diff --git a/packages/api/src/routers/auth/auth_router.ts b/packages/api/src/routers/auth/auth_router.ts
index 333391d62..3b38048a3 100644
--- a/packages/api/src/routers/auth/auth_router.ts
+++ b/packages/api/src/routers/auth/auth_router.ts
@@ -46,6 +46,7 @@ import {
 } from './google_auth'
 import { createWebAuthToken } from './jwt_helpers'
 import { createMobileAccountCreationResponse } from './mobile/account_creation'
+import rateLimit from 'express-rate-limit'
 export interface SignupRequest {
 email: string
@@ -80,6 +81,14 @@ export const isValidSignupRequest = (obj: any): obj is SignupRequest => {
 )
 }
+// The hourly limiter is used on the create account,
+// and reset password endpoints
+// this limits users to five operations per an hour
+const hourlyLimiter = rateLimit({
+ windowMs: 60 * 60 * 1000,
+ max: 5,
+})
+
 export function authRouter() {
 const router = express.Router()
@@ -108,6 +117,7 @@ export function authRouter() {
 )
 router.post(
 '/create-account',
+ hourlyLimiter,
 cors(corsConfig),
 async (req, res) => {
 const { name, bio, username } = req.body
@@ -480,6 +490,7 @@ export function authRouter() {
 router.post(
 '/email-signup',
+ hourlyLimiter,
 cors(corsConfig),
 async (req: express.Request, res: express.Response) => {
 if (!isValidSignupRequest(req.body)) {
@@ -599,6 +610,7 @@ export function authRouter() {
 router.post(
 '/forgot-password',
+ hourlyLimiter,
 cors(corsConfig),
 async (req: express.Request, res: express.Response) => {
 const email = req.body.email?.trim() as string // trim whitespace
diff --git a/packages/api/src/server.ts b/packages/api/src/server.ts
index 9e41af64d..b40a82bb8 100755
--- a/packages/api/src/server.ts
+++ b/packages/api/src/server.ts
@@ -68,7 +68,7 @@ export const createApp = (): {
 const token = getTokenByRequest(req)
 try {
 const claims = await getClaimsByToken(token)
- return claims ? 100 : 15
+ return claims ? 60 : 15
 } catch (e) {
 console.log('non-authenticated request')
 return 15
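Review bot: `hourlyLimiter` is built with only `windowMs` and `max`, so it keys on `req.ip` by default; behind a reverse proxy or load balancer every client then shares a single five-per-hour bucket unless `trust proxy` is set on the app, and if that setting is broader than the actual proxy hop a client can reset its bucket by spoofing `X-Forwarded-For` — the server setup is not in this diff, so confirm the `trust proxy` configuration matches the deployment. The default store is also in-memory per process, so the limit applies per replica and resets on restart, which is fine as a first line of defence but should be stated. The header comment is inaccurate as well: the limiter is applied to `/email-signup` too, and "per an hour" should read "per hour"; suggest `// Applied to /create-account, /email-signup and /forgot-password: at most five requests per client IP per hour (default in-memory store, so per process).`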
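Review bot: `hourlyLimiter` is inserted before `cors(corsConfig)`, so a 429 produced by the limiter is sent before the CORS middleware runs and carries no `Access-Control-Allow-Origin` header; if the web client calls this route cross-origin, as the `cors()` wrapper suggests, the browser surfaces an opaque CORS failure instead of the rate-limit response. Move the limiter after the CORS middleware, i.e. `cors(corsConfig),` then `hourlyLimiter,`, here and in the matching `/email-signup` and `/forgot-password` registrations. The `/create-account` handler body continues outside the hunk.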
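Review bot: For `/forgot-password` the new limiter only bounds requests per source IP, so an attacker spread across many addresses can still trigger an unbounded number of reset emails to one victim's inbox; a second limiter keyed on the normalised target address would close that, e.g. `keyGenerator: (req) => req.body?.email?.trim().toLowerCase() ?? req.ip` in its own `rateLimit({ … })`, which presumes the JSON body parser runs before this router (not visible here). A short comment on the route noting that the per-IP limit does not protect a single target address would help the next reader either way. The handler body continues outside the hunk.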