From 9806fc3b3c76b13a91b39b447da0dca3982855f1 Mon Sep 17 00:00:00 2001
From: Lukian
Date: Mon, 21 Apr 2025 20:58:46 +0200
Subject: [PATCH] improved rate limits

---
 back/api/auth.js | 17 +++++++++++++++--
 back/api/channels.js | 17 +++++++++++++++--
 back/api/emojis.js | 15 ++++++++++++++-
 3 files changed, 44 insertions(+), 5 deletions(-)

diff --git a/back/api/auth.js b/back/api/auth.js
index 04aae8a..2132668 100644
--- a/back/api/auth.js
+++ b/back/api/auth.js
@@ -4,6 +4,8 @@ const jwt = require('jsonwebtoken');
 const { getConnection, getUserByUsername, addUser, setUserPfp, setUserUsername, setUserPassword } = require('../libs/mysql');
 const { checkAuth } = require('../libs/middlewares');
 const multer = require('multer')
+const rateLimit = require("express-rate-limit");
+const slowDown = require("express-slow-down");
 const fs = require('node:fs');
 const upload = multer({ dest: 'data/pfps/' })
@@ -12,9 +14,20 @@ upload.limits = {
 files: 1,
 };
+const limiter = rateLimit({
+ windowMs: 3 * 1000,
+ max: 2,
+});
+
+const speedLimiter = slowDown({
+ windowMs: 1 * 1000,
+ delayAfter: 2,
+ delayMs: () => 5000,
+});
+
 const router = express.Router();
-router.post('/login', async (req, res) => {
+router.post('/login', speedLimiter, limiter, async (req, res) => {
 const { username, password } = req.body;
 if (!username || !password) {
@@ -35,7 +48,7 @@ router.post('/login', async (req, res) => {
 res.status(401).send({ error: 'Invalid username or password' });
 });
-router.post('/register', async (req, res) => {
+router.post('/register', speedLimiter, limiter, async (req, res) => {
 const { username, password } = req.body;
 const connection = await getConnection();
diff --git a/back/api/channels.js b/back/api/channels.js
index ad353e8..5de87fa 100644
--- a/back/api/channels.js
+++ b/back/api/channels.js
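Review bot: Both `rateLimit` and `slowDown` key on `req.ip` by default, so the `/login` and `/register` limits added in the second hunk (and the channels.js and emojis.js limiters in the following hunks) only behave as intended if the app's `trust proxy` setting matches the deployment: behind an unconfigured reverse proxy every client shares one bucket, while a too-permissive setting lets a client reset its bucket by changing `X-Forwarded-For`. A limit of 2 requests per 3 s per IP still allows a slow credential-stuffing run against a single account, so `/login` would benefit from a second `rateLimit` with a longer window keyed on the submitted username combined with the IP via `keyGenerator`, or a per-account failed-attempt counter. The store is presumably the default in-memory one, so counts are per process and reset on restart; a `// NOTE: per-IP, in-memory store — counts are per process, not shared across workers` comment above `limiter` would document the scope of this protection. Recent express-rate-limit releases call the `max` option `limit` (`max` still accepted but deprecated), so confirm against the installed version.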
@@ -16,8 +16,21 @@ const {
 deleteChannelMessages,
 deleteChannel
 } = require('../libs/mysql');
+const rateLimit = require("express-rate-limit");
+const slowDown = require("express-slow-down");
 const { checkAuth } = require('../libs/middlewares');
+const limiter = rateLimit({
+ windowMs: 1 * 1000,
+ max: 2,
+});
+
+const speedLimiter = slowDown({
+ windowMs: 1 * 1000,
+ delayAfter: 2,
+ delayMs: () => 5000,
+});
+
 const router = express.Router();
 router.get('/', async (req, res) => {
@@ -123,7 +136,7 @@ router.get('/:name/messages', async (req, res) => {
 res.send(messages);
 });
-router.post('/:name/messages/send', checkAuth, async (req, res) => {
+router.post('/:name/messages/send', speedLimiter, limiter, checkAuth, async (req, res) => {
 const { message } = req.body;
 const name = req.params.name;
 const user = req.user;
@@ -205,7 +218,7 @@ router.post('/:name/messages/delete', checkAuth, async (req, res) => {
 res.send({ message: 'Message deleted' });
 });
-router.post('/add', checkAuth, async (req, res) => {
+router.post('/add', speedLimiter, limiter, checkAuth, async (req, res) => {
 const { name, description } = req.body;
 const user = req.user;
diff --git a/back/api/emojis.js b/back/api/emojis.js
index dafd00b..f63424a 100644
--- a/back/api/emojis.js
+++ b/back/api/emojis.js
@@ -2,9 +2,22 @@ const express = require('express');
 const { getConnection, getEmojis, addEmoji, getEmojiByName, deleteEmoji } = require('../libs/mysql');
 const { checkAuth } = require("../libs/middlewares")
 const multer = require('multer');
+const rateLimit = require("express-rate-limit");
+const slowDown = require("express-slow-down");
 const fs = require('node:fs');
 const path = require('node:path');
+const limiter = rateLimit({
+ windowMs: 60 * 1000,
+ max: 3,
+});
+
+const speedLimiter = slowDown({
+ windowMs: 1 * 1000,
+ delayAfter: 2,
+ delayMs: () => 5000,
+});
+
 const router = express.Router();
 const upload = multer({ dest: 'data/emojis/' })
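Review bot: The `limiter`/`speedLimiter` pair added at the top of channels.js is the third copy of the same configuration (auth.js and emojis.js carry near-identical blocks differing only in `windowMs` and `max`); a small factory exported from `../libs/middlewares` next to `checkAuth`, taking the window and limit and returning both middlewares, would keep the tuning in one place and make later changes (store, `keyGenerator`, headers) consistent across all three routers. On `/:name/messages/send` and `/add` the limiters run before `checkAuth`, which is the right order for rejecting floods before any database work, but it also means the bucket is per IP and shared by every user behind one address; if a per-account limit is wanted for authenticated writes, a second `rateLimit` placed after `checkAuth` with a `keyGenerator` reading `req.user` would provide it — the user object's identifying field is not visible in this hunk, so pick it from `checkAuth`. The same per-IP and `trust proxy` caveat noted on the auth.js hunks applies here and to the emojis.js limiter below.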
@@ -20,7 +33,7 @@ router.get('/', async (req, res) => {
 res.send(emojis);
 });
-router.post('/add', upload.single("emoji"), checkAuth, async (req, res) => {
+router.post('/add', speedLimiter, limiter, upload.single("emoji"), checkAuth, async (req, res) => {
 const { name } = req.body;
 const file = req.file;