@stamhoofd/backend 2.15.0 → 2.17.0

package/.env.template.json

@@ -61,5 +61,6 @@
     "NOLT_SSO_SECRET_KEY": "",
     "INTERNAL_SECRET_KEY": "",
     "CRONS_DISABLED": false,
-    "WHITELISTED_EMAIL_DESTINATIONS": ["*"]
+    "WHITELISTED_EMAIL_DESTINATIONS": ["*"],
+    "CACHE_PATH": "<fill in a safe path exlusive for Stamhoofd to store cached files>"
 }

package/index.ts

@@ -9,8 +9,8 @@ import { Version } from '@stamhoofd/structures';
 import { sleep } from "@stamhoofd/utility";
 
 import { areCronsRunning, crons, stopCronScheduling } from './src/crons';
-import { ContextMiddleware } from "./src/middleware/ContextMiddleware";
 import { resumeEmails } from "./src/helpers/EmailResumer";
+import { ContextMiddleware } from "./src/middleware/ContextMiddleware";
 
 process.on("unhandledRejection", (error: Error) => {
     console.error("unhandledRejection");
@@ -80,6 +80,13 @@ const start = async () => {
     // Add CORS headers
     routerServer.addResponseMiddleware(CORSMiddleware)
 
+    // Register Excel loaders
+    await import('./src/excel-loaders/members');
+    await import('./src/excel-loaders/payments');
+
+    // Register Email Recipient loaders
+    await import('./src/email-recipient-loaders/members');
+
     routerServer.listen(STAMHOOFD.PORT ?? 9090);
 
     resumeEmails().catch(console.error);
@@ -106,6 +113,13 @@ const start = async () => {
         stopCronScheduling();
         clearInterval(cronInterval)
 
+        if (STAMHOOFD.environment === 'development') {
+            setTimeout(() => {
+                console.error("Forcing exit after 5 seconds")
+                process.exit(1);
+            }, 5000);
+        }
+
         try {
             await routerServer.close()
             console.log("HTTP server stopped");

package/package.json

@@ -1,6 +1,6 @@
 {
     "name": "@stamhoofd/backend",
-    "version": "2.15.0",
+    "version": "2.17.0",
     "main": "./dist/index.js",
     "exports": {
         ".": {
@@ -32,17 +32,19 @@
     },
     "dependencies": {
         "@mollie/api-client": "3.7.0",
-        "@simonbackx/simple-database": "1.24.0",
-        "@simonbackx/simple-endpoints": "1.13.0",
+        "@simonbackx/simple-database": "1.25.0",
+        "@simonbackx/simple-encoding": "2.15.0",
+        "@simonbackx/simple-endpoints": "1.14.0",
         "@simonbackx/simple-logging": "^1.0.1",
-        "@stamhoofd/backend-i18n": "^2.13.0",
-        "@stamhoofd/backend-middleware": "^2.13.0",
-        "@stamhoofd/email": "^2.13.0",
-        "@stamhoofd/models": "^2.13.0",
-        "@stamhoofd/queues": "^2.13.0",
-        "@stamhoofd/sql": "^2.13.0",
-        "@stamhoofd/structures": "^2.15.0",
-        "@stamhoofd/utility": "^2.13.0",
+        "@stamhoofd/backend-i18n": "^2.17.0",
+        "@stamhoofd/backend-middleware": "^2.17.0",
+        "@stamhoofd/email": "^2.17.0",
+        "@stamhoofd/models": "^2.17.0",
+        "@stamhoofd/queues": "^2.17.0",
+        "@stamhoofd/sql": "^2.17.0",
+        "@stamhoofd/structures": "^2.17.0",
+        "@stamhoofd/utility": "^2.17.0",
+        "archiver": "^7.0.1",
         "aws-sdk": "^2.885.0",
         "axios": "1.6.8",
         "cookie": "^0.5.0",
@@ -58,5 +60,5 @@
         "postmark": "4.0.2",
         "stripe": "^16.6.0"
     },
-    "gitHead": "e5b597cd9e149990b2eefb31d61480f4c0333b35"
+    "gitHead": "5f940486646acd12e23e96a750bc12ca2be4df44"
 }

package/src/email-recipient-loaders/members.ts

@@ -0,0 +1,61 @@
+import { Email } from "@stamhoofd/models";
+import { SQL } from "@stamhoofd/sql";
+import { EmailRecipientFilterType, LimitedFilteredRequest, PaginatedResponse, mergeFilters } from "@stamhoofd/structures";
+import { GetMembersEndpoint } from "../endpoints/global/members/GetMembersEndpoint";
+
+Email.recipientLoaders.set(EmailRecipientFilterType.Members, {
+    fetch: async (query: LimitedFilteredRequest) => {
+        const result = await GetMembersEndpoint.buildData(query)
+
+        return new PaginatedResponse({
+            results: result.results.members.flatMap(m => m.getEmailRecipients(['member'])),
+            next: result.next
+        });
+    },
+
+    count: async (query: LimitedFilteredRequest) => {
+        query.filter = mergeFilters([query.filter, {
+            'email': {
+                $neq: null
+            }
+        }])
+        const q = await GetMembersEndpoint.buildQuery(query)
+        return await q.count();
+    }
+});
+
+Email.recipientLoaders.set(EmailRecipientFilterType.MemberParents, {
+    fetch: async (query: LimitedFilteredRequest) => {
+        const result = await GetMembersEndpoint.buildData(query)
+
+        return new PaginatedResponse({
+            results: result.results.members.flatMap(m => m.getEmailRecipients(['parents'])),
+            next: result.next
+        });
+    },
+
+    count: async (query: LimitedFilteredRequest) => {
+        const q = await GetMembersEndpoint.buildQuery(query)
+        return await q.sum(
+            SQL.jsonLength(SQL.column('details'), '$.value.parents[*].email')
+        );
+    }
+});
+
+Email.recipientLoaders.set(EmailRecipientFilterType.MemberUnverified, {
+    fetch: async (query: LimitedFilteredRequest) => {
+        const result = await GetMembersEndpoint.buildData(query)
+
+        return new PaginatedResponse({
+            results: result.results.members.flatMap(m => m.getEmailRecipients(['unverified'])),
+            next: result.next
+        });
+    },
+
+    count: async (query: LimitedFilteredRequest) => {
+        const q = await GetMembersEndpoint.buildQuery(query)
+        return await q.sum(
+            SQL.jsonLength(SQL.column('details'), '$.value.unverifiedEmails')
+        );
+    }
+});

package/src/endpoints/admin/memberships/GetChargeMembershipsSummaryEndpoint.ts

@@ -1,5 +1,5 @@
 import { DecodedRequest, Endpoint, Request, Response } from '@simonbackx/simple-endpoints';
-import { SQL, SQLAlias, SQLSum, SQLCount, SQLDistinct, SQLSelectAs } from '@stamhoofd/sql';
+import { SQL, SQLAlias, SQLCount, SQLDistinct, SQLSelectAs, SQLSum } from '@stamhoofd/sql';
 import { ChargeMembershipsSummary, ChargeMembershipsTypeSummary } from '@stamhoofd/structures';
 import { Context } from '../../../helpers/Context';
 

package/src/endpoints/admin/organizations/GetOrganizationsEndpoint.ts

@@ -3,199 +3,21 @@ import { Decoder } from '@simonbackx/simple-encoding';
 import { DecodedRequest, Endpoint, Request, Response } from '@simonbackx/simple-endpoints';
 import { SimpleError } from '@simonbackx/simple-errors';
 import { Organization } from '@stamhoofd/models';
-import { SQL, SQLConcat, SQLFilterDefinitions, SQLNow, SQLNull, SQLOrderBy, SQLOrderByDirection, SQLScalar, SQLSortDefinitions, SQLWhereEqual, SQLWhereOr, SQLWhereSign, baseSQLFilterCompilers, compileToSQLFilter, compileToSQLSorter, createSQLColumnFilterCompiler, createSQLExpressionFilterCompiler, createSQLRelationFilterCompiler } from "@stamhoofd/sql";
+import { SQL, compileToSQLFilter, compileToSQLSorter } from "@stamhoofd/sql";
 import { CountFilteredRequest, LimitedFilteredRequest, Organization as OrganizationStruct, PaginatedResponse, PermissionLevel, StamhoofdFilter, getSortFilter } from '@stamhoofd/structures';
 
 import { AuthenticatedStructures } from '../../../helpers/AuthenticatedStructures';
 import { Context } from '../../../helpers/Context';
+import { organizationFilterCompilers } from '../../../sql-filters/organizations';
+import { organizationSorters } from '../../../sql-sorters/organizations';
 
 type Params = Record<string, never>;
 type Query = LimitedFilteredRequest;
 type Body = undefined;
 type ResponseBody = PaginatedResponse<OrganizationStruct[], LimitedFilteredRequest>
 
-export const filterCompilers: SQLFilterDefinitions = {
-    ...baseSQLFilterCompilers,
-    id: createSQLExpressionFilterCompiler(
-        SQL.column('organizations', 'id')
-    ),
-    uri: createSQLExpressionFilterCompiler(
-        SQL.column('organizations', 'uri')
-    ),
-    name: createSQLExpressionFilterCompiler(
-        SQL.column('organizations', 'name')
-    ),
-    active: createSQLExpressionFilterCompiler(
-        SQL.column('organizations', 'active')
-    ),
-    city: createSQLExpressionFilterCompiler(
-        SQL.jsonValue(SQL.column('organizations', 'address'), '$.value.city'),
-        {isJSONValue: true}
-    ),
-    country: createSQLExpressionFilterCompiler(
-        SQL.jsonValue(SQL.column('organizations', 'address'), '$.value.country'),
-        {isJSONValue: true}
-    ),
-    umbrellaOrganization: createSQLExpressionFilterCompiler(
-        SQL.jsonValue(SQL.column('organizations', 'meta'), '$.value.umbrellaOrganization'),
-        {isJSONValue: true}
-    ),
-    type: createSQLExpressionFilterCompiler(
-        SQL.jsonValue(SQL.column('organizations', 'meta'), '$.value.type'),
-        {isJSONValue: true}
-    ),
-    tags: createSQLExpressionFilterCompiler(
-        SQL.jsonValue(SQL.column('organizations', 'meta'), '$.value.tags'),
-        {isJSONValue: true, isJSONObject: true}
-    ),
-    packages: createSQLRelationFilterCompiler(
-        SQL.select().from(
-            SQL.table('stamhoofd_packages')
-        ).where(
-            SQL.column('organizationId'),
-            SQL.column('organizations', 'id'),
-        )
-        .andWhere(
-            SQL.column('validAt'),
-            SQLWhereSign.NotEqual,
-            new SQLNull()
-        ).andWhere(
-            new SQLWhereOr([
-                new SQLWhereEqual(
-                    SQL.column('validUntil'),
-                    SQLWhereSign.Equal,
-                    new SQLNull()
-                ),
-                new SQLWhereEqual(
-                    SQL.column('validUntil'),
-                    SQLWhereSign.Greater,
-                    new SQLNow()
-                )
-            ])
-        ).andWhere(
-            new SQLWhereOr([
-                new SQLWhereEqual(
-                    SQL.column('removeAt'),
-                    SQLWhereSign.Equal,
-                    new SQLNull()
-                ),
-                new SQLWhereEqual(
-                    SQL.column('removeAt'),
-                    SQLWhereSign.Greater,
-                    new SQLNow()
-                )
-            ])
-        ),
-
-        // const pack1 = await STPackage.where({ organizationId, validAt: { sign: "!=", value: null }, removeAt: { sign: ">", value: new Date() }})
-        // const pack2 = await STPackage.where({ organizationId, validAt: { sign: "!=", value: null }, removeAt: null })
-        {
-            ...baseSQLFilterCompilers,
-            "type": createSQLExpressionFilterCompiler(
-                SQL.jsonValue(SQL.column('meta'), '$.value.type'),
-                {isJSONValue: true}
-            )
-        }
-    ),
-    members: createSQLRelationFilterCompiler(
-        SQL.select().from(
-            SQL.table('members')
-        ).join(
-            SQL.join(
-                SQL.table('registrations')
-            ).where(
-                SQL.column('members', 'id'),
-                SQL.column('registrations', 'memberId')
-            )
-        ).where(
-            SQL.column('registrations', 'organizationId'),
-            SQL.column('organizations', 'id'),
-        ),
-
-        {
-            ...baseSQLFilterCompilers,
-            name: createSQLExpressionFilterCompiler(
-                new SQLConcat(
-                    SQL.column('firstName'),
-                    new SQLScalar(' '),
-                    SQL.column('lastName'),
-                )
-            ),
-            "firstName": createSQLColumnFilterCompiler('firstName'),
-            "lastName": createSQLColumnFilterCompiler('lastName'),
-            "email": createSQLColumnFilterCompiler('email')
-        }
-    ),
-}
-
-const sorters: SQLSortDefinitions<Organization> = {
-    'id': {
-        getValue(a) {
-            return a.id
-        },
-        toSQL: (direction: SQLOrderByDirection): SQLOrderBy => {
-            return new SQLOrderBy({
-                column: SQL.column('id'),
-                direction
-            })
-        }
-    },
-    'name': {
-        getValue(a) {
-            return a.name
-        },
-        toSQL: (direction: SQLOrderByDirection): SQLOrderBy => {
-            return new SQLOrderBy({
-                column: SQL.column('name'),
-                direction
-            })
-        }
-    },
-    'uri': {
-        getValue(a) {
-            return a.uri
-        },
-        toSQL: (direction: SQLOrderByDirection): SQLOrderBy => {
-            return new SQLOrderBy({
-                column: SQL.column('uri'),
-                direction
-            })
-        }
-    },
-    'type': {
-        getValue(a) {
-            return a.meta.type
-        },
-        toSQL: (direction: SQLOrderByDirection): SQLOrderBy => {
-            return new SQLOrderBy({
-                column: SQL.jsonValue(SQL.column('meta'), '$.value.type'),
-                direction
-            })
-        }
-    },
-    'city': {
-        getValue(a) {
-            return a.address.city
-        },
-        toSQL: (direction: SQLOrderByDirection): SQLOrderBy => {
-            return new SQLOrderBy({
-                column: SQL.jsonValue(SQL.column('address'), '$.value.city'),
-                direction
-            })
-        }
-    },
-    'country': {
-        getValue(a) {
-            return a.address.country
-        },
-        toSQL: (direction: SQLOrderByDirection): SQLOrderBy => {
-            return new SQLOrderBy({
-                column: SQL.jsonValue(SQL.column('address'), '$.value.country'),
-                direction
-            })
-        }
-    }
-}
+const sorters = organizationSorters
+const filterCompilers = organizationFilterCompilers
 
 export class GetOrganizationsEndpoint extends Endpoint<Params, Query, Body, ResponseBody> {
     queryDecoder = LimitedFilteredRequest as Decoder<LimitedFilteredRequest>

package/src/endpoints/global/files/ExportToExcelEndpoint.ts

@@ -0,0 +1,163 @@
+/* eslint-disable @typescript-eslint/no-unsafe-argument */
+import { Decoder, EncodableObject } from '@simonbackx/simple-encoding';
+import { DecodedRequest, Endpoint, Request, Response } from '@simonbackx/simple-endpoints';
+import { SimpleError } from '@simonbackx/simple-errors';
+import { Email } from '@stamhoofd/email';
+import { ArchiverWriterAdapter, exportToExcel, XlsxTransformerSheet, XlsxWriter } from '@stamhoofd/excel-writer';
+import { getEmailBuilderForTemplate, Platform, RateLimiter } from '@stamhoofd/models';
+import { EmailTemplateType, ExcelExportRequest, ExcelExportResponse, ExcelExportType, LimitedFilteredRequest, PaginatedResponse, Recipient, Replacement } from '@stamhoofd/structures';
+import { sleep } from "@stamhoofd/utility";
+import { Context } from '../../../helpers/Context';
+import { fetchToAsyncIterator } from '../../../helpers/fetchToAsyncIterator';
+import { FileCache } from '../../../helpers/FileCache';
+
+type Params = { type: string };
+type Query = undefined;
+type Body = ExcelExportRequest;
+type ResponseBody = ExcelExportResponse;
+
+type ExcelExporter<T extends EncodableObject> = {
+    fetch(request: LimitedFilteredRequest): Promise<PaginatedResponse<T[], LimitedFilteredRequest>>
+    sheets: XlsxTransformerSheet<T, unknown>[]
+}
+
+export const limiter = new RateLimiter({
+    limits: [
+        {   
+            // Max 200 per day
+            limit: 200,
+            duration: 60 * 1000 * 60 * 24
+        }
+    ]
+});
+
+export class ExportToExcelEndpoint extends Endpoint<Params, Query, Body, ResponseBody> {
+    bodyDecoder = ExcelExportRequest as Decoder<ExcelExportRequest>
+
+    // Other endpoints can register exports here
+    static loaders: Map<ExcelExportType, ExcelExporter<EncodableObject>> = new Map()
+
+    protected doesMatch(request: Request): [true, Params] | [false] {
+        if (request.method != "POST") {
+            return [false];
+        }
+
+        const params = Endpoint.parseParameters(request.url, "/export/excel/@type", {type: String});
+
+        if (params) {
+            return [true, params as Params];
+        }
+        return [false];
+    }
+
+    async handle(request: DecodedRequest<Params, Query, Body>) {
+        const organization = await Context.setOptionalOrganizationScope();
+        const {user} = await Context.authenticate()
+
+        if (user.isApiUser) {
+            throw new SimpleError({
+                code: "not_allowed",
+                message: "API users are not allowed to export to Excel. The Excel export endpoint has a side effect of sending e-mails. Please use normal API endpoints to get the data you need.",
+                statusCode: 403
+            })
+        }
+
+        const loader = ExportToExcelEndpoint.loaders.get(request.params.type as ExcelExportType);
+        
+        if (!loader) {
+            throw new SimpleError({
+                code: "invalid_type",
+                message: "Invalid type " + request.params.type,
+                statusCode: 400
+            })
+        }
+
+        limiter.track(user.id, 1);
+        let sendEmail = false;
+
+        await Platform.getSharedStruct();
+
+        const result = await Promise.race([
+            this.job(loader, request.body, request.params.type).then(async (url: string) => {
+                if (sendEmail) {
+                    const builder = await getEmailBuilderForTemplate(organization, {
+                        template: {
+                            type: EmailTemplateType.ExcelExportSucceeded
+                        },
+                        recipients: [
+                            user.createRecipient(Replacement.create({
+                                token: 'downloadUrl',
+                                value: url
+                            }))
+                        ],
+                        from: Email.getInternalEmailFor(Context.i18n)
+                    })
+            
+                    if (builder) {
+                        Email.schedule(builder)
+                    }
+
+                }
+
+                return url;
+            }).catch(async (error) => {
+                if (sendEmail) {
+                    const builder = await getEmailBuilderForTemplate(organization, {
+                        template: {
+                            type: EmailTemplateType.ExcelExportFailed
+                        },
+                        recipients: [
+                            user.createRecipient()
+                        ],
+                        from: Email.getInternalEmailFor(Context.i18n)
+                    })
+            
+                    if (builder) {
+                        Email.schedule(builder)
+                    }
+                }
+                throw error
+            }),
+            sleep(3000)
+        ])
+
+        if (typeof result === 'string') {
+            return new Response(ExcelExportResponse.create({
+                url: result
+            }))
+        }
+        
+        // We'll send an e-mail
+        // Let the job know to send an e-mail when it is done
+        sendEmail = true;
+
+        return new Response(ExcelExportResponse.create({
+            url: null
+        }))
+    }
+
+    async job(loader: ExcelExporter<EncodableObject>, request: ExcelExportRequest, type: string): Promise<string> {
+        // Estimate how long it will take.
+        // If too long, we'll schedule it and write it to Digitalocean Spaces
+        // Otherwise we'll just return the file directly
+        const {file, stream} = await FileCache.getWriteStream('.xlsx');
+
+        const zipWriterAdapter = new ArchiverWriterAdapter(stream);
+        const writer = new XlsxWriter(zipWriterAdapter);
+
+        // Limit to pages of 100
+        request.filter.limit = 100;
+
+        await exportToExcel({
+            definitions: loader.sheets,
+            writer,
+            dataGenerator: fetchToAsyncIterator(request.filter, loader),
+            filter: request.workbookFilter
+        })
+
+        console.log('Done writing excel file')
+
+        const url = 'https://'+ STAMHOOFD.domains.api + '/file-cache?file=' + encodeURIComponent(file) + '&name=' + encodeURIComponent(type)
+        return url;
+    }
+}

package/src/endpoints/global/files/GetFileCache.ts

@@ -0,0 +1,69 @@
+/* eslint-disable @typescript-eslint/no-unsafe-argument */
+import { AutoEncoder, Decoder, field, StringDecoder } from '@simonbackx/simple-encoding';
+import { DecodedRequest, Endpoint, Request, Response } from '@simonbackx/simple-endpoints';
+import { Readable } from 'node:stream';
+import { Context } from '../../../helpers/Context';
+import { FileCache } from '../../../helpers/FileCache';
+import { Formatter } from '@stamhoofd/utility';
+import { RateLimiter } from '@stamhoofd/models';
+
+type Params = Record<never, never>;
+class Query extends AutoEncoder {
+    @field({ decoder: StringDecoder})
+    file: string
+
+    @field({ decoder: StringDecoder, optional: true })
+    name?: string
+}
+
+type Body = undefined;
+type ResponseBody = Readable;
+
+export const limiter = new RateLimiter({
+    limits: [
+        {   
+            // Max 200 per day
+            limit: 200,
+            duration: 60 * 1000 * 60 * 24
+        }
+    ]
+});
+
+export class GetFileCache extends Endpoint<Params, Query, Body, ResponseBody> {
+    queryDecoder = Query as Decoder<Query>
+
+    protected doesMatch(request: Request): [true, Params] | [false] {
+        if (request.method != "GET") {
+            return [false];
+        }
+
+        const params = Endpoint.parseParameters(request.url, "/file-cache", {});
+
+        if (params) {
+            return [true, params as Params];
+        }
+        return [false];
+    }
+
+    async handle(request: DecodedRequest<Params, Query, Body>) {
+        await Context.setOptionalOrganizationScope();
+
+        limiter.track(request.request.getIP(), 1);
+
+        // Return readable stream
+        const {stream, contentLength, extension} = await FileCache.read(request.query.file, 1);
+
+        const response = new Response(stream);
+        response.headers['Content-Type'] = 'application/octet-stream';
+
+        if (request.query.name) {
+            const slug = Formatter.fileSlug(request.query.name) + extension;
+            response.headers['Content-Disposition'] = `attachment; filename="${slug}"`;
+        } else {
+            response.headers['Content-Disposition'] = `attachment; filename="bestand${extension}"`;
+        }
+        response.headers['Content-Length'] = contentLength.toString();
+
+        return response;
+    }
+}

package/src/endpoints/global/files/UploadFile.ts

@@ -9,6 +9,7 @@ import { promises as fs } from "fs";
 import { v4 as uuidv4 } from "uuid";
 
 import { Context } from '../../../helpers/Context';
+import { limiter } from './UploadImage';
 
 type Params = Record<string, never>;
 type Query = {};
@@ -50,7 +51,7 @@ export class UploadFile extends Endpoint<Params, Query, Body, ResponseBody> {
 
     async handle(request: DecodedRequest<Params, Query, Body>) {
         await Context.setOptionalOrganizationScope()
-        await Context.authenticate();
+        const {user} = await Context.authenticate();
 
         if (!Context.auth.canUpload()) {
             throw Context.auth.error()
@@ -68,6 +69,8 @@ export class UploadFile extends Endpoint<Params, Query, Body, ResponseBody> {
             throw new Error("Not supported without real request")
         }
 
+        limiter.track(user.id, 1);
+
         const form = formidable({ maxFileSize: 20 * 1024 * 1024, maxFields: 1, keepExtensions: true });
         const file = await new Promise<FormidableFile>((resolve, reject) => {
             if (!request.request.request) {

package/src/endpoints/global/files/UploadImage.ts

@@ -2,7 +2,7 @@
 import { Decoder, ObjectData } from '@simonbackx/simple-encoding';
 import { DecodedRequest, Endpoint, Request, Response } from '@simonbackx/simple-endpoints';
 import { SimpleError } from '@simonbackx/simple-errors';
-import { Image } from '@stamhoofd/models';
+import { Image, RateLimiter } from '@stamhoofd/models';
 import { Image as ImageStruct, ResolutionRequest } from '@stamhoofd/structures';
 import formidable from 'formidable';
 import { promises as fs } from "fs";
@@ -31,6 +31,16 @@ interface FormidableFile {
   mimetype: string | null;
 }
 
+export const limiter = new RateLimiter({
+    limits: [
+        {   
+            // Max 50 per hour
+            limit: 50,
+            duration: 60 * 1000 * 60
+        }
+    ]
+});
+
 export class UploadImage extends Endpoint<Params, Query, Body, ResponseBody> {    
     protected doesMatch(request: Request): [true, Params] | [false] {
         if (request.method != "POST") {
@@ -48,7 +58,7 @@ export class UploadImage extends Endpoint<Params, Query, Body, ResponseBody> {
 
     async handle(request: DecodedRequest<Params, Query, Body>) {
         await Context.setOptionalOrganizationScope()
-        await Context.authenticate();
+        const {user} = await Context.authenticate();
 
         if (!Context.auth.canUpload()) {
             throw Context.auth.error()
@@ -66,6 +76,8 @@ export class UploadImage extends Endpoint<Params, Query, Body, ResponseBody> {
             throw new Error("Not supported without real request")
         }
 
+        limiter.track(user.id, 1);
+
         const form = formidable({ 
             maxFileSize: 5 * 1024 * 1024, 
             keepExtensions: true,