample', apikeyMiddleware, (req, res) => {
+  routes.post('/localCallbackExample', [apikeyMiddleware, rateLimiterMiddleware], (req, res) => {
     try {
       const { sessionId, dataType, data } = req.body
       if (dataType === 'qr') { qrcode.generate(data.qr, { small: true }) }
diff --git a/src/sessions.js b/src/sessions.js
@@ -1,7 +1,7 @@
 const { Client, LocalAuth } = require('whatsapp-web.js')
 const fs = require('fs')
 const sessions = new Map()
-const { sessionFolderPath } = require('./config')
+const { sessionFolderPath, maxAttachmentSize } = require('./config')
 const { triggerWebhook } = require('./utils')
 
 // Function to validate if the session is ready
@@ -111,8 +111,12 @@ async function setupSession (sessionId) {
     client.on('message', async (message) => {
       triggerWebhook(sessionId, 'message', { message })
       if (message.hasMedia) {
-        const media = await message.downloadMedia()
-        triggerWebhook(sessionId, 'media', { media })
+        if (message._data && message._data.size && message._data.size < maxAttachmentSize) {
+          const media = await message.downloadMedia()
+          triggerWebhook(sessionId, 'media', { media })
+        } else {
+          console.log('Attachment too large')
+        }
       }
     })
 
@@ -153,6 +157,9 @@ async function setupSession (sessionId) {
 
 // Function to check if folder is writeable
 const deleteSessionFolder = (sessionId) => {
+  if (!/^[a-zA-Z0-9]+$/.test(sessionId)) {
+    throw new Error('Invalid sessionId')
+  }
   fs.rmSync(`${sessionFolderPath}/session-${sessionId}`, { recursive: true, force: true }, async err => {
     console.log(err)
     await new Promise(resolve => setTimeout(resolve, 200))
diff --git a/tests/api.test.js b/tests/api.test.js
@@ -29,6 +29,9 @@ describe('API health checks', () => {
       .send({ sessionId: '1', dataType: 'testDataType', data: 'testData' })
     expect(response.status).toBe(200)
     expect(response.body).toEqual({ success: true })
+
+    await new Promise(resolve => setTimeout(resolve, 1000))
+
     expect(fs.existsSync('./sessions_test/message_log.txt')).toBe(true)
     expect(fs.readFileSync('./sessions_test/message_log.txt', 'utf-8')).toEqual('(1) testDataType: "testData"\r\n')
   })
