mirror of
https://codeberg.org/yeentown/barkey
synced 2024-11-28 22:33:02 +00:00
rate limit all password checks - fixes #540
all of these endpoints require the caller to already be logged in, so it's not really much of a security problem, but it's still safer to limit any endpoints that can be used to guess the current password
This commit is contained in:
parent
7dfe9087b2
commit
cced87da7f
8 changed files with 56 additions and 0 deletions
|
@ -14,12 +14,19 @@ import type { UserProfilesRepository, UserSecurityKeysRepository } from '@/model
|
||||||
import { WebAuthnService } from '@/core/WebAuthnService.js';
|
import { WebAuthnService } from '@/core/WebAuthnService.js';
|
||||||
import { ApiError } from '@/server/api/error.js';
|
import { ApiError } from '@/server/api/error.js';
|
||||||
import { UserAuthService } from '@/core/UserAuthService.js';
|
import { UserAuthService } from '@/core/UserAuthService.js';
|
||||||
|
import ms from 'ms';
|
||||||
|
|
||||||
export const meta = {
|
export const meta = {
|
||||||
requireCredential: true,
|
requireCredential: true,
|
||||||
|
|
||||||
secure: true,
|
secure: true,
|
||||||
|
|
||||||
|
limit: {
|
||||||
|
duration: ms('1hour'),
|
||||||
|
max: 10,
|
||||||
|
minInterval: ms('1sec'),
|
||||||
|
},
|
||||||
|
|
||||||
errors: {
|
errors: {
|
||||||
incorrectPassword: {
|
incorrectPassword: {
|
||||||
message: 'Incorrect password.',
|
message: 'Incorrect password.',
|
||||||
|
|
|
@ -12,12 +12,19 @@ import { DI } from '@/di-symbols.js';
|
||||||
import { WebAuthnService } from '@/core/WebAuthnService.js';
|
import { WebAuthnService } from '@/core/WebAuthnService.js';
|
||||||
import { ApiError } from '@/server/api/error.js';
|
import { ApiError } from '@/server/api/error.js';
|
||||||
import { UserAuthService } from '@/core/UserAuthService.js';
|
import { UserAuthService } from '@/core/UserAuthService.js';
|
||||||
|
import ms from 'ms';
|
||||||
|
|
||||||
export const meta = {
|
export const meta = {
|
||||||
requireCredential: true,
|
requireCredential: true,
|
||||||
|
|
||||||
secure: true,
|
secure: true,
|
||||||
|
|
||||||
|
limit: {
|
||||||
|
duration: ms('1hour'),
|
||||||
|
max: 10,
|
||||||
|
minInterval: ms('1sec'),
|
||||||
|
},
|
||||||
|
|
||||||
errors: {
|
errors: {
|
||||||
userNotFound: {
|
userNotFound: {
|
||||||
message: 'User not found.',
|
message: 'User not found.',
|
||||||
|
|
|
@ -14,12 +14,19 @@ import { DI } from '@/di-symbols.js';
|
||||||
import type { Config } from '@/config.js';
|
import type { Config } from '@/config.js';
|
||||||
import { ApiError } from '@/server/api/error.js';
|
import { ApiError } from '@/server/api/error.js';
|
||||||
import { UserAuthService } from '@/core/UserAuthService.js';
|
import { UserAuthService } from '@/core/UserAuthService.js';
|
||||||
|
import ms from 'ms';
|
||||||
|
|
||||||
export const meta = {
|
export const meta = {
|
||||||
requireCredential: true,
|
requireCredential: true,
|
||||||
|
|
||||||
secure: true,
|
secure: true,
|
||||||
|
|
||||||
|
limit: {
|
||||||
|
duration: ms('1hour'),
|
||||||
|
max: 10,
|
||||||
|
minInterval: ms('1sec'),
|
||||||
|
},
|
||||||
|
|
||||||
errors: {
|
errors: {
|
||||||
incorrectPassword: {
|
incorrectPassword: {
|
||||||
message: 'Incorrect password.',
|
message: 'Incorrect password.',
|
||||||
|
|
|
@ -13,10 +13,17 @@ import { GlobalEventService } from '@/core/GlobalEventService.js';
|
||||||
import { DI } from '@/di-symbols.js';
|
import { DI } from '@/di-symbols.js';
|
||||||
import { ApiError } from '@/server/api/error.js';
|
import { ApiError } from '@/server/api/error.js';
|
||||||
import { UserAuthService } from '@/core/UserAuthService.js';
|
import { UserAuthService } from '@/core/UserAuthService.js';
|
||||||
|
import ms from 'ms';
|
||||||
|
|
||||||
export const meta = {
|
export const meta = {
|
||||||
requireCredential: true,
|
requireCredential: true,
|
||||||
|
|
||||||
|
limit: {
|
||||||
|
duration: ms('1hour'),
|
||||||
|
max: 10,
|
||||||
|
minInterval: ms('1sec'),
|
||||||
|
},
|
||||||
|
|
||||||
secure: true,
|
secure: true,
|
||||||
|
|
||||||
errors: {
|
errors: {
|
||||||
|
|
|
@ -13,12 +13,19 @@ import { GlobalEventService } from '@/core/GlobalEventService.js';
|
||||||
import { DI } from '@/di-symbols.js';
|
import { DI } from '@/di-symbols.js';
|
||||||
import { ApiError } from '@/server/api/error.js';
|
import { ApiError } from '@/server/api/error.js';
|
||||||
import { UserAuthService } from '@/core/UserAuthService.js';
|
import { UserAuthService } from '@/core/UserAuthService.js';
|
||||||
|
import ms from 'ms';
|
||||||
|
|
||||||
export const meta = {
|
export const meta = {
|
||||||
requireCredential: true,
|
requireCredential: true,
|
||||||
|
|
||||||
secure: true,
|
secure: true,
|
||||||
|
|
||||||
|
limit: {
|
||||||
|
duration: ms('1hour'),
|
||||||
|
max: 10,
|
||||||
|
minInterval: ms('1sec'),
|
||||||
|
},
|
||||||
|
|
||||||
errors: {
|
errors: {
|
||||||
incorrectPassword: {
|
incorrectPassword: {
|
||||||
message: 'Incorrect password.',
|
message: 'Incorrect password.',
|
||||||
|
|
|
@ -10,10 +10,17 @@ import { Endpoint } from '@/server/api/endpoint-base.js';
|
||||||
import type { UserProfilesRepository } from '@/models/_.js';
|
import type { UserProfilesRepository } from '@/models/_.js';
|
||||||
import { DI } from '@/di-symbols.js';
|
import { DI } from '@/di-symbols.js';
|
||||||
import { UserAuthService } from '@/core/UserAuthService.js';
|
import { UserAuthService } from '@/core/UserAuthService.js';
|
||||||
|
import ms from 'ms';
|
||||||
|
|
||||||
export const meta = {
|
export const meta = {
|
||||||
requireCredential: true,
|
requireCredential: true,
|
||||||
|
|
||||||
|
limit: {
|
||||||
|
duration: ms('1hour'),
|
||||||
|
max: 10,
|
||||||
|
minInterval: ms('1sec'),
|
||||||
|
},
|
||||||
|
|
||||||
secure: true,
|
secure: true,
|
||||||
} as const;
|
} as const;
|
||||||
|
|
||||||
|
|
|
@ -11,10 +11,17 @@ import { Endpoint } from '@/server/api/endpoint-base.js';
|
||||||
import { DeleteAccountService } from '@/core/DeleteAccountService.js';
|
import { DeleteAccountService } from '@/core/DeleteAccountService.js';
|
||||||
import { DI } from '@/di-symbols.js';
|
import { DI } from '@/di-symbols.js';
|
||||||
import { UserAuthService } from '@/core/UserAuthService.js';
|
import { UserAuthService } from '@/core/UserAuthService.js';
|
||||||
|
import ms from 'ms';
|
||||||
|
|
||||||
export const meta = {
|
export const meta = {
|
||||||
requireCredential: true,
|
requireCredential: true,
|
||||||
|
|
||||||
|
limit: {
|
||||||
|
duration: ms('1hour'),
|
||||||
|
max: 10,
|
||||||
|
minInterval: ms('1sec'),
|
||||||
|
},
|
||||||
|
|
||||||
secure: true,
|
secure: true,
|
||||||
} as const;
|
} as const;
|
||||||
|
|
||||||
|
|
|
@ -11,10 +11,17 @@ import type { UsersRepository, UserProfilesRepository } from '@/models/_.js';
|
||||||
import generateUserToken from '@/misc/generate-native-user-token.js';
|
import generateUserToken from '@/misc/generate-native-user-token.js';
|
||||||
import { GlobalEventService } from '@/core/GlobalEventService.js';
|
import { GlobalEventService } from '@/core/GlobalEventService.js';
|
||||||
import { DI } from '@/di-symbols.js';
|
import { DI } from '@/di-symbols.js';
|
||||||
|
import ms from 'ms';
|
||||||
|
|
||||||
export const meta = {
|
export const meta = {
|
||||||
requireCredential: true,
|
requireCredential: true,
|
||||||
|
|
||||||
|
limit: {
|
||||||
|
duration: ms('1hour'),
|
||||||
|
max: 10,
|
||||||
|
minInterval: ms('1sec'),
|
||||||
|
},
|
||||||
|
|
||||||
secure: true,
|
secure: true,
|
||||||
} as const;
|
} as const;
|
||||||
|
|
||||||
|
|
Loading…
Reference in a new issue