
Prevent brute force login attack

This commit is contained in:
Chocobozzz 2018-03-29 10:58:24 +02:00
parent 23f4c3d412
commit 490b595a01
No known key found for this signature in database
GPG key ID: 583A612D890159BE
16 changed files with 189 additions and 22 deletions


@ -2,12 +2,13 @@ import * as express from 'express'
import 'multer'
import { extname, join } from 'path'
import * as uuidv4 from 'uuid/v4'
import * as RateLimit from 'express-rate-limit'
import { UserCreate, UserRight, UserRole, UserUpdate, UserUpdateMe, UserVideoRate as FormattedUserVideoRate } from '../../../shared'
import { retryTransactionWrapper } from '../../helpers/database-utils'
import { processImage } from '../../helpers/image-utils'
import { logger } from '../../helpers/logger'
import { createReqFiles, getFormattedObjects } from '../../helpers/utils'
import { AVATARS_SIZE, CONFIG, IMAGE_MIMETYPE_EXT, sequelizeTypescript } from '../../initializers'
import { AVATARS_SIZE, CONFIG, IMAGE_MIMETYPE_EXT, RATES_LIMIT, sequelizeTypescript } from '../../initializers'
import { updateActorAvatarInstance } from '../../lib/activitypub'
import { sendUpdateActor } from '../../lib/activitypub/send'
import { Emailer } from '../../lib/emailer'
@ -43,6 +44,11 @@ import { OAuthTokenModel } from '../../models/oauth/oauth-token'
import { VideoModel } from '../../models/video/video'
const reqAvatarFile = createReqFiles([ 'avatarfile' ], IMAGE_MIMETYPE_EXT, { avatarfile: CONFIG.STORAGE.AVATARS_DIR })
const loginRateLimiter = new RateLimit({
windowMs: RATES_LIMIT.LOGIN.WINDOW_MS,
max: RATES_LIMIT.LOGIN.MAX,
delayMs: 0
})
const usersRouter = express.Router()
@ -136,7 +142,11 @@ usersRouter.post('/:id/reset-password',
asyncMiddleware(resetUserPassword)
)
usersRouter.post('/token', token, success)
usersRouter.post('/token',
loginRateLimiter,
token,
success
)
// TODO: Once https://github.com/oauthjs/node-oauth2-server/pull/289 is merged, implement revoke token route
// ---------------------------------------------------------------------------
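Review bot: `loginRateLimiter` (second hunk) relies on express-rate-limit's default key, which as far as I recall is `req.ip`, so when this API sits behind a reverse proxy and Express's `trust proxy` setting is not configured — the app setup is outside this hunk — every client resolves to the proxy's address and one attacker can lock all users out of `/token`, while a too-permissive trust setting lets an attacker rotate `X-Forwarded-For` to reset the counter. I would record that dependency next to the limiter, e.g. `// Keyed on req.ip: 'trust proxy' must be set correctly when behind a reverse proxy`, and confirm the setting where the Express app is created. The limit is also per source address only, so a distributed guess against a single account is not slowed at all; a per-username counter or at least logging of failed attempts in the `token` handler would cover that, and the `reset-password` route visible just above `/token` is a candidate for the same limiter. Note that the default in-memory store is per process, so if the API runs clustered the effective cap is `RATES_LIMIT.LOGIN.MAX` per worker rather than per instance.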