	rate limit all password checks - fixes #540
all of these endpoints require the caller to already be logged in, so it's not really much of a security problem, but it's still safer to limit any endpoints that can be used to guess the current password
This commit is contained in:
		
							parent
							
								
									7dfe9087b2
								
							
						
					
					
						commit
						cced87da7f
					
				
					 8 changed files with 56 additions and 0 deletions
				
			
		|  | @ -14,12 +14,19 @@ import type { UserProfilesRepository, UserSecurityKeysRepository } from '@/model | |||
| import { WebAuthnService } from '@/core/WebAuthnService.js'; | ||||
| import { ApiError } from '@/server/api/error.js'; | ||||
| import { UserAuthService } from '@/core/UserAuthService.js'; | ||||
| import ms from 'ms'; | ||||
| 
 | ||||
| export const meta = { | ||||
| 	requireCredential: true, | ||||
| 
 | ||||
| 	secure: true, | ||||
| 
 | ||||
| 	limit: { | ||||
| 		duration: ms('1hour'), | ||||
| 		max: 10, | ||||
| 		minInterval: ms('1sec'), | ||||
| 	}, | ||||
| 
 | ||||
| 	errors: { | ||||
| 		incorrectPassword: { | ||||
| 			message: 'Incorrect password.', | ||||
|  |  | |||
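Review bot: The `limit` object added at `limit: {` names no `key`, so each of the eight endpoints in this commit appears to get its own independent bucket and the 10-guesses-per-hour budget is per endpoint rather than per password; the `meta` object continues past the end of this hunk. Upstream Misskey's endpoint `limit` accepts a `key` field that the limiter uses instead of the endpoint name; if this fork still supports it (check `IEndpointMeta` — I cannot confirm it from this page), sharing one across the hunks, e.g. `limit: { key: 'password-check', duration: ms('1hour'), max: 10, minInterval: ms('1sec') },`, would make the budget global to password verification, which is what #540 asks for. The same applies to the other seven sections (`@@ -12,12 +12,19 @@` through `@@ -11,10 +11,17 @@`). A one-line comment above the block, `// Rate-limited: this endpoint verifies the current password, so cap guesses (#540).`, would keep the reason visible to the next maintainer.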
|  | @ -12,12 +12,19 @@ import { DI } from '@/di-symbols.js'; | |||
| import { WebAuthnService } from '@/core/WebAuthnService.js'; | ||||
| import { ApiError } from '@/server/api/error.js'; | ||||
| import { UserAuthService } from '@/core/UserAuthService.js'; | ||||
| import ms from 'ms'; | ||||
| 
 | ||||
| export const meta = { | ||||
| 	requireCredential: true, | ||||
| 
 | ||||
| 	secure: true, | ||||
| 
 | ||||
| 	limit: { | ||||
| 		duration: ms('1hour'), | ||||
| 		max: 10, | ||||
| 		minInterval: ms('1sec'), | ||||
| 	}, | ||||
| 
 | ||||
| 	errors: { | ||||
| 		userNotFound: { | ||||
| 			message: 'User not found.', | ||||
|  |  | |||
|  | @ -14,12 +14,19 @@ import { DI } from '@/di-symbols.js'; | |||
| import type { Config } from '@/config.js'; | ||||
| import { ApiError } from '@/server/api/error.js'; | ||||
| import { UserAuthService } from '@/core/UserAuthService.js'; | ||||
| import ms from 'ms'; | ||||
| 
 | ||||
| export const meta = { | ||||
| 	requireCredential: true, | ||||
| 
 | ||||
| 	secure: true, | ||||
| 
 | ||||
| 	limit: { | ||||
| 		duration: ms('1hour'), | ||||
| 		max: 10, | ||||
| 		minInterval: ms('1sec'), | ||||
| 	}, | ||||
| 
 | ||||
| 	errors: { | ||||
| 		incorrectPassword: { | ||||
| 			message: 'Incorrect password.', | ||||
|  |  | |||
|  | @ -13,10 +13,17 @@ import { GlobalEventService } from '@/core/GlobalEventService.js'; | |||
| import { DI } from '@/di-symbols.js'; | ||||
| import { ApiError } from '@/server/api/error.js'; | ||||
| import { UserAuthService } from '@/core/UserAuthService.js'; | ||||
| import ms from 'ms'; | ||||
| 
 | ||||
| export const meta = { | ||||
| 	requireCredential: true, | ||||
| 
 | ||||
| 	limit: { | ||||
| 		duration: ms('1hour'), | ||||
| 		max: 10, | ||||
| 		minInterval: ms('1sec'), | ||||
| 	}, | ||||
| 
 | ||||
| 	secure: true, | ||||
| 
 | ||||
| 	errors: { | ||||
|  |  | |||
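Review bot: The placement of the new `limit` block is inconsistent across the commit: here and in the `@@ -10,10 +10,17 @@` and both `@@ -11,10 +11,17 @@` sections it is inserted before `secure: true,`, while the first three sections and `@@ -13,12 +13,19 @@` put it after. Picking one order (after `secure` matches the existing `requireCredential` / `secure` / `errors` layout) makes the eight `meta` objects read identically. Likewise `import ms from 'ms';` is appended after the `@/` alias imports in every file; if the codebase groups third-party packages before `@/` imports, as the surrounding import order suggests, moving it up keeps the import block sorted.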
|  | @ -13,12 +13,19 @@ import { GlobalEventService } from '@/core/GlobalEventService.js'; | |||
| import { DI } from '@/di-symbols.js'; | ||||
| import { ApiError } from '@/server/api/error.js'; | ||||
| import { UserAuthService } from '@/core/UserAuthService.js'; | ||||
| import ms from 'ms'; | ||||
| 
 | ||||
| export const meta = { | ||||
| 	requireCredential: true, | ||||
| 
 | ||||
| 	secure: true, | ||||
| 
 | ||||
| 	limit: { | ||||
| 		duration: ms('1hour'), | ||||
| 		max: 10, | ||||
| 		minInterval: ms('1sec'), | ||||
| 	}, | ||||
| 
 | ||||
| 	errors: { | ||||
| 		incorrectPassword: { | ||||
| 			message: 'Incorrect password.', | ||||
|  |  | |||
|  | @ -10,10 +10,17 @@ import { Endpoint } from '@/server/api/endpoint-base.js'; | |||
| import type { UserProfilesRepository } from '@/models/_.js'; | ||||
| import { DI } from '@/di-symbols.js'; | ||||
| import { UserAuthService } from '@/core/UserAuthService.js'; | ||||
| import ms from 'ms'; | ||||
| 
 | ||||
| export const meta = { | ||||
| 	requireCredential: true, | ||||
| 
 | ||||
| 	limit: { | ||||
| 		duration: ms('1hour'), | ||||
| 		max: 10, | ||||
| 		minInterval: ms('1sec'), | ||||
| 	}, | ||||
| 
 | ||||
| 	secure: true, | ||||
| } as const; | ||||
| 
 | ||||
|  |  | |||
|  | @ -11,10 +11,17 @@ import { Endpoint } from '@/server/api/endpoint-base.js'; | |||
| import { DeleteAccountService } from '@/core/DeleteAccountService.js'; | ||||
| import { DI } from '@/di-symbols.js'; | ||||
| import { UserAuthService } from '@/core/UserAuthService.js'; | ||||
| import ms from 'ms'; | ||||
| 
 | ||||
| export const meta = { | ||||
| 	requireCredential: true, | ||||
| 
 | ||||
| 	limit: { | ||||
| 		duration: ms('1hour'), | ||||
| 		max: 10, | ||||
| 		minInterval: ms('1sec'), | ||||
| 	}, | ||||
| 
 | ||||
| 	secure: true, | ||||
| } as const; | ||||
| 
 | ||||
|  |  | |||
|  | @ -11,10 +11,17 @@ import type { UsersRepository, UserProfilesRepository } from '@/models/_.js'; | |||
| import generateUserToken from '@/misc/generate-native-user-token.js'; | ||||
| import { GlobalEventService } from '@/core/GlobalEventService.js'; | ||||
| import { DI } from '@/di-symbols.js'; | ||||
| import ms from 'ms'; | ||||
| 
 | ||||
| export const meta = { | ||||
| 	requireCredential: true, | ||||
| 
 | ||||
| 	limit: { | ||||
| 		duration: ms('1hour'), | ||||
| 		max: 10, | ||||
| 		minInterval: ms('1sec'), | ||||
| 	}, | ||||
| 
 | ||||
| 	secure: true, | ||||
| } as const; | ||||
| 
 | ||||
|  |  | |||