rate limit all password checks - fixes #540

all of these endpoints require the caller to already be logged in, so
it's not really much of a security problem, but it's still safer to
limit any endpoints that can be used to guess the current password
This commit is contained in:
dakkar 2024-07-12 11:15:58 +01:00
parent 7dfe9087b2
commit cced87da7f
8 changed files with 56 additions and 0 deletions

View file

@ -14,12 +14,19 @@ import type { UserProfilesRepository, UserSecurityKeysRepository } from '@/model
import { WebAuthnService } from '@/core/WebAuthnService.js'; import { WebAuthnService } from '@/core/WebAuthnService.js';
import { ApiError } from '@/server/api/error.js'; import { ApiError } from '@/server/api/error.js';
import { UserAuthService } from '@/core/UserAuthService.js'; import { UserAuthService } from '@/core/UserAuthService.js';
import ms from 'ms';
export const meta = { export const meta = {
requireCredential: true, requireCredential: true,
secure: true, secure: true,
limit: {
duration: ms('1hour'),
max: 10,
minInterval: ms('1sec'),
},
errors: { errors: {
incorrectPassword: { incorrectPassword: {
message: 'Incorrect password.', message: 'Incorrect password.',

View file

@ -12,12 +12,19 @@ import { DI } from '@/di-symbols.js';
import { WebAuthnService } from '@/core/WebAuthnService.js'; import { WebAuthnService } from '@/core/WebAuthnService.js';
import { ApiError } from '@/server/api/error.js'; import { ApiError } from '@/server/api/error.js';
import { UserAuthService } from '@/core/UserAuthService.js'; import { UserAuthService } from '@/core/UserAuthService.js';
import ms from 'ms';
export const meta = { export const meta = {
requireCredential: true, requireCredential: true,
secure: true, secure: true,
limit: {
duration: ms('1hour'),
max: 10,
minInterval: ms('1sec'),
},
errors: { errors: {
userNotFound: { userNotFound: {
message: 'User not found.', message: 'User not found.',

View file

@ -14,12 +14,19 @@ import { DI } from '@/di-symbols.js';
import type { Config } from '@/config.js'; import type { Config } from '@/config.js';
import { ApiError } from '@/server/api/error.js'; import { ApiError } from '@/server/api/error.js';
import { UserAuthService } from '@/core/UserAuthService.js'; import { UserAuthService } from '@/core/UserAuthService.js';
import ms from 'ms';
export const meta = { export const meta = {
requireCredential: true, requireCredential: true,
secure: true, secure: true,
limit: {
duration: ms('1hour'),
max: 10,
minInterval: ms('1sec'),
},
errors: { errors: {
incorrectPassword: { incorrectPassword: {
message: 'Incorrect password.', message: 'Incorrect password.',

View file

@ -13,10 +13,17 @@ import { GlobalEventService } from '@/core/GlobalEventService.js';
import { DI } from '@/di-symbols.js'; import { DI } from '@/di-symbols.js';
import { ApiError } from '@/server/api/error.js'; import { ApiError } from '@/server/api/error.js';
import { UserAuthService } from '@/core/UserAuthService.js'; import { UserAuthService } from '@/core/UserAuthService.js';
import ms from 'ms';
export const meta = { export const meta = {
requireCredential: true, requireCredential: true,
limit: {
duration: ms('1hour'),
max: 10,
minInterval: ms('1sec'),
},
secure: true, secure: true,
errors: { errors: {

View file

@ -13,12 +13,19 @@ import { GlobalEventService } from '@/core/GlobalEventService.js';
import { DI } from '@/di-symbols.js'; import { DI } from '@/di-symbols.js';
import { ApiError } from '@/server/api/error.js'; import { ApiError } from '@/server/api/error.js';
import { UserAuthService } from '@/core/UserAuthService.js'; import { UserAuthService } from '@/core/UserAuthService.js';
import ms from 'ms';
export const meta = { export const meta = {
requireCredential: true, requireCredential: true,
secure: true, secure: true,
limit: {
duration: ms('1hour'),
max: 10,
minInterval: ms('1sec'),
},
errors: { errors: {
incorrectPassword: { incorrectPassword: {
message: 'Incorrect password.', message: 'Incorrect password.',

View file

@ -10,10 +10,17 @@ import { Endpoint } from '@/server/api/endpoint-base.js';
import type { UserProfilesRepository } from '@/models/_.js'; import type { UserProfilesRepository } from '@/models/_.js';
import { DI } from '@/di-symbols.js'; import { DI } from '@/di-symbols.js';
import { UserAuthService } from '@/core/UserAuthService.js'; import { UserAuthService } from '@/core/UserAuthService.js';
import ms from 'ms';
export const meta = { export const meta = {
requireCredential: true, requireCredential: true,
limit: {
duration: ms('1hour'),
max: 10,
minInterval: ms('1sec'),
},
secure: true, secure: true,
} as const; } as const;

View file

@ -11,10 +11,17 @@ import { Endpoint } from '@/server/api/endpoint-base.js';
import { DeleteAccountService } from '@/core/DeleteAccountService.js'; import { DeleteAccountService } from '@/core/DeleteAccountService.js';
import { DI } from '@/di-symbols.js'; import { DI } from '@/di-symbols.js';
import { UserAuthService } from '@/core/UserAuthService.js'; import { UserAuthService } from '@/core/UserAuthService.js';
import ms from 'ms';
export const meta = { export const meta = {
requireCredential: true, requireCredential: true,
limit: {
duration: ms('1hour'),
max: 10,
minInterval: ms('1sec'),
},
secure: true, secure: true,
} as const; } as const;

View file

@ -11,10 +11,17 @@ import type { UsersRepository, UserProfilesRepository } from '@/models/_.js';
import generateUserToken from '@/misc/generate-native-user-token.js'; import generateUserToken from '@/misc/generate-native-user-token.js';
import { GlobalEventService } from '@/core/GlobalEventService.js'; import { GlobalEventService } from '@/core/GlobalEventService.js';
import { DI } from '@/di-symbols.js'; import { DI } from '@/di-symbols.js';
import ms from 'ms';
export const meta = { export const meta = {
requireCredential: true, requireCredential: true,
limit: {
duration: ms('1hour'),
max: 10,
minInterval: ms('1sec'),
},
secure: true, secure: true,
} as const; } as const;