From b6867d1b74297c38f02713fdc86f9d3e5104fe2b Mon Sep 17 00:00:00 2001
From: Amit Moryossef
Date: Mon, 21 Oct 2024 22:39:46 +0200
Subject: [PATCH] fix(ratelimit): use ip hash instead of ip
---
 functions/src/middlewares/unkey-ratelimit.middleware.ts | 9 ++++++---
 1 file changed, 6 insertions(+), 3 deletions(-)
diff --git a/functions/src/middlewares/unkey-ratelimit.middleware.ts b/functions/src/middlewares/unkey-ratelimit.middleware.ts
index 13b7dd20..c8930c41 100644
--- a/functions/src/middlewares/unkey-ratelimit.middleware.ts
+++ b/functions/src/middlewares/unkey-ratelimit.middleware.ts
@@ -3,6 +3,7 @@ import * as httpErrors from 'http-errors';
 import * as requestIp from 'request-ip';
 import {NextFunction, Request, Response} from 'express';
 import {defineString} from 'firebase-functions/params';
+import {createHash} from 'crypto';
 export function rateLimitHeaders(res: Response, ratelimitResponse: RatelimitResponse, duration?: Duration) {
 res.setHeader('X-RateLimit-Limit', ratelimitResponse.limit.toString());
@@ -14,13 +15,15 @@ export function rateLimitHeaders(res: Response, ratelimitResponse: RatelimitResp
 }
 export function unkeyRatelimit(namespace: string, limit: number, duration: Duration) {
- const unkeyRootKey = defineString('UNKEY_ROOT_KEY');
+ const unkeyRootKey = defineString('UNKEY_ROOT_KEY').value();
 return async function (req: Request, res: Response, next: NextFunction) {
- const identifier = requestIp.getClientIp(req) ?? 'unknown';
+ const rawIdentifier = requestIp.getClientIp(req) ?? 'unknown';
+ const saltedIdentifier = rawIdentifier + unkeyRootKey;
+ const identifier = createHash('sha256').update(saltedIdentifier).digest('hex');
 const rateLimit = new Ratelimit({
- rootKey: unkeyRootKey.value(),
+ rootKey: unkeyRootKey,
 namespace,
 limit,
 duration,
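Review bot: The added `import {createHash} from 'crypto';` pulls in a plain hash, but the only use visible in this patch (the `unkeyRatelimit` hunk below) concatenates a secret, the Unkey root key, into the digest input, which is exactly the job of a keyed hash; prefer `import {createHmac} from 'node:crypto';` and `const identifier = createHmac('sha256', unkeyRootKey).update(rawIdentifier).digest('hex');`. HMAC is the defined construction for "hash this under a secret" rather than an ad-hoc secret-suffix concatenation, and the `node:` prefix makes it unambiguous that the built-in module is imported and not an npm package named `crypto`. Separately, reusing the Unkey root key — the credential that authorises calls to Unkey — as the salt ties identifier derivation to that secret; a dedicated `defineString('RATELIMIT_SALT')` parameter would keep the two purposes apart and let the salt rotate without re-keying the limiter. Note that the hash by itself does not make an IP unrecoverable, since the IPv4 space is small enough to enumerate; only the secret salt prevents that, so it must be treated as sensitive material.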