dec0dOS/zero-ui
1
1
Fork 0
mirror of https://github.com/dec0dOS/zero-ui.git synced 2024-09-20 06:56:05 +08:00
Code Issues Packages Projects Releases Wiki Activity

fix: login limiter, make it opt it by default

Browse source
This commit is contained in:
dec0dOS 2023-10-16 17:47:32 +01:00
parent f17067f832
commit 213c9499f2
2 changed files with 17 additions and 4 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

5
README.md
View file

@ -165,11 +165,12 @@ Advanced manual setups are also supported. Check the following environment varia
| ZU_DEFAULT_USERNAME | unset (`docker-compose.yml`: admin) | Default username that will be set on the first run |
| ZU_DEFAULT_PASSWORD | unset (`docker-compose.yml`: zero-ui) | Default password that will be set on the first run |
| ZU_DATAPATH | `data/db.json` | ZeroUI data storage path |
| ZU_DISABLE_AUTH | unset | If set to true, automatically log in all users. This is useful if ZeroUI is protected by an authentication proxy. Note that when this value is changed, the localStorage of instances of logged-in panels should be cleared |
| ZU_DISABLE_AUTH | `false` | If set to true, automatically log in all users. This is useful if ZeroUI is protected by an authentication proxy. Note that when this value is changed, the localStorage of instances of logged-in panels should be cleared |
| ZU_LAST_SEEN_FETCH | `true`| Enables [Last Seen feature](https://github.com/dec0dOS/zero-ui/issues/40) |
| ZU_LAST_SEEN_SCHEDULE | `*/5 * * * *` | Last Seen cron-like schedule |
| ZU_LOGIN_LIMIT | `false` | Enable rate limiter for /login endpoint |
| ZU_LOGIN_LIMIT_WINDOW | 30 | The duration of the IP ban in minutes |
| ZT_LOGIN_LIMIT_ATTEMPTS | 50 | Login attemps before ban |
| ZU_LOGIN_LIMIT_ATTEMPTS | 50 | Login attemps before ban |
ZeroUI could be deployed as a regular nodejs web application, but it requires a ZeroTier controller that is installed with the `zerotier-one` package. For more info about the network controller, you could read [here](https://github.com/zerotier/ZeroTierOne/tree/master/controller/#readme).

16
backend/routes/auth.js
View file

@ -1,18 +1,30 @@
import express from "express";
import rateLimit from "express-rate-limit";
const router = express.Router();
import * as auth from "../services/auth.js";
const loginLimiter = rateLimit({
windowMs: (Number(process.env.ZU_LOGIN_LIMIT_WINDOW) || 30) * 60 * 1000, // 30 minutes
max: Number(process.env.ZT_LOGIN_LIMIT_ATTEMPTS) || 50, // limit each IP to 50 requests per windowMs
max: Number(process.env.ZU_LOGIN_LIMIT_ATTEMPTS) || 50, // limit each IP to 50 requests per windowMs
message: {
status: 429,
error: "Too many login attempts, please try again in 15 minutes.",
},
});
const loginLimiterWrapper = (req, res, next) => {
if (
process.env.NODE_ENV === "production" &&
process.env.ZU_LOGIN_LIMIT === "true"
) {
return loginLimiter(req, res, next);
} else {
return next();
}
};
router.get("/login", async function (req, res) {
if (process.env.ZU_DISABLE_AUTH === "true") {
res.send({ enabled: false });
@ -21,7 +33,7 @@ router.get("/login", async function (req, res) {
}
});
router.post("/login", loginLimiter, async function (req, res) {
router.post("/login", loginLimiterWrapper, async function (req, res) {
if (req.body.username && req.body.password) {
auth.authorize(req.body.username, req.body.password, function (err, user) {
if (user) {