
Add rate limiter #8

Open
hsjoberg opened this issue Feb 2, 2021 · 2 comments

hsjoberg (Owner) commented Feb 2, 2021

https://github.com/fastify/fastify-rate-limit

sesam (Contributor) commented Feb 28, 2021

Rate limiting means paying in memory usage to prevent putting too much pressure on underlying services, and/or to ensure that a few misbehaving users do not prevent other well-behaved users from accessing the service.

In case some dunder endpoints are more expensive for the backend to process, it might make sense to handle limiting per endpoint. But that also means higher memory usage.

Use the smallest acceptable timeWindow to minimize memory usage. If multiple external IPs are sending too many requests, it will typically be necessary to do rate limiting on a dedicated machine.

hsjoberg (Owner, Author) commented

@sesam Thanks for your comments on this one.

Yes, the rationale was to prevent DoS attacks. Although this defense is of course pretty weak and should be addressed at higher levels such as the ISP, it's at least something.

As /register will add a database record, I don't want it to be wide open to attacks. Although it's pretty easy to just "prune" all old timed-out requests (a request expires after 10 minutes), so not a big deal really.

> In case some dunder endpoints are more expensive for the backend to process, it might make sense to handle limiting per endpoint. But that also means higher memory usage.

Register is probably a lot more expensive than the rest, but I would suggest to just rate-limit everything.
