From 07e36cd2d398a6c5196d33db1903af7faa372a82 Mon Sep 17 00:00:00 2001
From: Mystikfluu
Date: Thu, 9 Jun 2022 18:58:14 +0200
Subject: [PATCH] added account-based ratelimiting
---
 js/user.js | 6 ++----
 server.js | 35 ++++++++++++++++++++++++++++++++++-
 server_config.json | 3 ++-
 3 files changed, 38 insertions(+), 6 deletions(-)
diff --git a/js/user.js b/js/user.js
index 7bf2cbe..327cc1f 100644
--- a/js/user.js
+++ b/js/user.js
@@ -16,16 +16,14 @@ async function bioChanger() {
 document.getElementById("bio").disabled = !document.getElementById("bio").disabled
 document.getElementById("changeBio").innerText = (document.getElementById("bio").disabled && "Change Bio") || "Submit"
 if(document.getElementById("bio").disabled) {
+ let response = await sendBio(document.getElementById("bio").value)
+ console.log(response);
 document.querySelector('style').innerHTML = '::placeholder {color: white;} #bio {border: 0px solid black; color:white;}'
 } else {
 document.querySelector('style').innerHTML = '::placeholder {color: white;} #bio {border: 2px solid gray; color:white;}'
 }
- if(document.getElementById("bio").disabled) {
- let response = await sendBio(document.getElementById("bio").value)
- console.log(response);
- }
 }
 async function sendBio(str) {
diff --git a/server.js b/server.js
index e55b086..8964113 100644
--- a/server.js
+++ b/server.js
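Review bot: Moving `await sendBio(...)` ahead of the style assignment in the disabled branch makes the border reset wait on the network round-trip, and the reset never runs at all if `sendBio` rejects, because nothing in the hunk catches the awaited call. If the visual state should not depend on the request, keep the style line first or guard the call: `try { console.log(await sendBio(document.getElementById("bio").value)) } catch (err) { console.error(err) }`. The response is only logged, so if `sendBio` goes through the rate-limited API that the server side of this patch answers with a 429 text body — not visible from here — the user gets no feedback that the bio was rejected. sendBio's body begins at the last line of the hunk and lies outside it.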
@@ -170,18 +170,46 @@ function getunsigned(req,res) {
 }
 var API_CALLS = {}
+var API_CALLS_ACCOUNT = {}
 var USER_CALLS = {}
 var SESSIONS = {}
 var REVERSE_SESSIONS = {}
 function clear_api_calls() {
 API_CALLS = {}
 }
+function clear_account_api_calls() {
+ API_CALLS_ACCOUNT = {}
+}
 function clear_user_calls() {
 USER_CALLS = {}
 }
 setInterval(clear_api_calls, config.rate_limits.api.reset_time)
+setInterval(clear_account_api_calls, config.rate_limits.api.reset_time)
 setInterval(clear_user_calls, config.rate_limits.user.reset_time)
+function increaseAccountAPICall(req,res) {
+ let cookie = req.cookies.AUTH_COOKIE
+ if(!cookie){
+ return true;
+ }
+ let unsigned = unsign(cookie,req,res)
+ if(!unsigned) {
+
+ return true;//if there's no account, why not just ignore it
+ }
+ unsigned = decodeURIComponent(unsigned)
+ if(!unsigned)return false;
+ let values = unsigned.split(" ")
+ let username = values[0]
+ if(API_CALLS_ACCOUNT[username]==undefined)API_CALLS_ACCOUNT[username]=0
+ if(API_CALLS_ACCOUNT[username] >= config.rate_limits.api.max_per_account) {
+ res.status(429)
+ res.send("You are sending way too many api calls!")
+ return false;
+ }
+ return true
+}
+
 function increaseAPICall(req,res,next) {
 let ip = req.socket.remoteAddress
 if(API_CALLS[ip]==undefined)API_CALLS[ip]=0
@@ -214,6 +242,9 @@ function increaseAPICall(req,res,next) {
 return false
 }
 API_CALLS[ip]++;
+
+ if(!increaseAccountAPICall(req,res))return false; //can't forget account-based ratelimits
+
 if(next)next()
 return true
 }
@@ -517,7 +548,9 @@ router.get("/*", (request, response, next) => {
 router.post("/register",async function(req,res) {
- if(!increaseAPICall(req,res))return;
+ for (let i = 0; i < 10; i++) { //don't want people spam registering
+ if(!increaseAPICall(req,res))return;
+ }
 res.status(200)
 let username = req.body.user.toString()
 username = username.replace(/\s/gi,"")
diff --git a/server_config.json b/server_config.json
index 755a09f..b20760b 100644
--- a/server_config.json
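Review bot: `increaseAccountAPICall` never increments `API_CALLS_ACCOUNT[username]`: the entry is initialised to 0 and compared against `config.rate_limits.api.max_per_account`, but there is no `++` anywhere in the function (contrast `API_CALLS[ip]++;` in `increaseAPICall`), so the account limit can never trip and `clear_account_api_calls` only ever resets zeros. Add `API_CALLS_ACCOUNT[username]++` immediately before the final `return true`. Two smaller points in the same function: `API_CALLS_ACCOUNT` is a plain `{}` keyed by a user-chosen name, so a username such as `constructor` or `__proto__` resolves to an inherited property rather than `undefined` and is never counted — a `Map` (or `Object.create(null)`) avoids this unless registration already rejects such names, which is outside this hunk — and `decodeURIComponent` throws `URIError` on malformed percent-encoding, which nothing here catches; whether `unsign` guarantees well-formed input cannot be seen from the hunk. The `if(!unsigned)return false;` after decoding is effectively unreachable (decoding a non-empty string yields a non-empty string) and, unlike the 429 branch, would return without sending any response.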
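Review bot: The `for` loop in the `/register` handler makes registration cost ten units by calling `increaseAPICall` ten times, which also repeats the cookie unsigning in `increaseAccountAPICall` ten times per request and hides the intent behind a magic number. A weight parameter expresses the same policy in one pass: `function increaseAPICall(req,res,next,cost=1)` with `API_CALLS[ip] += cost;` in place of the `++`, and `if(!increaseAPICall(req,res,null,10))return;` here; the default keeps every existing caller unchanged. Note the two forms differ slightly — the loop stops as soon as the per-IP ceiling is reached, whereas a weighted increment can exceed it by up to `cost-1` — so the choice should be deliberate and commented. The `router.post("/register", ...)` handler continues past the end of the hunk.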
+++ b/server_config.json
@@ -13,7 +13,8 @@
 "api": {
 "reset_time": 10000,
 "max_without_session": 20,
- "max_with_session": 60
+ "max_with_session": 60,
+ "max_per_account": 30
 },
 "user": {
 "reset_time": 30000,
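Review bot: `max_per_account` (30) is half of `max_with_session` (60) over the same `reset_time` window, so for a logged-in user the account ceiling is always reached first and the session ceiling only matters across several accounts from one address; worth confirming that is the intended ordering rather than the other way round. Since the two counters are cleared by separate `setInterval` timers that were not started together, their windows also drift relative to each other, which is fine but worth a short comment next to the key if the values are tuned against each other.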