authorChocobozzz <me@florianbigard.com>2018-03-29 10:58:24 +0200
committerChocobozzz <me@florianbigard.com>2018-03-29 11:03:30 +0200
commit490b595a01c5824ff63ffb87f0efdfca95f4bf3b (patch)
tree3ad716fbb97a8b4ee946ad907202b82934a33d7c /server/controllers/api
parent23f4c3d412974fa5fda52589d1192e098e260f1a (diff)
Prevent brute force login attack
Diffstat (limited to 'server/controllers/api')
-rw-r--r--server/controllers/api/users.ts14
-rw-r--r--server/controllers/api/videos/index.ts2
2 files changed, 13 insertions, 3 deletions
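--- a/server/controllers/api/users.ts
+++ b/server/controllers/api/users.ts
@@ -2,12 +2,13 @@ import * as express from 'express'
 import 'multer'
 import { extname, join } from 'path'
 import * as uuidv4 from 'uuid/v4'
+import * as RateLimit from 'express-rate-limit'
 import { UserCreate, UserRight, UserRole, UserUpdate, UserUpdateMe, UserVideoRate as FormattedUserVideoRate } from '../../../shared'
 import { retryTransactionWrapper } from '../../helpers/database-utils'
 import { processImage } from '../../helpers/image-utils'
 import { logger } from '../../helpers/logger'
 import { createReqFiles, getFormattedObjects } from '../../helpers/utils'
-import { AVATARS_SIZE, CONFIG, IMAGE_MIMETYPE_EXT, sequelizeTypescript } from '../../initializers'
+import { AVATARS_SIZE, CONFIG, IMAGE_MIMETYPE_EXT, RATES_LIMIT, sequelizeTypescript } from '../../initializers'
 import { updateActorAvatarInstance } from '../../lib/activitypub'
 import { sendUpdateActor } from '../../lib/activitypub/send'
 import { Emailer } from '../../lib/emailer'
@@ -43,6 +44,11 @@ import { OAuthTokenModel } from '../../models/oauth/oauth-token'
 import { VideoModel } from '../../models/video/video'
 
 const reqAvatarFile = createReqFiles([ 'avatarfile' ], IMAGE_MIMETYPE_EXT, { avatarfile: CONFIG.STORAGE.AVATARS_DIR })
+const loginRateLimiter = new RateLimit({
+  windowMs: RATES_LIMIT.LOGIN.WINDOW_MS,
+  max: RATES_LIMIT.LOGIN.MAX,
+  delayMs: 0
+})
 
 const usersRouter = express.Router()
 
@@ -136,7 +142,11 @@ usersRouter.post('/:id/reset-password',
   asyncMiddleware(resetUserPassword)
 )
 
-usersRouter.post('/token', token, success)
+usersRouter.post('/token',
+  loginRateLimiter,
+  token,
+  success
+)
 // TODO: Once https://github.com/oauthjs/node-oauth2-server/pull/289 is merged, implement revoke token route
 
 // ---------------------------------------------------------------------------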
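Review bot: The new `loginRateLimiter` (second hunk) is keyed on the client address as Express reports it, so what it actually throttles depends on the app's `trust proxy` setting, which this commit does not touch: behind a reverse proxy with the default setting every client shares the proxy's address and the login limit becomes a single global counter, while with an unconditionally permissive setting the counted address comes from a client-supplied header. The same dependency applies to the `req.ip` change in server/controllers/api/videos/index.ts. The limiter is also constructed without a `store`, so counters presumably live in process memory, are not shared between server processes and reset on restart — worth stating next to the constant, e.g. `// Throttles POST /token per client address (as seen by Express, so 'trust proxy' matters); counters are per-process and in-memory`. `delayMs: 0` presumably disables the progressive slowdown older express-rate-limit releases enabled by default; if the installed version has dropped that option the line is dead and should be removed.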
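--- a/server/controllers/api/videos/index.ts
+++ b/server/controllers/api/videos/index.ts
@@ -353,7 +353,7 @@ function getVideo (req: express.Request, res: express.Response) {
 async function viewVideo (req: express.Request, res: express.Response) {
   const videoInstance = res.locals.video
 
-  const ip = req.headers['x-real-ip'] as string || req.ip
+  const ip = req.ip
   const exists = await Redis.Instance.isViewExists(ip, videoInstance.uuid)
   if (exists) {
     logger.debug('View for ip %s and video %s already exists.', ip, videoInstance.uuid)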
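Review bot: Nothing on the changed line records why the `x-real-ip` fallback was dropped, and the next maintainer who sees every view attributed to the proxy address may simply put it back; a comment would preserve the reasoning: `// Use req.ip, not a request header: headers are client-controlled, req.ip follows the app's 'trust proxy' setting`. viewVideo's body continues past the end of the hunk.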