yuuza/outline
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity

fix: Move rate limiting middleware infront of auth

Browse Source 
Tighten rate limits on attachment, comment, and group creation
This commit is contained in:
Tom Moor
2023-04-18 23:47:11 -04:00
parent fb8d8f8159
commit 54cf3fb8b1
7 changed files with 18 additions and 9 deletions
Download Patch File Download Diff File Expand all files Collapse all files

3
server/routes/api/attachments/attachments.ts
View File

@@ -5,6 +5,7 @@ import { bytesToHumanReadable } from "@shared/utils/files";
import { AttachmentValidation } from "@shared/validations";
import { AuthorizationError, ValidationError } from "@server/errors";
import auth from "@server/middlewares/authentication";
import { rateLimiter } from "@server/middlewares/rateLimiter";
import { transaction } from "@server/middlewares/transaction";
import validate from "@server/middlewares/validate";
import { Attachment, Document, Event } from "@server/models";
@@ -12,6 +13,7 @@ import AttachmentHelper from "@server/models/helpers/AttachmentHelper";
import { authorize } from "@server/policies";
import { presentAttachment } from "@server/presenters";
import { APIContext } from "@server/types";
import { RateLimiterStrategy } from "@server/utils/RateLimiter";
import { getPresignedPost, publicS3Endpoint } from "@server/utils/s3";
import { assertIn } from "@server/validation";
import * as T from "./schema";
@@ -20,6 +22,7 @@ const router = new Router();
router.post(
"attachments.create",
rateLimiter(RateLimiterStrategy.TenPerMinute),
auth(),
validate(T.AttachmentsCreateSchema),
transaction(),

6
server/routes/api/collections.ts
View File

@@ -150,8 +150,8 @@ router.post("collections.info", auth(), async (ctx: APIContext) => {
router.post(
"collections.import",
auth(),
rateLimiter(RateLimiterStrategy.TenPerHour),
auth(),
async (ctx: APIContext) => {
const {
attachmentId,
@@ -549,8 +549,8 @@ router.post(
router.post(
"collections.export",
auth(),
rateLimiter(RateLimiterStrategy.TenPerHour),
auth(),
async (ctx: APIContext) => {
const { id } = ctx.request.body;
const { format = FileOperationFormat.MarkdownZip } = ctx.request.body;
@@ -589,8 +589,8 @@ router.post(
router.post(
"collections.export_all",
auth(),
rateLimiter(RateLimiterStrategy.FivePerHour),
auth(),
async (ctx: APIContext) => {
const { format = FileOperationFormat.MarkdownZip } = ctx.request.body;
const { user } = ctx.state.auth;

3
server/routes/api/comments/comments.ts
View File

@@ -4,12 +4,14 @@ import commentCreator from "@server/commands/commentCreator";
import commentDestroyer from "@server/commands/commentDestroyer";
import commentUpdater from "@server/commands/commentUpdater";
import auth from "@server/middlewares/authentication";
import { rateLimiter } from "@server/middlewares/rateLimiter";
import { transaction } from "@server/middlewares/transaction";
import validate from "@server/middlewares/validate";
import { Document, Comment } from "@server/models";
import { authorize } from "@server/policies";
import { presentComment, presentPolicies } from "@server/presenters";
import { APIContext } from "@server/types";
import { RateLimiterStrategy } from "@server/utils/RateLimiter";
import pagination from "../middlewares/pagination";
import * as T from "./schema";
@@ -17,6 +19,7 @@ const router = new Router();
router.post(
"comments.create",
rateLimiter(RateLimiterStrategy.TenPerMinute),
auth(),
validate(T.CommentsCreateSchema),
transaction(),

3
server/routes/api/groups/groups.ts
View File

@@ -2,6 +2,7 @@ import Router from "koa-router";
import { Op } from "sequelize";
import { MAX_AVATAR_DISPLAY } from "@shared/constants";
import auth from "@server/middlewares/authentication";
import { rateLimiter } from "@server/middlewares/rateLimiter";
import validate from "@server/middlewares/validate";
import { User, Event, Group, GroupUser } from "@server/models";
import { authorize } from "@server/policies";
@@ -12,6 +13,7 @@ import {
presentGroupMembership,
} from "@server/presenters";
import { APIContext } from "@server/types";
import { RateLimiterStrategy } from "@server/utils/RateLimiter";
import pagination from "../middlewares/pagination";
import * as T from "./schema";
@@ -75,6 +77,7 @@ router.post(
router.post(
"groups.create",
rateLimiter(RateLimiterStrategy.TenPerHour),
auth(),
validate(T.GroupsCreateSchema),
async (ctx: APIContext<T.GroupsCreateReq>) => {

4
server/routes/api/teams/teams.ts
View File

@@ -17,8 +17,8 @@ const router = new Router();
router.post(
"team.update",
auth(),
rateLimiter(RateLimiterStrategy.TenPerHour),
auth(),
validate(T.TeamsUpdateSchema),
async (ctx: APIContext<T.TeamsUpdateSchemaReq>) => {
const { user } = ctx.state.auth;
@@ -43,8 +43,8 @@ router.post(
router.post(
"teams.create",
auth(),
rateLimiter(RateLimiterStrategy.FivePerHour),
auth(),
async (ctx: APIContext) => {
const { user } = ctx.state.auth;
const { name } = ctx.request.body;

6
server/routes/api/users/users.ts
View File

@@ -348,8 +348,8 @@ router.post("users.activate", auth(), async (ctx: APIContext) => {
router.post(
"users.invite",
auth(),
rateLimiter(RateLimiterStrategy.TenPerHour),
auth(),
async (ctx: APIContext) => {
const { invites } = ctx.request.body;
assertArray(invites, "invites must be an array");
@@ -420,8 +420,8 @@ router.post(
router.post(
"users.requestDelete",
auth(),
rateLimiter(RateLimiterStrategy.FivePerHour),
auth(),
async (ctx: APIContext) => {
const { user } = ctx.state.auth;
authorize(user, "delete", user);
@@ -441,8 +441,8 @@ router.post(
router.post(
"users.delete",
auth(),
rateLimiter(RateLimiterStrategy.TenPerHour),
auth(),
async (ctx: APIContext) => {
const { id, code = "" } = ctx.request.body;
const actor = ctx.state.auth.user;

2
server/routes/api/views/views.ts
View File

@@ -33,8 +33,8 @@ router.post(
router.post(
"views.create",
auth(),
rateLimiter(RateLimiterStrategy.OneThousandPerHour),
auth(),
validate(T.ViewsCreateSchema),
async (ctx: APIContext<T.ViewsCreateReq>) => {
const { documentId } = ctx.input.body;