added account-based ratelimiting

2022-06-09 18:58:14 +02:00 · 2022-06-09 18:58:14 +02:00 · 07e36cd2d3
commit 07e36cd2d3
parent a01db193dc
3 changed files with 38 additions and 6 deletions
--- a/js/user.js
+++ b/js/user.js
@ -16,16 +16,14 @@ async function bioChanger() {
  document.getElementById("bio").disabled = !document.getElementById("bio").disabled
  document.getElementById("changeBio").innerText = (document.getElementById("bio").disabled && "Change Bio") || "Submit"
  if(document.getElementById("bio").disabled) {
+    let response = await sendBio(document.getElementById("bio").value)
+    console.log(response);
    document.querySelector('style').innerHTML = '::placeholder {color: white;} #bio {border: 0px solid black; color:white;}'
  }
  else
  {
    document.querySelector('style').innerHTML = '::placeholder {color: white;} #bio {border: 2px solid gray; color:white;}'
  }
-  if(document.getElementById("bio").disabled) {
-    let response = await sendBio(document.getElementById("bio").value)
-    console.log(response);
-  }
 }

 async function sendBio(str) {
--- a/server.js
+++ b/server.js
@ -170,18 +170,46 @@ function getunsigned(req,res) {
 }

 var API_CALLS = {}
+var API_CALLS_ACCOUNT = {}
 var USER_CALLS = {}
 var SESSIONS = {}
 var REVERSE_SESSIONS = {}
 function clear_api_calls() {
  API_CALLS = {}
 }
+function clear_account_api_calls() {
+  API_CALLS_ACCOUNT = {}
+}
 function clear_user_calls() {
  USER_CALLS = {}
 }
 setInterval(clear_api_calls, config.rate_limits.api.reset_time)
+setInterval(clear_account_api_calls, config.rate_limits.api.reset_time)
 setInterval(clear_user_calls, config.rate_limits.user.reset_time)

+function increaseAccountAPICall(req,res) {
+  let cookie = req.cookies.AUTH_COOKIE
+  if(!cookie){
+    return true;
+  }
+  let unsigned = unsign(cookie,req,res)
+  if(!unsigned) {
+
+    return true;//if there's no account, why not just ignore it
+  }
+  unsigned = decodeURIComponent(unsigned)
+  if(!unsigned)return false;
+  let values = unsigned.split(" ")
+  let username = values[0]
+  if(API_CALLS_ACCOUNT[username]==undefined)API_CALLS_ACCOUNT[username]=0
+  if(API_CALLS_ACCOUNT[username] >= config.rate_limits.api.max_per_account) {
+    res.status(429)
+    res.send("You are sending way too many api calls!")
+    return false;
+  }
+  return true
+}
+
 function increaseAPICall(req,res,next) {
  let ip = req.socket.remoteAddress
  if(API_CALLS[ip]==undefined)API_CALLS[ip]=0
@ -214,6 +242,9 @@ function increaseAPICall(req,res,next) {
    return false
  }
  API_CALLS[ip]++;
+
+  if(!increaseAccountAPICall(req,res))return false; //can't forget account-based ratelimits
+
  if(next)next()
  return true
 }
@ -517,7 +548,9 @@ router.get("/*", (request, response, next) => {


 router.post("/register",async function(req,res) {
+  for (let i = 0; i < 10; i++) { //don't want people spam registering
    if(!increaseAPICall(req,res))return;
+  }
  res.status(200)
  let username = req.body.user.toString()
  username = username.replace(/\s/gi,"")
--- a/server_config.json
+++ b/server_config.json
@ -13,7 +13,8 @@
    "api": {
      "reset_time": 10000,
      "max_without_session": 20,
-      "max_with_session": 60
+      "max_with_session": 60,
+      "max_per_account": 30
    },
    "user": {
      "reset_time": 30000,