added account-based ratelimiting

js/user.js

@@ -16,16 +16,14 @@ async function bioChanger() {
   document.getElementById("bio").disabled = !document.getElementById("bio").disabled
   document.getElementById("changeBio").innerText = (document.getElementById("bio").disabled && "Change Bio") || "Submit"
   if(document.getElementById("bio").disabled) {
+    let response = await sendBio(document.getElementById("bio").value)
+    console.log(response);
     document.querySelector('style').innerHTML = '::placeholder {color: white;} #bio {border: 0px solid black; color:white;}'
   }
   else
   {
     document.querySelector('style').innerHTML = '::placeholder {color: white;} #bio {border: 2px solid gray; color:white;}'
   }
-  if(document.getElementById("bio").disabled) {
-    let response = await sendBio(document.getElementById("bio").value)
-    console.log(response);
-  }
 }
 
 async function sendBio(str) {

server.js

@@ -170,18 +170,46 @@ function getunsigned(req,res) {
 }
 
 var API_CALLS = {}
+var API_CALLS_ACCOUNT = {}
 var USER_CALLS = {}
 var SESSIONS = {}
 var REVERSE_SESSIONS = {}
 function clear_api_calls() {
   API_CALLS = {}
 }
+function clear_account_api_calls() {
+  API_CALLS_ACCOUNT = {}
+}
 function clear_user_calls() {
   USER_CALLS = {}
 }
 setInterval(clear_api_calls, config.rate_limits.api.reset_time)
+setInterval(clear_account_api_calls, config.rate_limits.api.reset_time)
 setInterval(clear_user_calls, config.rate_limits.user.reset_time)
 
+function increaseAccountAPICall(req,res) {
+  let cookie = req.cookies.AUTH_COOKIE
+  if(!cookie){
+    return true;
+  }
+  let unsigned = unsign(cookie,req,res)
+  if(!unsigned) {
+
+    return true;//if there's no account, why not just ignore it
+  }
+  unsigned = decodeURIComponent(unsigned)
+  if(!unsigned)return false;
+  let values = unsigned.split(" ")
+  let username = values[0]
+  if(API_CALLS_ACCOUNT[username]==undefined)API_CALLS_ACCOUNT[username]=0
+  if(API_CALLS_ACCOUNT[username] >= config.rate_limits.api.max_per_account) {
+    res.status(429)
+    res.send("You are sending way too many api calls!")
+    return false;
+  }
+  return true
+}
+
 function increaseAPICall(req,res,next) {
   let ip = req.socket.remoteAddress
   if(API_CALLS[ip]==undefined)API_CALLS[ip]=0
@@ -214,6 +242,9 @@ function increaseAPICall(req,res,next) {
     return false
   }
   API_CALLS[ip]++;
+
+  if(!increaseAccountAPICall(req,res))return false; //can't forget account-based ratelimits
+
   if(next)next()
   return true
 }
@@ -517,7 +548,9 @@ router.get("/*", (request, response, next) => {
 
 
 router.post("/register",async function(req,res) {
-  if(!increaseAPICall(req,res))return;
+  for (let i = 0; i < 10; i++) { //don't want people spam registering
+    if(!increaseAPICall(req,res))return;
+  }
   res.status(200)
   let username = req.body.user.toString()
   username = username.replace(/\s/gi,"")

server_config.json

@@ -13,7 +13,8 @@
     "api": {
       "reset_time": 10000,
       "max_without_session": 20,
-      "max_with_session": 60
+      "max_with_session": 60,
+      "max_per_account": 30
     },
     "user": {
       "reset_time": 30000,