From 490b595a01c5824ff63ffb87f0efdfca95f4bf3b Mon Sep 17 00:00:00 2001
From: Chocobozzz <me@florianbigard.com>
Date: Thu, 29 Mar 2018 10:58:24 +0200
Subject: Prevent brute force login attack

---
 server/controllers/api/users.ts        | 14 ++++++++++++--
 server/controllers/api/videos/index.ts |  2 +-
 2 files changed, 13 insertions(+), 3 deletions(-)

(limited to 'server/controllers')

diff --git a/server/controllers/api/users.ts b/server/controllers/api/users.ts
index 583376c38..5e96d789e 100644
--- a/server/controllers/api/users.ts
+++ b/server/controllers/api/users.ts
@@ -2,12 +2,13 @@ import * as express from 'express'
 import 'multer'
 import { extname, join } from 'path'
 import * as uuidv4 from 'uuid/v4'
+import * as RateLimit from 'express-rate-limit'
 import { UserCreate, UserRight, UserRole, UserUpdate, UserUpdateMe, UserVideoRate as FormattedUserVideoRate } from '../../../shared'
 import { retryTransactionWrapper } from '../../helpers/database-utils'
 import { processImage } from '../../helpers/image-utils'
 import { logger } from '../../helpers/logger'
 import { createReqFiles, getFormattedObjects } from '../../helpers/utils'
-import { AVATARS_SIZE, CONFIG, IMAGE_MIMETYPE_EXT, sequelizeTypescript } from '../../initializers'
+import { AVATARS_SIZE, CONFIG, IMAGE_MIMETYPE_EXT, RATES_LIMIT, sequelizeTypescript } from '../../initializers'
 import { updateActorAvatarInstance } from '../../lib/activitypub'
 import { sendUpdateActor } from '../../lib/activitypub/send'
 import { Emailer } from '../../lib/emailer'
@@ -43,6 +44,11 @@ import { OAuthTokenModel } from '../../models/oauth/oauth-token'
 import { VideoModel } from '../../models/video/video'
 
 const reqAvatarFile = createReqFiles([ 'avatarfile' ], IMAGE_MIMETYPE_EXT, { avatarfile: CONFIG.STORAGE.AVATARS_DIR })
+const loginRateLimiter = new RateLimit({
+  windowMs: RATES_LIMIT.LOGIN.WINDOW_MS,
+  max: RATES_LIMIT.LOGIN.MAX,
+  delayMs: 0
+})
 
 const usersRouter = express.Router()
 
@@ -136,7 +142,11 @@ usersRouter.post('/:id/reset-password',
   asyncMiddleware(resetUserPassword)
 )
 
-usersRouter.post('/token', token, success)
+usersRouter.post('/token',
+  loginRateLimiter,
+  token,
+  success
+)
 // TODO: Once https://github.com/oauthjs/node-oauth2-server/pull/289 is merged, implement revoke token route
 
 // ---------------------------------------------------------------------------
diff --git a/server/controllers/api/videos/index.ts b/server/controllers/api/videos/index.ts
index c0a8ac118..552e5edac 100644
--- a/server/controllers/api/videos/index.ts
+++ b/server/controllers/api/videos/index.ts
@@ -353,7 +353,7 @@ function getVideo (req: express.Request, res: express.Response) {
 async function viewVideo (req: express.Request, res: express.Response) {
   const videoInstance = res.locals.video
 
-  const ip = req.headers['x-real-ip'] as string || req.ip
+  const ip = req.ip
   const exists = await Redis.Instance.isViewExists(ip, videoInstance.uuid)
   if (exists) {
     logger.debug('View for ip %s and video %s already exists.', ip, videoInstance.uuid)
-- 
cgit v1.2.3