From c1340a6ac35f924161e6ec2a1d728e20c89e55c8 Mon Sep 17 00:00:00 2001 From: Chocobozzz Date: Thu, 4 Jul 2019 16:42:40 +0200 Subject: Add rate limit to registration and API endpoints --- server/controllers/api/index.ts | 10 ++++++++++ server/controllers/api/users/index.ts | 18 +++++++++++++----- 2 files changed, 23 insertions(+), 5 deletions(-) (limited to 'server/controllers') diff --git a/server/controllers/api/index.ts b/server/controllers/api/index.ts index 60a84036e..ea2615e28 100644 --- a/server/controllers/api/index.ts +++ b/server/controllers/api/index.ts @@ -1,4 +1,5 @@ import * as express from 'express' +import * as RateLimit from 'express-rate-limit' import { configRouter } from './config' import { jobsRouter } from './jobs' import { oauthClientsRouter } from './oauth-clients' @@ -12,6 +13,7 @@ import * as cors from 'cors' import { searchRouter } from './search' import { overviewsRouter } from './overviews' import { videoPlaylistRouter } from './video-playlist' +import { CONFIG } from '../../initializers/config' const apiRouter = express.Router() @@ -21,6 +23,14 @@ apiRouter.use(cors({ credentials: true })) +// FIXME: https://github.com/nfriedly/express-rate-limit/issues/138 +// @ts-ignore +const apiRateLimiter = RateLimit({ + windowMs: CONFIG.RATES_LIMIT.API.WINDOW_MS, + max: CONFIG.RATES_LIMIT.API.MAX +}) +apiRouter.use(apiRateLimiter) + apiRouter.use('/server', serverRouter) apiRouter.use('/oauth-clients', oauthClientsRouter) apiRouter.use('/config', configRouter) diff --git a/server/controllers/api/users/index.ts b/server/controllers/api/users/index.ts index c1d72087c..63747a0a9 100644 --- a/server/controllers/api/users/index.ts +++ b/server/controllers/api/users/index.ts @@ -3,7 +3,7 @@ import * as RateLimit from 'express-rate-limit' import { UserCreate, UserRight, UserRole, UserUpdate } from '../../../../shared' import { logger } from '../../../helpers/logger' import { getFormattedObjects } from '../../../helpers/utils' -import { RATES_LIMIT, WEBSERVER } from '../../../initializers/constants' +import { WEBSERVER } from '../../../initializers/constants' import { Emailer } from '../../../lib/emailer' import { Redis } from '../../../lib/redis' import { createUserAccountAndChannelAndPlaylist, sendVerifyUserEmail } from '../../../lib/user' @@ -53,14 +53,21 @@ const auditLogger = auditLoggerFactory('users') // FIXME: https://github.com/nfriedly/express-rate-limit/issues/138 // @ts-ignore const loginRateLimiter = RateLimit({ - windowMs: RATES_LIMIT.LOGIN.WINDOW_MS, - max: RATES_LIMIT.LOGIN.MAX + windowMs: CONFIG.RATES_LIMIT.LOGIN.WINDOW_MS, + max: CONFIG.RATES_LIMIT.LOGIN.MAX +}) + +// @ts-ignore +const signupRateLimiter = RateLimit({ + windowMs: CONFIG.RATES_LIMIT.SIGNUP.WINDOW_MS, + max: CONFIG.RATES_LIMIT.SIGNUP.MAX, + skipFailedRequests: true }) // @ts-ignore const askSendEmailLimiter = new RateLimit({ - windowMs: RATES_LIMIT.ASK_SEND_EMAIL.WINDOW_MS, - max: RATES_LIMIT.ASK_SEND_EMAIL.MAX + windowMs: CONFIG.RATES_LIMIT.ASK_SEND_EMAIL.WINDOW_MS, + max: CONFIG.RATES_LIMIT.ASK_SEND_EMAIL.MAX }) const usersRouter = express.Router() @@ -114,6 +121,7 @@ usersRouter.post('/', ) usersRouter.post('/register', + signupRateLimiter, asyncMiddleware(ensureUserRegistrationAllowed), ensureUserRegistrationAllowedForIP, asyncMiddleware(usersRegisterValidator), -- cgit v1.2.3