From 490b595a01c5824ff63ffb87f0efdfca95f4bf3b Mon Sep 17 00:00:00 2001
From: Chocobozzz
Date: Thu, 29 Mar 2018 10:58:24 +0200
Subject: Prevent brute force login attack
---
 server/controllers/api/users.ts | 14 ++++++++++++--
 server/controllers/api/videos/index.ts | 2 +-
 2 files changed, 13 insertions(+), 3 deletions(-)
(limited to 'server/controllers/api')
diff --git a/server/controllers/api/users.ts b/server/controllers/api/users.ts
index 583376c38..5e96d789e 100644
--- a/server/controllers/api/users.ts
+++ b/server/controllers/api/users.ts
@@ -2,12 +2,13 @@ import * as express from 'express'
 import 'multer'
 import { extname, join } from 'path'
 import * as uuidv4 from 'uuid/v4'
+import * as RateLimit from 'express-rate-limit'
 import { UserCreate, UserRight, UserRole, UserUpdate, UserUpdateMe, UserVideoRate as FormattedUserVideoRate } from '../../../shared'
 import { retryTransactionWrapper } from '../../helpers/database-utils'
 import { processImage } from '../../helpers/image-utils'
 import { logger } from '../../helpers/logger'
 import { createReqFiles, getFormattedObjects } from '../../helpers/utils'
-import { AVATARS_SIZE, CONFIG, IMAGE_MIMETYPE_EXT, sequelizeTypescript } from '../../initializers'
+import { AVATARS_SIZE, CONFIG, IMAGE_MIMETYPE_EXT, RATES_LIMIT, sequelizeTypescript } from '../../initializers'
 import { updateActorAvatarInstance } from '../../lib/activitypub'
 import { sendUpdateActor } from '../../lib/activitypub/send'
 import { Emailer } from '../../lib/emailer'
@@ -43,6 +44,11 @@ import { OAuthTokenModel } from '../../models/oauth/oauth-token'
 import { VideoModel } from '../../models/video/video'
 const reqAvatarFile = createReqFiles([ 'avatarfile' ], IMAGE_MIMETYPE_EXT, { avatarfile: CONFIG.STORAGE.AVATARS_DIR })
+const loginRateLimiter = new RateLimit({
+ windowMs: RATES_LIMIT.LOGIN.WINDOW_MS,
+ max: RATES_LIMIT.LOGIN.MAX,
+ delayMs: 0
+})
 const usersRouter = express.Router()
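Review bot: `loginRateLimiter` keys on `req.ip` by the library default, so unless the application configures Express `trust proxy` for the reverse proxy in front of it, every client behind that proxy shares one bucket of `RATES_LIMIT.LOGIN.MAX` attempts per window and one misbehaving client exhausts it for everybody; the same dependency on `trust proxy` now applies to `const ip = req.ip` in the viewVideo hunk of videos/index.ts, where the explicit `x-real-ip` fallback was removed. The library's default store is in-memory, so the counter is per process and resets on restart (library default, not visible here — confirm the deployment runs a single instance or that this is acceptable). A comment above the constant would record both assumptions: `// Keyed on req.ip: needs 'trust proxy' behind a reverse proxy. In-memory store, so the limit is per process.`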
@@ -136,7 +142,11 @@ usersRouter.post('/:id/reset-password',
 asyncMiddleware(resetUserPassword)
 )
-usersRouter.post('/token', token, success)
+usersRouter.post('/token',
+ loginRateLimiter,
+ token,
+ success
+)
 // TODO: Once https://github.com/oauthjs/node-oauth2-server/pull/289 is merged, implement revoke token route
 // ---------------------------------------------------------------------------
diff --git a/server/controllers/api/videos/index.ts b/server/controllers/api/videos/index.ts
index c0a8ac118..552e5edac 100644
--- a/server/controllers/api/videos/index.ts
+++ b/server/controllers/api/videos/index.ts
@@ -353,7 +353,7 @@ function getVideo (req: express.Request, res: express.Response) {
 async function viewVideo (req: express.Request, res: express.Response) {
 const videoInstance = res.locals.video
- const ip = req.headers['x-real-ip'] as string || req.ip
+ const ip = req.ip
 const exists = await Redis.Instance.isViewExists(ip, videoInstance.uuid)
 if (exists) {
 logger.debug('View for ip %s and video %s already exists.', ip, videoInstance.uuid)
-- cgit v1.2.3
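Review bot: The limiter placed in front of `/token` counts every request to the endpoint, not only failed logins, so successful sign-ins and — if the OAuth `token` middleware also serves refresh-token grants, which this route does not show — token refreshes draw from the same window as brute-force attempts, and a small `RATES_LIMIT.LOGIN.MAX` can block users who are already authenticated. If the installed express-rate-limit version supports it, `skipSuccessfulRequests: true` on the limiter would confine the count to failed attempts; otherwise the trade-off should be stated above the route, e.g. `// Rate limited per source IP; successful logins and refreshes count too`. Rejected requests now get the library's default status (429 in current releases), a new failure mode for API clients that the change does not document anywhere.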