diff options
| author | Chocobozzz <me@florianbigard.com> | 2023-06-20 14:17:34 +0200 |
|---|---|---|
| committer | Chocobozzz <me@florianbigard.com> | 2023-06-20 14:17:34 +0200 |
| commit | e915cde30ec47258a2beeec5ca748c928b59858c (patch) | |
| tree | f5692ab20c534a61487f3bd471bb6105ed58d88a /server/controllers/api/runners/manage-runners.ts | |
| parent | 923e41fa4f342019298b46e407ea1f0207f74205 (diff) | |
| download | PeerTube-e915cde30ec47258a2beeec5ca748c928b59858c.tar.gz PeerTube-e915cde30ec47258a2beeec5ca748c928b59858c.tar.zst PeerTube-e915cde30ec47258a2beeec5ca748c928b59858c.zip | |
Fix runner api rate limit bypass
Diffstat (limited to 'server/controllers/api/runners/manage-runners.ts')
| -rw-r--r-- | server/controllers/api/runners/manage-runners.ts | 5 |
1 files changed, 5 insertions, 0 deletions
diff --git a/server/controllers/api/runners/manage-runners.ts b/server/controllers/api/runners/manage-runners.ts index eb08c4b1d..be7ebc0b3 100644 --- a/server/controllers/api/runners/manage-runners.ts +++ b/server/controllers/api/runners/manage-runners.ts | |||
| @@ -2,6 +2,7 @@ import express from 'express' | |||
| 2 | import { logger, loggerTagsFactory } from '@server/helpers/logger' | 2 | import { logger, loggerTagsFactory } from '@server/helpers/logger' |
| 3 | import { generateRunnerToken } from '@server/helpers/token-generator' | 3 | import { generateRunnerToken } from '@server/helpers/token-generator' |
| 4 | import { | 4 | import { |
| 5 | apiRateLimiter, | ||
| 5 | asyncMiddleware, | 6 | asyncMiddleware, |
| 6 | authenticate, | 7 | authenticate, |
| 7 | ensureUserHasRight, | 8 | ensureUserHasRight, |
| @@ -19,15 +20,18 @@ const lTags = loggerTagsFactory('api', 'runner') | |||
| 19 | const manageRunnersRouter = express.Router() | 20 | const manageRunnersRouter = express.Router() |
| 20 | 21 | ||
| 21 | manageRunnersRouter.post('/register', | 22 | manageRunnersRouter.post('/register', |
| 23 | apiRateLimiter, | ||
| 22 | asyncMiddleware(registerRunnerValidator), | 24 | asyncMiddleware(registerRunnerValidator), |
| 23 | asyncMiddleware(registerRunner) | 25 | asyncMiddleware(registerRunner) |
| 24 | ) | 26 | ) |
| 25 | manageRunnersRouter.post('/unregister', | 27 | manageRunnersRouter.post('/unregister', |
| 28 | apiRateLimiter, | ||
| 26 | asyncMiddleware(getRunnerFromTokenValidator), | 29 | asyncMiddleware(getRunnerFromTokenValidator), |
| 27 | asyncMiddleware(unregisterRunner) | 30 | asyncMiddleware(unregisterRunner) |
| 28 | ) | 31 | ) |
| 29 | 32 | ||
| 30 | manageRunnersRouter.delete('/:runnerId', | 33 | manageRunnersRouter.delete('/:runnerId', |
| 34 | apiRateLimiter, | ||
| 31 | authenticate, | 35 | authenticate, |
| 32 | ensureUserHasRight(UserRight.MANAGE_RUNNERS), | 36 | ensureUserHasRight(UserRight.MANAGE_RUNNERS), |
| 33 | asyncMiddleware(deleteRunnerValidator), | 37 | asyncMiddleware(deleteRunnerValidator), |
| @@ -35,6 +39,7 @@ manageRunnersRouter.delete('/:runnerId', | |||
| 35 | ) | 39 | ) |
| 36 | 40 | ||
| 37 | manageRunnersRouter.get('/', | 41 | manageRunnersRouter.get('/', |
| 42 | apiRateLimiter, | ||
| 38 | authenticate, | 43 | authenticate, |
| 39 | ensureUserHasRight(UserRight.MANAGE_RUNNERS), | 44 | ensureUserHasRight(UserRight.MANAGE_RUNNERS), |
| 40 | paginationValidator, | 45 | paginationValidator, |