From 059dca905cbb6dddd6002038baf5461eb465ad28 Mon Sep 17 00:00:00 2001
From: DynamoFox
Date: Sat, 19 Nov 2022 18:45:26 +0100
Subject: [PATCH] Rate limit some more ETAPI auth routes; loginRateLimiter now doesn't count successful auth to ETAPI routes
---
 src/routes/routes.js | 7 ++++---
 1 file changed, 4 insertions(+), 3 deletions(-)
diff --git a/src/routes/routes.js b/src/routes/routes.js
index 2342dedb2..9a46fa3f5 100644
--- a/src/routes/routes.js
+++ b/src/routes/routes.js
@@ -235,7 +235,8 @@ function register(app) {
 const loginRateLimiter = rateLimit({
 windowMs: 15 * 60 * 1000, // 15 minutes
- max: 10 // limit each IP to 10 requests per windowMs
+ max: 10, // limit each IP to 10 requests per windowMs
+ skipSuccessfulRequests: true // successful auth to rate-limited ETAPI routes isn't counted. However successful auth to /login is still counted!
 });
 route(POST, '/login', [loginRateLimiter], loginRoute.login);
@@ -390,7 +391,7 @@ function register(app) {
 apiRoute(GET, '/api/script/relation/:noteId/:relationName', scriptRoute.getRelationBundles);
 // no CSRF since this is called from android app
- route(POST, '/api/sender/login', [], loginApiRoute.token, apiResultHandler);
+ route(POST, '/api/sender/login', [loginRateLimiter], loginApiRoute.token, apiResultHandler);
 route(POST, '/api/sender/image', [auth.checkEtapiToken, uploadMiddlewareWithErrorHandling], senderRoute.uploadImage, apiResultHandler);
 route(POST, '/api/sender/note', [auth.checkEtapiToken], senderRoute.saveNote, apiResultHandler);
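Review bot: The trailing clause of the new `skipSuccessfulRequests` comment ("successful auth to /login is still counted!") looks doubtful: express-rate-limit's default success test is a response status below 400, so if `loginRoute.login` answers a correct password with a redirect, that request is skipped exactly like the API routes; the handler is outside this hunk, so confirm before keeping the claim. The comment is also a very long trailer on an option line; move it above the option and state the actual rule, e.g. `// only responses with status >= 400 (i.e. failed logins) count toward the limit`. Because the limiter buckets by client IP, it is also worth noting next to it whether Express `trust proxy` is configured when the server sits behind a reverse proxy; otherwise all clients share one bucket of 10 failures per 15 minutes and the limiter becomes a denial-of-service lever rather than a brute-force control. The `register` function starts and ends outside the hunk.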
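Review bot: Attaching `loginRateLimiter` to `/api/sender/login` (and to `/api/login/token` in the following hunk) throttles only failed attempts now that `skipSuccessfulRequests` is set, so the protection depends on `loginApiRoute.token` turning a wrong password into a 4xx status through `apiResultHandler`; both are outside this diff, so confirm that a bad password never yields a 200 with an error body, which the limiter would count as success and skip. A comment above the route would record that dependency beside the existing CSRF note, e.g. `// shares loginRateLimiter with /login: only failed (>= 400) attempts per IP are counted`. The enclosing `register` function begins and ends outside these hunks.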
@@ -410,7 +411,7 @@ function register(app) {
 apiRoute(POST, '/api/login/protected/touch', loginApiRoute.touchProtectedSession);
 apiRoute(POST, '/api/logout/protected', loginApiRoute.logoutFromProtectedSession);
- route(POST, '/api/login/token', [], loginApiRoute.token, apiResultHandler);
+ route(POST, '/api/login/token', [loginRateLimiter], loginApiRoute.token, apiResultHandler);
 // in case of local electron, local calls are allowed unauthenticated, for server they need auth
 const clipperMiddleware = utils.isElectron() ? [] : [auth.checkEtapiToken];