Merge pull request #2976 from omnivore-app/fix/api-tweak-rate-limits
Add a longer rate-limit window (five requests per hour, per IP) on the create-account, email-signup and forgot-password endpoints, and lower the authenticated per-window ceiling in the general API limiter.
@ -46,6 +46,7 @@ import {
|
|||||||
} from './google_auth'
|
} from './google_auth'
|
||||||
import { createWebAuthToken } from './jwt_helpers'
|
import { createWebAuthToken } from './jwt_helpers'
|
||||||
import { createMobileAccountCreationResponse } from './mobile/account_creation'
|
import { createMobileAccountCreationResponse } from './mobile/account_creation'
|
||||||
|
import rateLimit from 'express-rate-limit'
|
||||||
|
|
||||||
export interface SignupRequest {
|
export interface SignupRequest {
|
||||||
email: string
|
email: string
|
||||||
@ -80,6 +81,15 @@ export const isValidSignupRequest = (obj: any): obj is SignupRequest => {
|
|||||||
)
|
)
|
||||||
}
|
}
|
||||||
|
|
||||||
|
// The hourly limiter is used on the create account,
|
||||||
|
// and reset password endpoints
|
||||||
|
// this limits users to five operations per an hour
|
||||||
|
const hourlyLimiter = rateLimit({
|
||||||
|
windowMs: 60 * 60 * 1000,
|
||||||
|
max: 5,
|
||||||
|
skip: (req) => env.dev.isLocal,
|
||||||
|
})
|
||||||
|
|
||||||
export function authRouter() {
|
export function authRouter() {
|
||||||
const router = express.Router()
|
const router = express.Router()
|
||||||
|
|
||||||
@ -108,6 +118,7 @@ export function authRouter() {
|
|||||||
)
|
)
|
||||||
router.post(
|
router.post(
|
||||||
'/create-account',
|
'/create-account',
|
||||||
|
hourlyLimiter,
|
||||||
cors<express.Request>(corsConfig),
|
cors<express.Request>(corsConfig),
|
||||||
async (req, res) => {
|
async (req, res) => {
|
||||||
const { name, bio, username } = req.body
|
const { name, bio, username } = req.body
|
||||||
@ -480,6 +491,7 @@ export function authRouter() {
|
|||||||
|
|
||||||
router.post(
|
router.post(
|
||||||
'/email-signup',
|
'/email-signup',
|
||||||
|
hourlyLimiter,
|
||||||
cors<express.Request>(corsConfig),
|
cors<express.Request>(corsConfig),
|
||||||
async (req: express.Request, res: express.Response) => {
|
async (req: express.Request, res: express.Response) => {
|
||||||
if (!isValidSignupRequest(req.body)) {
|
if (!isValidSignupRequest(req.body)) {
|
||||||
@ -599,6 +611,7 @@ export function authRouter() {
|
|||||||
|
|
||||||
router.post(
|
router.post(
|
||||||
'/forgot-password',
|
'/forgot-password',
|
||||||
|
hourlyLimiter,
|
||||||
cors<express.Request>(corsConfig),
|
cors<express.Request>(corsConfig),
|
||||||
async (req: express.Request, res: express.Response) => {
|
async (req: express.Request, res: express.Response) => {
|
||||||
const email = req.body.email?.trim() as string // trim whitespace
|
const email = req.body.email?.trim() as string // trim whitespace
|
||||||
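Review bot: `hourlyLimiter` (defined in the `@ -80,6 +81,15 @@` hunk of this file) uses express-rate-limit's defaults, so it keys on `req.ip`; if this API runs behind a load balancer without `app.set('trust proxy', …)` every client shares the proxy's address and the whole site gets five sign-ups or reset requests per hour, while an over-broad trust-proxy setting lets a caller rotate `X-Forwarded-For` to step around the limit — neither is visible here, so please confirm the proxy configuration. The default in-memory store is also per-process: with several API replicas the effective budget is 5 × replicas and it resets on every restart, which for `/forgot-password` (which presumably sends a reset e-mail for the submitted address) is the spray budget an attacker gets; a shared store, or a secondary limiter keyed on the trimmed `email` from `req.body`, would make the limit hold. In all three routes the limiter is registered ahead of `cors<express.Request>(corsConfig)`, so a 429 leaves without `Access-Control-Allow-Origin` and the web client sees an opaque network error instead of a response it can explain to the user; swapping the two, `cors<express.Request>(corsConfig), hourlyLimiter,` keeps the 429 readable. Minor: `req` in `skip: (req) => env.dev.isLocal` is unused and could be `skip: () => env.dev.isLocal`.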
|
|||||||
@ -68,7 +68,7 @@ export const createApp = (): {
|
|||||||
const token = getTokenByRequest(req)
|
const token = getTokenByRequest(req)
|
||||||
try {
|
try {
|
||||||
const claims = await getClaimsByToken(token)
|
const claims = await getClaimsByToken(token)
|
||||||
return claims ? 100 : 15
|
return claims ? 60 : 15
|
||||||
} catch (e) {
|
} catch (e) {
|
||||||
console.log('non-authenticated request')
|
console.log('non-authenticated request')
|
||||||
return 15
|
return 15
|
||||||
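Review bot: The `catch` at the end of this hunk logs `non-authenticated request` for every request whose token fails `getClaimsByToken`, so a client sending a bad or expired bearer token at a steady rate floods the log at that rate, and a non-auth failure inside `getClaimsByToken` (whatever it does — its body is outside this hunk) is reported under the same misleading label; consider dropping the unconditional log or logging at debug level with the error message. The PR title says "reduce api rate limit hits", yet this hunk lowers the authenticated ceiling from 100 to 60 while the anonymous 15 stays; unless the limiter's `windowMs` was changed outside this hunk (the enclosing limiter options and `createApp` both start before it), this tightens the limit for signed-in users, which is worth stating in the description. Naming the two tiers, e.g. `const AUTHENTICATED_MAX = 60` and `const ANONYMOUS_MAX = 15`, would document the intent better than bare numbers in the return.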
|
|||||||