Add rate limits

Co-authored-by: mrjvs <mistrjvs@gmail.com>
2025-09-13 18:13:26 +00:00 · 2023-11-04 14:52:11 +00:00
parent 616778ab6d
commit 78b4dbd705
12 changed files with 216 additions and 11 deletions
--- a/src/routes/auth/login.ts
+++ b/src/routes/auth/login.ts
@@ -25,7 +25,13 @@ export const loginAuthRouter = makeRouter((app) => {
  app.post(
    '/auth/login/start',
    { schema: { body: startSchema } },
-    handle(async ({ em, body }) => {
+    handle(async ({ em, body, limiter, req }) => {
+      await limiter?.assertAndBump(req, {
+        id: 'login_challenge_tokens',
+        max: 20,
+        window: '10m',
+      });
+
      const user = await em.findOne(User, { publicKey: body.publicKey });

      if (user == null) {
@@ -46,7 +52,13 @@ export const loginAuthRouter = makeRouter((app) => {
    app.post(
      '/auth/login/complete',
      { schema: { body: completeSchema } },
-      handle(async ({ em, body, req }) => {
+      handle(async ({ em, body, req, limiter }) => {
+        await limiter?.assertAndBump(req, {
+          id: 'login_complete',
+          max: 20,
+          window: '10m',
+        });
+
        await assertChallengeCode(
          em,
          body.challenge.code,
--- a/src/routes/auth/manage.ts
+++ b/src/routes/auth/manage.ts
@@ -32,7 +32,12 @@ export const manageAuthRouter = makeRouter((app) => {
  app.post(
    '/auth/register/start',
    { schema: { body: startSchema } },
-    handle(async ({ em, body }) => {
+    handle(async ({ em, body, limiter, req }) => {
+      await limiter?.assertAndBump(req, {
+        id: 'register_challenge_tokens',
+        max: 10,
+        window: '10m',
+      });
      await assertCaptcha(body.captchaToken);

      const challenge = new ChallengeCode();
@@ -50,7 +55,13 @@ export const manageAuthRouter = makeRouter((app) => {
  app.post(
    '/auth/register/complete',
    { schema: { body: completeSchema } },
-    handle(async ({ em, body, req }) => {
+    handle(async ({ em, body, req, limiter }) => {
+      await limiter?.assertAndBump(req, {
+        id: 'register_complete',
+        max: 10,
+        window: '10m',
+      });
+
      await assertChallengeCode(
        em,
        body.challenge.code,
--- a/src/routes/metrics.ts
+++ b/src/routes/metrics.ts
@@ -29,7 +29,14 @@ export const metricsRouter = makeRouter((app) => {
        body: metricsProviderInputSchema,
      },
    },
-    handle(async ({ em, body }) => {
+    handle(async ({ em, body, req, limiter }) => {
+      await limiter?.assertAndBump(req, {
+        id: 'provider_metrics',
+        max: 300,
+        inc: body.items.length,
+        window: '30m',
+      });
+
      const entities = body.items.map((v) => {
        const metric = new ProviderMetric();
        em.assign(metric, {