diff options
author | Chocobozzz <me@florianbigard.com> | 2022-05-30 11:33:38 +0200 |
---|---|---|
committer | Chocobozzz <me@florianbigard.com> | 2022-05-30 11:39:44 +0200 |
commit | e5a781ec25191c0dbb4a991f25307732d798619d (patch) | |
tree | a407404628bfeaefea24757b768a25166ca74739 /server | |
parent | f823637d1810351f87835db38145ef99df63e403 (diff) | |
download | PeerTube-e5a781ec25191c0dbb4a991f25307732d798619d.tar.gz PeerTube-e5a781ec25191c0dbb4a991f25307732d798619d.tar.zst PeerTube-e5a781ec25191c0dbb4a991f25307732d798619d.zip |
Bypass rate limits for admins and moderators
Diffstat (limited to 'server')
-rw-r--r-- | server/controllers/api/index.ts | 4 | ||||
-rw-r--r-- | server/controllers/api/users/index.ts | 8 | ||||
-rw-r--r-- | server/controllers/api/users/token.ts | 5 | ||||
-rw-r--r-- | server/middlewares/index.ts | 1 | ||||
-rw-r--r-- | server/middlewares/rate-limiter.ts | 31 | ||||
-rw-r--r-- | server/tests/api/server/reverse-proxy.ts | 11 |
6 files changed, 50 insertions, 10 deletions
diff --git a/server/controllers/api/index.ts b/server/controllers/api/index.ts index 5f49336b1..d1d4ef765 100644 --- a/server/controllers/api/index.ts +++ b/server/controllers/api/index.ts | |||
@@ -1,6 +1,6 @@ | |||
1 | import cors from 'cors' | 1 | import cors from 'cors' |
2 | import express from 'express' | 2 | import express from 'express' |
3 | import RateLimit from 'express-rate-limit' | 3 | import { buildRateLimiter } from '@server/middlewares' |
4 | import { HttpStatusCode } from '../../../shared/models' | 4 | import { HttpStatusCode } from '../../../shared/models' |
5 | import { badRequest } from '../../helpers/express-utils' | 5 | import { badRequest } from '../../helpers/express-utils' |
6 | import { CONFIG } from '../../initializers/config' | 6 | import { CONFIG } from '../../initializers/config' |
@@ -29,7 +29,7 @@ apiRouter.use(cors({ | |||
29 | credentials: true | 29 | credentials: true |
30 | })) | 30 | })) |
31 | 31 | ||
32 | const apiRateLimiter = RateLimit({ | 32 | const apiRateLimiter = buildRateLimiter({ |
33 | windowMs: CONFIG.RATES_LIMIT.API.WINDOW_MS, | 33 | windowMs: CONFIG.RATES_LIMIT.API.WINDOW_MS, |
34 | max: CONFIG.RATES_LIMIT.API.MAX | 34 | max: CONFIG.RATES_LIMIT.API.MAX |
35 | }) | 35 | }) |
diff --git a/server/controllers/api/users/index.ts b/server/controllers/api/users/index.ts index e13e31aaf..46e80d56d 100644 --- a/server/controllers/api/users/index.ts +++ b/server/controllers/api/users/index.ts | |||
@@ -1,5 +1,4 @@ | |||
1 | import express from 'express' | 1 | import express from 'express' |
2 | import RateLimit from 'express-rate-limit' | ||
3 | import { tokensRouter } from '@server/controllers/api/users/token' | 2 | import { tokensRouter } from '@server/controllers/api/users/token' |
4 | import { Hooks } from '@server/lib/plugins/hooks' | 3 | import { Hooks } from '@server/lib/plugins/hooks' |
5 | import { OAuthTokenModel } from '@server/models/oauth/oauth-token' | 4 | import { OAuthTokenModel } from '@server/models/oauth/oauth-token' |
@@ -17,9 +16,11 @@ import { Notifier } from '../../../lib/notifier' | |||
17 | import { Redis } from '../../../lib/redis' | 16 | import { Redis } from '../../../lib/redis' |
18 | import { buildUser, createUserAccountAndChannelAndPlaylist, sendVerifyUserEmail } from '../../../lib/user' | 17 | import { buildUser, createUserAccountAndChannelAndPlaylist, sendVerifyUserEmail } from '../../../lib/user' |
19 | import { | 18 | import { |
19 | adminUsersSortValidator, | ||
20 | asyncMiddleware, | 20 | asyncMiddleware, |
21 | asyncRetryTransactionMiddleware, | 21 | asyncRetryTransactionMiddleware, |
22 | authenticate, | 22 | authenticate, |
23 | buildRateLimiter, | ||
23 | ensureUserHasRight, | 24 | ensureUserHasRight, |
24 | ensureUserRegistrationAllowed, | 25 | ensureUserRegistrationAllowed, |
25 | ensureUserRegistrationAllowedForIP, | 26 | ensureUserRegistrationAllowedForIP, |
@@ -32,7 +33,6 @@ import { | |||
32 | usersListValidator, | 33 | usersListValidator, |
33 | usersRegisterValidator, | 34 | usersRegisterValidator, |
34 | usersRemoveValidator, | 35 | usersRemoveValidator, |
35 | adminUsersSortValidator, | ||
36 | usersUpdateValidator | 36 | usersUpdateValidator |
37 | } from '../../../middlewares' | 37 | } from '../../../middlewares' |
38 | import { | 38 | import { |
@@ -54,13 +54,13 @@ import { myVideoPlaylistsRouter } from './my-video-playlists' | |||
54 | 54 | ||
55 | const auditLogger = auditLoggerFactory('users') | 55 | const auditLogger = auditLoggerFactory('users') |
56 | 56 | ||
57 | const signupRateLimiter = RateLimit({ | 57 | const signupRateLimiter = buildRateLimiter({ |
58 | windowMs: CONFIG.RATES_LIMIT.SIGNUP.WINDOW_MS, | 58 | windowMs: CONFIG.RATES_LIMIT.SIGNUP.WINDOW_MS, |
59 | max: CONFIG.RATES_LIMIT.SIGNUP.MAX, | 59 | max: CONFIG.RATES_LIMIT.SIGNUP.MAX, |
60 | skipFailedRequests: true | 60 | skipFailedRequests: true |
61 | }) | 61 | }) |
62 | 62 | ||
63 | const askSendEmailLimiter = RateLimit({ | 63 | const askSendEmailLimiter = buildRateLimiter({ |
64 | windowMs: CONFIG.RATES_LIMIT.ASK_SEND_EMAIL.WINDOW_MS, | 64 | windowMs: CONFIG.RATES_LIMIT.ASK_SEND_EMAIL.WINDOW_MS, |
65 | max: CONFIG.RATES_LIMIT.ASK_SEND_EMAIL.MAX | 65 | max: CONFIG.RATES_LIMIT.ASK_SEND_EMAIL.MAX |
66 | }) | 66 | }) |
diff --git a/server/controllers/api/users/token.ts b/server/controllers/api/users/token.ts index 258b50fe9..012a49791 100644 --- a/server/controllers/api/users/token.ts +++ b/server/controllers/api/users/token.ts | |||
@@ -1,18 +1,17 @@ | |||
1 | import express from 'express' | 1 | import express from 'express' |
2 | import RateLimit from 'express-rate-limit' | ||
3 | import { logger } from '@server/helpers/logger' | 2 | import { logger } from '@server/helpers/logger' |
4 | import { CONFIG } from '@server/initializers/config' | 3 | import { CONFIG } from '@server/initializers/config' |
5 | import { getAuthNameFromRefreshGrant, getBypassFromExternalAuth, getBypassFromPasswordGrant } from '@server/lib/auth/external-auth' | 4 | import { getAuthNameFromRefreshGrant, getBypassFromExternalAuth, getBypassFromPasswordGrant } from '@server/lib/auth/external-auth' |
6 | import { handleOAuthToken } from '@server/lib/auth/oauth' | 5 | import { handleOAuthToken } from '@server/lib/auth/oauth' |
7 | import { BypassLogin, revokeToken } from '@server/lib/auth/oauth-model' | 6 | import { BypassLogin, revokeToken } from '@server/lib/auth/oauth-model' |
8 | import { Hooks } from '@server/lib/plugins/hooks' | 7 | import { Hooks } from '@server/lib/plugins/hooks' |
9 | import { asyncMiddleware, authenticate, openapiOperationDoc } from '@server/middlewares' | 8 | import { asyncMiddleware, authenticate, buildRateLimiter, openapiOperationDoc } from '@server/middlewares' |
10 | import { buildUUID } from '@shared/extra-utils' | 9 | import { buildUUID } from '@shared/extra-utils' |
11 | import { ScopedToken } from '@shared/models/users/user-scoped-token' | 10 | import { ScopedToken } from '@shared/models/users/user-scoped-token' |
12 | 11 | ||
13 | const tokensRouter = express.Router() | 12 | const tokensRouter = express.Router() |
14 | 13 | ||
15 | const loginRateLimiter = RateLimit({ | 14 | const loginRateLimiter = buildRateLimiter({ |
16 | windowMs: CONFIG.RATES_LIMIT.LOGIN.WINDOW_MS, | 15 | windowMs: CONFIG.RATES_LIMIT.LOGIN.WINDOW_MS, |
17 | max: CONFIG.RATES_LIMIT.LOGIN.MAX | 16 | max: CONFIG.RATES_LIMIT.LOGIN.MAX |
18 | }) | 17 | }) |
diff --git a/server/middlewares/index.ts b/server/middlewares/index.ts index d2ed079b6..b40f864ce 100644 --- a/server/middlewares/index.ts +++ b/server/middlewares/index.ts | |||
@@ -4,6 +4,7 @@ export * from './activitypub' | |||
4 | export * from './async' | 4 | export * from './async' |
5 | export * from './auth' | 5 | export * from './auth' |
6 | export * from './pagination' | 6 | export * from './pagination' |
7 | export * from './rate-limiter' | ||
7 | export * from './robots' | 8 | export * from './robots' |
8 | export * from './servers' | 9 | export * from './servers' |
9 | export * from './sort' | 10 | export * from './sort' |
diff --git a/server/middlewares/rate-limiter.ts b/server/middlewares/rate-limiter.ts new file mode 100644 index 000000000..bc9513969 --- /dev/null +++ b/server/middlewares/rate-limiter.ts | |||
@@ -0,0 +1,31 @@ | |||
1 | import { UserRole } from '@shared/models' | ||
2 | import RateLimit from 'express-rate-limit' | ||
3 | import { optionalAuthenticate } from './auth' | ||
4 | |||
5 | const whitelistRoles = new Set([ UserRole.ADMINISTRATOR, UserRole.MODERATOR ]) | ||
6 | |||
7 | function buildRateLimiter (options: { | ||
8 | windowMs: number | ||
9 | max: number | ||
10 | skipFailedRequests?: boolean | ||
11 | }) { | ||
12 | return RateLimit({ | ||
13 | windowMs: options.windowMs, | ||
14 | max: options.max, | ||
15 | skipFailedRequests: options.skipFailedRequests, | ||
16 | |||
17 | handler: (req, res, next, options) => { | ||
18 | return optionalAuthenticate(req, res, () => { | ||
19 | if (res.locals.authenticated === true && whitelistRoles.has(res.locals.oauth.token.User.role)) { | ||
20 | return next() | ||
21 | } | ||
22 | |||
23 | return res.status(options.statusCode).send(options.message) | ||
24 | }) | ||
25 | } | ||
26 | }) | ||
27 | } | ||
28 | |||
29 | export { | ||
30 | buildRateLimiter | ||
31 | } | ||
diff --git a/server/tests/api/server/reverse-proxy.ts b/server/tests/api/server/reverse-proxy.ts index fa2063536..0a1565faf 100644 --- a/server/tests/api/server/reverse-proxy.ts +++ b/server/tests/api/server/reverse-proxy.ts | |||
@@ -7,6 +7,7 @@ import { cleanupTests, createSingleServer, PeerTubeServer, setAccessTokensToServ | |||
7 | 7 | ||
8 | describe('Test application behind a reverse proxy', function () { | 8 | describe('Test application behind a reverse proxy', function () { |
9 | let server: PeerTubeServer | 9 | let server: PeerTubeServer |
10 | let userAccessToken: string | ||
10 | let videoId: string | 11 | let videoId: string |
11 | 12 | ||
12 | before(async function () { | 13 | before(async function () { |
@@ -34,6 +35,8 @@ describe('Test application behind a reverse proxy', function () { | |||
34 | server = await createSingleServer(1, config) | 35 | server = await createSingleServer(1, config) |
35 | await setAccessTokensToServers([ server ]) | 36 | await setAccessTokensToServers([ server ]) |
36 | 37 | ||
38 | userAccessToken = await server.users.generateUserAndToken('user') | ||
39 | |||
37 | const { uuid } = await server.videos.upload() | 40 | const { uuid } = await server.videos.upload() |
38 | videoId = uuid | 41 | videoId = uuid |
39 | }) | 42 | }) |
@@ -93,7 +96,7 @@ describe('Test application behind a reverse proxy', function () { | |||
93 | it('Should rate limit logins', async function () { | 96 | it('Should rate limit logins', async function () { |
94 | const user = { username: 'root', password: 'fail' } | 97 | const user = { username: 'root', password: 'fail' } |
95 | 98 | ||
96 | for (let i = 0; i < 19; i++) { | 99 | for (let i = 0; i < 18; i++) { |
97 | await server.login.login({ user, expectedStatus: HttpStatusCode.BAD_REQUEST_400 }) | 100 | await server.login.login({ user, expectedStatus: HttpStatusCode.BAD_REQUEST_400 }) |
98 | } | 101 | } |
99 | 102 | ||
@@ -141,6 +144,12 @@ describe('Test application behind a reverse proxy', function () { | |||
141 | await server.videos.get({ id: videoId, expectedStatus: HttpStatusCode.TOO_MANY_REQUESTS_429 }) | 144 | await server.videos.get({ id: videoId, expectedStatus: HttpStatusCode.TOO_MANY_REQUESTS_429 }) |
142 | }) | 145 | }) |
143 | 146 | ||
147 | it('Should rate limit API calls with a user but not with an admin', async function () { | ||
148 | await server.videos.get({ id: videoId, token: userAccessToken, expectedStatus: HttpStatusCode.TOO_MANY_REQUESTS_429 }) | ||
149 | |||
150 | await server.videos.get({ id: videoId, token: server.accessToken, expectedStatus: HttpStatusCode.OK_200 }) | ||
151 | }) | ||
152 | |||
144 | after(async function () { | 153 | after(async function () { |
145 | await cleanupTests([ server ]) | 154 | await cleanupTests([ server ]) |
146 | }) | 155 | }) |