feat: rate-limit /api/mcp/app-tool-call per user

Adds mcpAppToolCallLimiter (60 req/min per user) to prevent DoS
amplification through the MCP app iframe tool-call proxy. Follows the
same express-rate-limit + limiterCache + logViolation pattern as
toolCallLimiter.
Dustin Healy 2026-06-23 19:22:25 -07:00
parent 3816864392
commit 3de0512e21
2 changed files with 41 additions and 1 deletions


@ -0,0 +1,33 @@
const rateLimit = require('express-rate-limit');
const { limiterCache } = require('@librechat/api');
const { ViolationTypes } = require('librechat-data-provider');
const logViolation = require('~/cache/logViolation');
const { TOOL_CALL_VIOLATION_SCORE: score } = process.env;
const handler = async (req, res) => {
const type = ViolationTypes.TOOL_CALL_LIMIT;
const errorMessage = {
type,
max: 60,
limiter: 'user',
windowInMinutes: 1,
};
await logViolation(req, res, type, errorMessage, score);
res.status(429).json({ message: 'Too many app tool call requests. Try again later' });
};
const limiterOptions = {
windowMs: 60 * 1000,
max: 60,
handler,
keyGenerator: function (req) {
return req.user?.id;
},
store: limiterCache('mcp_app_tool_call_limiter'),
};
const mcpAppToolCallLimiter = rateLimit(limiterOptions);
module.exports = mcpAppToolCallLimiter;
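Review bot: `keyGenerator` returns `req.user?.id`, which is `undefined` whenever no authenticated user is attached, so every such request would fall into one shared bucket keyed on "undefined" and throttle each other rather than per user; this is harmless while the limiter sits behind `requireJwtAuth` in the router, but a fallback such as `return req.user?.id ?? req.ip;` keeps the middleware safe if it is ever mounted earlier or reused elsewhere. The window and cap are also spelled out twice (`max: 60` / `windowInMinutes: 1` in `errorMessage` and `windowMs: 60 * 1000` / `max: 60` in `limiterOptions`), so lifting them into two module-level constants, e.g. `const MAX_REQUESTS = 60; const WINDOW_MS = 60 * 1000;`, would stop the logged violation from drifting from the enforced limit. Reusing `ViolationTypes.TOOL_CALL_LIMIT` means violations from this limiter and from `toolCallLimiter` are indistinguishable in the violation log; if a distinct type exists or can be added, it would make the app-iframe path separately observable. A one-line header comment naming the policy would help the next reader: `// Per-user limiter for POST /api/mcp/app-tool-call: 60 requests per minute, violations scored via TOOL_CALL_VIOLATION_SCORE.`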


@ -32,6 +32,7 @@ const {
getMCPTools,
} = require('~/server/controllers/mcp');
const { readMCPResource, appToolCall, serveMCPSandbox } = require('~/server/controllers/mcpApps');
const mcpAppToolCallLimiter = require('~/server/middleware/limiters/mcpAppToolCallLimiter');
const {
getOAuthReconnectionManager,
getMCPServersRegistry,
@ -991,7 +992,13 @@ router.post('/resources/read', requireJwtAuth, checkMCPUsePermissions, readMCPRe
* Proxy tool calls from MCP App iframe to MCP server
* @route POST /api/mcp/app-tool-call
*/
router.post('/app-tool-call', requireJwtAuth, checkMCPUsePermissions, appToolCall);
router.post(
'/app-tool-call',
requireJwtAuth,
checkMCPUsePermissions,
mcpAppToolCallLimiter,
appToolCall,
);
/**
* Serve the sandbox proxy HTML for MCP Apps
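Review bot: The JSDoc immediately above the rewritten `router.post('/app-tool-call', …)` registration still describes only the proxying and says nothing about the limit that now guards it, so a reader of the route table cannot see that this endpoint is throttled or at what rate; adding ` * Rate limited per user by mcpAppToolCallLimiter (60 requests/minute).` to that comment block keeps the route documentation in step with the middleware chain. The middleware order (auth, permission check, limiter, controller) is consistent with how the rest of the file appears to wire limiters, and placing the limiter after `requireJwtAuth` is what makes the per-user key in the limiter reliable, which is worth stating in the same comment so a future reorder does not silently break the keying.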