From b965f77f4a3ff4dc7d2ed2af1933590d59b214f4 Mon Sep 17 00:00:00 2001
From: DynamoFox
Date: Mon, 22 Aug 2022 11:50:58 +0200
Subject: [PATCH] Rate limit the /auth/login route of ETAPI
---
 src/etapi/auth.js | 4 ++--
 src/etapi/etapi.openapi.yaml | 2 ++
 src/etapi/etapi_utils.js | 4 ++--
 src/routes/routes.js | 2 +-
 4 files changed, 7 insertions(+), 5 deletions(-)
diff --git a/src/etapi/auth.js b/src/etapi/auth.js
index ad2cf1274..921c91d94 100644
--- a/src/etapi/auth.js
+++ b/src/etapi/auth.js
@@ -3,8 +3,8 @@ const eu = require("./etapi_utils");
 const passwordEncryptionService = require("../services/password_encryption");
 const etapiTokenService = require("../services/etapi_tokens");
-function register(router) {
- eu.NOT_AUTHENTICATED_ROUTE(router, 'post', '/etapi/auth/login', (req, res, next) => {
+function register(router, loginMiddleware) {
+ eu.NOT_AUTHENTICATED_ROUTE(router, 'post', '/etapi/auth/login', loginMiddleware, (req, res, next) => {
 const {password, tokenName} = req.body;
 if (!passwordEncryptionService.verifyPassword(password)) {
diff --git a/src/etapi/etapi.openapi.yaml b/src/etapi/etapi.openapi.yaml
index 1644e90bb..47e8d22a8 100644
--- a/src/etapi/etapi.openapi.yaml
+++ b/src/etapi/etapi.openapi.yaml
@@ -602,6 +602,8 @@ paths:
 authToken:
 type: string
 example: Bc4bFn0Ffiok_4NpbVCDnFz7B2WU+pdhW8B5Ne3DiR5wXrEyqdjgRIsk=
+ '429':
+ description: Client IP has been blacklisted because too many requests (possibly failed authentications) were made within a short time frame, try again later
 default:
 description: unexpected error
 content:
diff --git a/src/etapi/etapi_utils.js b/src/etapi/etapi_utils.js
index e07fbb4da..43bd0eee0 100644
--- a/src/etapi/etapi_utils.js
+++ b/src/etapi/etapi_utils.js
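Review bot: The new `loginMiddleware` parameter of `register` is undocumented and its required shape is only implied: the etapi_utils.js hunk in this same patch spreads it with `...middleware`, so a caller that passes a single middleware function, or still uses the old one-argument `register(router)`, throws a TypeError at route registration — fail-closed, which is desirable here, but cryptic. Add a JSDoc such as `/** @param {Function[]} loginMiddleware - middleware run before the login handler, i.e. before the password is verified; must be an array and must not be omitted, the route helper spreads it */`. Placing the limiter ahead of `verifyPassword` is the right ordering for throttling failed attempts, so that order is worth stating in the comment too. `register`'s body continues past the end of the hunk.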
@@ -66,8 +66,8 @@ function route(router, method, path, routeHandler) {
 router[method](path, checkEtapiAuth, (req, res, next) => processRequest(req, res, routeHandler, next, method, path));
 }
-function NOT_AUTHENTICATED_ROUTE(router, method, path, routeHandler) {
- router[method](path, (req, res, next) => processRequest(req, res, routeHandler, next, method, path));
+function NOT_AUTHENTICATED_ROUTE(router, method, path, middleware, routeHandler) {
+ router[method](path, ...middleware, (req, res, next) => processRequest(req, res, routeHandler, next, method, path));
 }
 function getAndCheckNote(noteId) {
diff --git a/src/routes/routes.js b/src/routes/routes.js
index b957139fe..f4cf9bdeb 100644
--- a/src/routes/routes.js
+++ b/src/routes/routes.js
@@ -416,7 +416,7 @@ function register(app) {
 shareRoutes.register(router);
- etapiAuthRoutes.register(router);
+ etapiAuthRoutes.register(router, [loginRateLimiter]);
 etapiAppInfoRoutes.register(router);
 etapiAttributeRoutes.register(router);
 etapiBranchRoutes.register(router);
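Review bot: `...middleware` in the new `NOT_AUTHENTICATED_ROUTE` signature requires an iterable, so an omitted argument or a bare function throws a TypeError when the route is registered, and because the parameter was inserted before `routeHandler`, any other four-argument caller that may exist elsewhere would now pass its handler as `middleware` and hit the same error. Failing at startup is preferable to silently registering the login route without its limiter, so keep the strictness, but make the contract explicit with `/** @param {Function[]} middleware - middleware run before routeHandler; pass [] for none (spread, so it must be an array) */`. The sibling `route` helper in the context lines keeps the `(router, method, path, routeHandler)` shape, so the two helpers now differ in arity; a one-line comment on why only the unauthenticated helper takes extra middleware would help the next reader.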
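Review bot: `loginRateLimiter` is defined outside this hunk, so nothing on the page shows how it keys requests; the OpenAPI text added in this same patch says the limit is per client IP, which behind a reverse proxy only isolates clients if the app's `trust proxy` setting is configured to read the forwarded address — otherwise every ETAPI client shares the proxy's bucket, worth confirming. The name also suggests this is the limiter instance already used for the UI login; if so, and its store is shared, ETAPI and UI failures count against one per-IP budget, which may be intended but should be stated in a short comment on this line rather than left implicit. The enclosing `register(app)` starts before and ends after the hunk.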