improved rate limits

back/api/auth.js

@@ -4,6 +4,8 @@ const jwt = require('jsonwebtoken');
 const { getConnection, getUserByUsername, addUser, setUserPfp, setUserUsername, setUserPassword } = require('../libs/mysql');
 const { checkAuth } = require('../libs/middlewares');
 const multer  = require('multer')
+const rateLimit = require("express-rate-limit");
+const slowDown = require("express-slow-down");
 const fs = require('node:fs');
 
 const upload = multer({ dest: 'data/pfps/' })
@@ -12,9 +14,20 @@ upload.limits = {
     files: 1,
 };
 
+const limiter = rateLimit({
+    windowMs: 3 * 1000,
+    max: 2,
+});
+  
+const speedLimiter = slowDown({
+    windowMs: 1 * 1000,
+    delayAfter: 2,
+    delayMs: () => 5000,
+});
+
 const router = express.Router();
 
-router.post('/login', async (req, res) => {
+router.post('/login', speedLimiter, limiter, async (req, res) => {
     const { username, password } = req.body;
 
     if (!username || !password) {
@@ -35,7 +48,7 @@ router.post('/login', async (req, res) => {
     res.status(401).send({ error: 'Invalid username or password' });
 });
 
-router.post('/register', async (req, res) => {
+router.post('/register', speedLimiter, limiter, async (req, res) => {
     const { username, password } = req.body;
     const connection = await getConnection();
 

back/api/channels.js

@@ -16,8 +16,21 @@ const {
     deleteChannelMessages,
     deleteChannel
 } = require('../libs/mysql');
+const rateLimit = require("express-rate-limit");
+const slowDown = require("express-slow-down");
 const { checkAuth } = require('../libs/middlewares');
 
+const limiter = rateLimit({
+    windowMs: 1 * 1000,
+    max: 2,
+});
+
+const speedLimiter = slowDown({
+    windowMs: 1 * 1000,
+    delayAfter: 2,
+    delayMs: () => 5000,
+});
+
 const router = express.Router();
 
 router.get('/', async (req, res) => {
@@ -123,7 +136,7 @@ router.get('/:name/messages', async (req, res) => {
     res.send(messages);
 });
 
-router.post('/:name/messages/send', checkAuth, async (req, res) => {
+router.post('/:name/messages/send', speedLimiter, limiter, checkAuth, async (req, res) => {
     const { message } = req.body;
     const name = req.params.name;
     const user = req.user;
@@ -205,7 +218,7 @@ router.post('/:name/messages/delete', checkAuth, async (req, res) => {
     res.send({ message: 'Message deleted' });
 });
 
-router.post('/add', checkAuth, async (req, res) => {
+router.post('/add', speedLimiter, limiter, checkAuth, async (req, res) => {
     const { name, description } = req.body;
     const user = req.user;
 

back/api/emojis.js

@@ -2,9 +2,22 @@ const express = require('express');
 const { getConnection, getEmojis, addEmoji, getEmojiByName, deleteEmoji } = require('../libs/mysql');
 const { checkAuth } = require("../libs/middlewares")
 const multer = require('multer');
+const rateLimit = require("express-rate-limit");
+const slowDown = require("express-slow-down");
 const fs = require('node:fs');
 const path = require('node:path');
 
+const limiter = rateLimit({
+    windowMs: 60 * 1000,
+    max: 3,
+});
+  
+const speedLimiter = slowDown({
+    windowMs: 1 * 1000,
+    delayAfter: 2,
+    delayMs: () => 5000,
+});
+
 const router = express.Router();
 
 const upload = multer({ dest: 'data/emojis/' })
@@ -20,7 +33,7 @@ router.get('/', async (req, res) => {
     res.send(emojis);
 });
 
-router.post('/add', upload.single("emoji"), checkAuth, async (req, res) => {
+router.post('/add', speedLimiter, limiter, upload.single("emoji"), checkAuth, async (req, res) => {
     const { name } = req.body;
     const file = req.file;