Set trmnl ip cache to 24 hours, re-enable rate limiting, allow trmnl worker ips max auth rate limit as authenticated

asubowo · asubowo · commit 9022267fd874 · 2026-01-08T20:15:44.000-05:00
diff --git a/src/auth/trmnlAuth.ts b/src/auth/trmnlAuth.ts
@@ -8,7 +8,7 @@ let cachedIPs: Set<string> | null = null
 let cachedAtMs = 0
 let inFlight: Promise<Set<string>> | null = null
 
-const TRMNL_TTL_IPS_MS = 10 * 60 * 1000 // 10 minute cache
+const TRMNL_TTL_IPS_MS = 24 * 60 * 60 * 1000 // 24hr cache
 
 // Disallow TRMNL worker IP bypass by default
 const TRMNL_IP_ALLOW_BYPASS: boolean = (process.env.TRMNL_IP_AUTH_ALLOW_PRIVATE === 'true')
@@ -98,6 +98,7 @@ export const trmnlAuthByIP: RequestHandler = async (req: Request, res: Response,
     if (TRMNL_IP_ALLOW_BYPASS) {
       logger.warn('[AUTH] Bypassing TRMNL worker IP check')
       next()
+      return
     }
 
     // NOTE: Some worker IPs can be ipv6 based. No normalization is done here.
@@ -118,7 +119,7 @@ export const trmnlAuthByIP: RequestHandler = async (req: Request, res: Response,
   }
 }
 
-async function getTRMNLIPs(): Promise<Set<string>> {
+export async function getTRMNLIPs(): Promise<Set<string>> {
   const now = Date.now()
 
   if (cachedIPs && now - cachedAtMs < TRMNL_TTL_IPS_MS) {
diff --git a/src/server.ts b/src/server.ts
@@ -60,7 +60,7 @@ server.set('trust proxy', 1)
 
 logger.info('Setting up middleware...')
 server.use(helmet())
-//server.use(rateLimiter)
+server.use(rateLimiter)
 server.use(express.json())
 // Declare regular REST API routing
 logger.info('Initializing routes...')
diff --git a/src/utils/rateLimiter.ts b/src/utils/rateLimiter.ts
@@ -1,7 +1,21 @@
 import rateLimit, { RateLimitRequestHandler } from 'express-rate-limit'
 import { logger } from './logger.js'
 import { Request, Response } from 'express'
+import { getTRMNLIPs } from '../auth/trmnlAuth.js'
 
+let ips: Set<string> = new Set()
+
+async function refreshTRMNLIPs() {
+  ips = await getTRMNLIPs()
+}
+
+function isTrmnlWorkerIp(ip: string) {
+  return ips.has(ip)
+}
+
+// warm up trmnl worker ips and refresh every 24 hours
+refreshTRMNLIPs()
+setInterval(() => void refreshTRMNLIPs(), 24 * 60 * 60 * 1000).unref()
 
 function getClientIp(req: Request): string {
   const h = req.headers['cf-connecting-ip']
@@ -20,6 +34,10 @@ export const rateLimiter: RateLimitRequestHandler = rateLimit({
   limit: (req: Request): number => {
     const ip = getClientIp(req)
     const sub = getAuthSub(req)
+    if (isTrmnlWorkerIp(ip)) {
+      logger.info(`Rate limit check for TRMNL IP: ${ip}`)
+      return 60
+    }
     logger.info(`Rate limit check for ${sub ? 'authenticated' : 'anon'} - ${ip}`)
     return sub ? 60 : 5
   },

Original file line number	Diff line number	Diff line change
`@@ -8,7 +8,7 @@ let cachedIPs: Set<string> \| null = null`
`8`	`8`	`let cachedAtMs = 0`
`9`	`9`	`let inFlight: Promise<Set<string>> \| null = null`
`10`	`10`
`11`		`-const TRMNL_TTL_IPS_MS = 10 * 60 * 1000 // 10 minute cache`
	`11`	`+const TRMNL_TTL_IPS_MS = 24 * 60 * 60 * 1000 // 24hr cache`
`12`	`12`
`13`	`13`	`// Disallow TRMNL worker IP bypass by default`
`14`	`14`	`const TRMNL_IP_ALLOW_BYPASS: boolean = (process.env.TRMNL_IP_AUTH_ALLOW_PRIVATE === 'true')`
`@@ -98,6 +98,7 @@ export const trmnlAuthByIP: RequestHandler = async (req: Request, res: Response,`
`98`	`98`	`if (TRMNL_IP_ALLOW_BYPASS) {`
`99`	`99`	`logger.warn('[AUTH] Bypassing TRMNL worker IP check')`
`100`	`100`	`next()`
	`101`	`+ return`
`101`	`102`	`}`
`102`	`103`
`103`	`104`	`// NOTE: Some worker IPs can be ipv6 based. No normalization is done here.`
`@@ -118,7 +119,7 @@ export const trmnlAuthByIP: RequestHandler = async (req: Request, res: Response,`
`118`	`119`	`}`
`119`	`120`	`}`
`120`	`121`
`121`		`-async function getTRMNLIPs(): Promise<Set<string>> {`
	`122`	`+export async function getTRMNLIPs(): Promise<Set<string>> {`
`122`	`123`	`const now = Date.now()`
`123`	`124`
`124`	`125`	`if (cachedIPs && now - cachedAtMs < TRMNL_TTL_IPS_MS) {`