fix: rate limiting + upload-binary body-parser bypass + OSS upload route - Increase global rate limit 100->300 req/min - Add /api/ai/chat dedicated limiter 60 req/min - Add req._body=true middleware to skip JSON parser for upload-binary - Add busboy binary upload route + MIME type extensions

src/index.js

@@ -57,10 +57,10 @@ async function main() {
   // CORS
   app.use(cors(buildCorsOptions()))
 
-  // Rate limiting: global (100 req/min per IP)
+  // Rate limiting: global (300 req/min per IP)
   const globalLimiter = rateLimit({
     windowMs: 60 * 1000,
-    max: 100,
+    max: 300,
     standardHeaders: true,
     legacyHeaders: false,
     message: { error: '请求过于频繁，请稍后再试' },
@@ -90,6 +90,19 @@ async function main() {
   app.use('/api/ai/image', aiGenerationLimiter)
   app.use('/api/ai/video', aiGenerationLimiter)
 
+  // Rate limiting: AI chat endpoint (60 req/min per IP — ecommerce flows need ~7 sequential calls)
+  const aiChatLimiter = rateLimit({
+    windowMs: 60 * 1000,
+    max: 60,
+    standardHeaders: true,
+    legacyHeaders: false,
+    message: { error: 'AI对话请求过于频繁，请稍后再试' },
+  })
+  app.use('/api/ai/chat', aiChatLimiter)
+
+
+  // Skip JSON body-parser for binary upload routes (busboy handles multipart parsing)
+  app.use('/api/oss/upload-binary', (req, res, next) => { req._body = true; next(); })
   // JSON body limit: 5MB globally (upload routes override locally)
   app.use('/api/oss/upload', express.json({ limit: '200mb' }))
   app.use(express.json({ limit: process.env.JSON_BODY_LIMIT || '5mb' }))