author | Chocobozzz <me@florianbigard.com> | 2018-03-29 10:58:24 +0200 |
---|---|---|
committer | Chocobozzz <me@florianbigard.com> | 2018-03-29 11:03:30 +0200 |
commit | 490b595a01c5824ff63ffb87f0efdfca95f4bf3b (patch) | |
tree | 3ad716fbb97a8b4ee946ad907202b82934a33d7c /server/controllers/api | |
parent | 23f4c3d412974fa5fda52589d1192e098e260f1a (diff) | |
download | PeerTube-490b595a01c5824ff63ffb87f0efdfca95f4bf3b.tar.gz PeerTube-490b595a01c5824ff63ffb87f0efdfca95f4bf3b.tar.zst PeerTube-490b595a01c5824ff63ffb87f0efdfca95f4bf3b.zip |
Prevent brute force login attack
Diffstat (limited to 'server/controllers/api')
-rw-r--r-- | server/controllers/api/users.ts | 14 | ||||
-rw-r--r-- | server/controllers/api/videos/index.ts | 2 |
2 files changed, 13 insertions, 3 deletions
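--- a/server/controllers/api/users.ts
+++ b/server/controllers/api/users.ts
@@ -2,12 +2,13 @@ import * as express from 'express'
 import 'multer'
 import { extname, join } from 'path'
 import * as uuidv4 from 'uuid/v4'
+import * as RateLimit from 'express-rate-limit'
 import { UserCreate, UserRight, UserRole, UserUpdate, UserUpdateMe, UserVideoRate as FormattedUserVideoRate } from '../../../shared'
 import { retryTransactionWrapper } from '../../helpers/database-utils'
 import { processImage } from '../../helpers/image-utils'
 import { logger } from '../../helpers/logger'
 import { createReqFiles, getFormattedObjects } from '../../helpers/utils'
-import { AVATARS_SIZE, CONFIG, IMAGE_MIMETYPE_EXT, sequelizeTypescript } from '../../initializers'
+import { AVATARS_SIZE, CONFIG, IMAGE_MIMETYPE_EXT, RATES_LIMIT, sequelizeTypescript } from '../../initializers'
 import { updateActorAvatarInstance } from '../../lib/activitypub'
 import { sendUpdateActor } from '../../lib/activitypub/send'
 import { Emailer } from '../../lib/emailer'
@@ -43,6 +44,11 @@ import { OAuthTokenModel } from '../../models/oauth/oauth-token'
 import { VideoModel } from '../../models/video/video'
 
 const reqAvatarFile = createReqFiles([ 'avatarfile' ], IMAGE_MIMETYPE_EXT, { avatarfile: CONFIG.STORAGE.AVATARS_DIR })
+const loginRateLimiter = new RateLimit({
+  windowMs: RATES_LIMIT.LOGIN.WINDOW_MS,
+  max: RATES_LIMIT.LOGIN.MAX,
+  delayMs: 0
+})
 
 const usersRouter = express.Router()
 
@@ -136,7 +142,11 @@ usersRouter.post('/:id/reset-password',
   asyncMiddleware(resetUserPassword)
 )
 
-usersRouter.post('/token', token, success)
+usersRouter.post('/token',
+  loginRateLimiter,
+  token,
+  success
+)
 // TODO: Once https://github.com/oauthjs/node-oauth2-server/pull/289 is merged, implement revoke token route
 
 // ---------------------------------------------------------------------------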
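Review bot: The limiter added in front of `token` (the `usersRouter.post('/token', ...)` registration) is keyed by client IP in express-rate-limit's default configuration, so its effect depends on `req.ip` being the real client address; when the instance sits behind a reverse proxy and Express `trust proxy` is not set, every login attempt shares the proxy's IP and one attacker locks all users out of `/token`, while a too-permissive `trust proxy` lets the attacker rotate the limit away via `X-Forwarded-For`. Neither the app-level proxy setting nor `RATES_LIMIT.LOGIN` is visible in this diff, so this should be confirmed where `express()` is configured. A per-IP limit also does nothing against a distributed attack on a single account, so a per-username counter or progressive delay in the `token` handler would complement it. A comment at the `loginRateLimiter` definition would make the assumption explicit: `// Keyed by req.ip: requires 'trust proxy' to be set correctly behind a reverse proxy, and the default store is per-process (not shared across workers).`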
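--- a/server/controllers/api/videos/index.ts
+++ b/server/controllers/api/videos/index.ts
@@ -353,7 +353,7 @@ function getVideo (req: express.Request, res: express.Response) {
 async function viewVideo (req: express.Request, res: express.Response) {
   const videoInstance = res.locals.video
 
-  const ip = req.headers['x-real-ip'] as string || req.ip
+  const ip = req.ip
   const exists = await Redis.Instance.isViewExists(ip, videoInstance.uuid)
   if (exists) {
     logger.debug('View for ip %s and video %s already exists.', ip, videoInstance.uuid)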
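Review bot: Switching the view-deduplication key from the client-supplied `x-real-ip` header to `req.ip` closes the spoofing route (any client could previously inflate view counts by sending a fresh header value per request), but `req.ip` only carries the downstream client address when Express `trust proxy` is configured; behind a reverse proxy without it, every viewer resolves to the proxy's IP and `isViewExists` collapses all views of a video into one. That setting is not visible here, so it should be checked in the Express setup and, if it is set, kept narrow (the proxy's address or hop count) so `X-Forwarded-For` cannot be forged end to end. A short comment would record the dependency: `// req.ip is only the real client address when 'trust proxy' is set for the fronting proxy`. `viewVideo`'s body continues past this hunk.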