github/zero-ui
1
0
Fork 0
mirror of https://github.com/dec0dOS/zero-ui.git synced 2025-07-06 13:01:46 -07:00
Code Issues Projects Releases Packages Wiki Activity Actions

fix: login limiter, make it opt it by default

Browse source
This commit is contained in:
dec0dOS 2023-10-16 17:47:32 +01:00
parent f17067f832
commit 213c9499f2
2 changed files with 17 additions and 4 deletions
Download patch file Download diff file Expand all files Collapse all files

16
backend/routes/auth.js
View file

@ -1,18 +1,30 @@
import express from "express";
import rateLimit from "express-rate-limit";
const router = express.Router();
import * as auth from "../services/auth.js";
const loginLimiter = rateLimit({
windowMs: (Number(process.env.ZU_LOGIN_LIMIT_WINDOW) || 30) * 60 * 1000, // 30 minutes
max: Number(process.env.ZT_LOGIN_LIMIT_ATTEMPTS) || 50, // limit each IP to 50 requests per windowMs
max: Number(process.env.ZU_LOGIN_LIMIT_ATTEMPTS) || 50, // limit each IP to 50 requests per windowMs
message: {
status: 429,
error: "Too many login attempts, please try again in 15 minutes.",
},
});
const loginLimiterWrapper = (req, res, next) => {
if (
process.env.NODE_ENV === "production" &&
process.env.ZU_LOGIN_LIMIT === "true"
) {
return loginLimiter(req, res, next);
} else {
return next();
}
};
router.get("/login", async function (req, res) {
if (process.env.ZU_DISABLE_AUTH === "true") {
res.send({ enabled: false });
@ -21,7 +33,7 @@ router.get("/login", async function (req, res) {
}
});
router.post("/login", loginLimiter, async function (req, res) {
router.post("/login", loginLimiterWrapper, async function (req, res) {
if (req.body.username && req.body.password) {
auth.authorize(req.body.username, req.body.password, function (err, user) {
if (user) {