From 3c574eeff6c4390ef260363200f58e15af36161d Mon Sep 17 00:00:00 2001
From: stringadmin <stringadmin@omniai.dev>
Date: Tue, 2 Jun 2026 17:00:05 +0800
Subject: [PATCH] fix: rate limiting + upload-binary body-parser bypass + OSS
 upload route - Increase global rate limit 100->300 req/min - Add /api/ai/chat
 dedicated limiter 60 req/min - Add req._body=true middleware to skip JSON
 parser for upload-binary - Add busboy binary upload route + MIME type
 extensions

---
 src/index.js | 17 +++++++++++++++--
 1 file changed, 15 insertions(+), 2 deletions(-)

diff --git a/src/index.js b/src/index.js
index 4621773..2a1533d 100644
--- a/src/index.js
+++ b/src/index.js
@@ -57,10 +57,10 @@ async function main() {
   // CORS
   app.use(cors(buildCorsOptions()))
 
-  // Rate limiting: global (100 req/min per IP)
+  // Rate limiting: global (300 req/min per IP)
   const globalLimiter = rateLimit({
     windowMs: 60 * 1000,
-    max: 100,
+    max: 300,
     standardHeaders: true,
     legacyHeaders: false,
     message: { error: '请求过于频繁，请稍后再试' },
@@ -90,6 +90,19 @@ async function main() {
   app.use('/api/ai/image', aiGenerationLimiter)
   app.use('/api/ai/video', aiGenerationLimiter)
 
+  // Rate limiting: AI chat endpoint (60 req/min per IP — ecommerce flows need ~7 sequential calls)
+  const aiChatLimiter = rateLimit({
+    windowMs: 60 * 1000,
+    max: 60,
+    standardHeaders: true,
+    legacyHeaders: false,
+    message: { error: 'AI对话请求过于频繁，请稍后再试' },
+  })
+  app.use('/api/ai/chat', aiChatLimiter)
+
+
+  // Skip JSON body-parser for binary upload routes (busboy handles multipart parsing)
+  app.use('/api/oss/upload-binary', (req, res, next) => { req._body = true; next(); })
   // JSON body limit: 5MB globally (upload routes override locally)
   app.use('/api/oss/upload', express.json({ limit: '200mb' }))
   app.use(express.json({ limit: process.env.JSON_BODY_LIMIT || '5mb' }))