Merge pull request #2976 from omnivore-app/fix/api-tweak-rate-limits

Add a longer rate limit window on createaccount/reset password, reduce api rate limit hits
2023-10-20 12:14:33 +08:00
parent b27ff99bff a23b67b70b
commit acd96728e7
2 changed files with 14 additions and 1 deletions
--- a/packages/api/src/routers/auth/auth_router.ts
+++ b/packages/api/src/routers/auth/auth_router.ts
@ -46,6 +46,7 @@ import {
 } from './google_auth'
 import { createWebAuthToken } from './jwt_helpers'
 import { createMobileAccountCreationResponse } from './mobile/account_creation'
+import rateLimit from 'express-rate-limit'

 export interface SignupRequest {
  email: string
@ -80,6 +81,15 @@ export const isValidSignupRequest = (obj: any): obj is SignupRequest => {
  )
 }

+// The hourly limiter is used on the create account,
+// and reset password endpoints
+// this limits users to five operations per an hour
+const hourlyLimiter = rateLimit({
+  windowMs: 60 * 60 * 1000,
+  max: 5,
+  skip: (req) => env.dev.isLocal,
+})
+
 export function authRouter() {
  const router = express.Router()

@ -108,6 +118,7 @@ export function authRouter() {
  )
  router.post(
    '/create-account',
+    hourlyLimiter,
    cors<express.Request>(corsConfig),
    async (req, res) => {
      const { name, bio, username } = req.body
@ -480,6 +491,7 @@ export function authRouter() {

  router.post(
    '/email-signup',
+    hourlyLimiter,
    cors<express.Request>(corsConfig),
    async (req: express.Request, res: express.Response) => {
      if (!isValidSignupRequest(req.body)) {
@ -599,6 +611,7 @@ export function authRouter() {

  router.post(
    '/forgot-password',
+    hourlyLimiter,
    cors<express.Request>(corsConfig),
    async (req: express.Request, res: express.Response) => {
      const email = req.body.email?.trim() as string // trim whitespace
--- a/packages/api/src/server.ts
+++ b/packages/api/src/server.ts
@ -68,7 +68,7 @@ export const createApp = (): {
      const token = getTokenByRequest(req)
      try {
        const claims = await getClaimsByToken(token)
-        return claims ? 100 : 15
+        return claims ? 60 : 15
      } catch (e) {
        console.log('non-authenticated request')
        return 15