added ratelimits to endpoints that did not have it before

2022-04-20 22:21:23 +02:00 · 2022-04-20 22:21:23 +02:00 · c5fb09df78
commit c5fb09df78
parent 15f47110d9
1 changed files with 47 additions and 1 deletions
--- a/server.js
+++ b/server.js
@ -102,11 +102,15 @@ START /API/*
 */

 var API_CALLS = {}
-
+var USER_CALLS = {}
 function clear_api_calls() {
  API_CALLS = {}
 }
+function clear_user_calls() {
+  USER_CALLS = {}
+}
 setInterval(clear_api_calls, 10000)
+setInterval(clear_user_calls, 30000)

 function increaseAPICall(req,res,next) {
  let ip = req.headers['x-forwarded-for'] || req.socket.remoteAddress
@ -122,11 +126,26 @@ function increaseAPICall(req,res,next) {
  return true
 }

+function increaseUSERCall(req,res,next) {
+  let ip = req.headers['x-forwarded-for'] || req.socket.remoteAddress
+  if(USER_CALLS[ip]==undefined)USER_CALLS[ip]=0
+  if(USER_CALLS[ip] >= 20) {
+    res.status(429)
+    res.send("You are sending too many requests!")
+    console.log("rate limiting " + ip);
+    return false
+  }
+  USER_CALLS[ip]++;
+  if(next)next()
+  return true
+}
+
 router.use("/api/*",async function(req,res,next) {
  increaseAPICall(req,res,next)
 })

 router.get("/api/getuser",async function(req,res) {
+  //already counted due to the /api/* handler
  let cookie = req.cookies.AUTH_COOKIE
  if(!cookie){
    res.status(400)
@ -160,6 +179,7 @@ router.get("/api/getuser",async function(req,res) {
 })

 router.post("/api/post", async function(req,res) {
+  //already counted due to the /api/* handler
  res.send("not implemented yet.")
 })

@ -171,6 +191,7 @@ END /API/*
 */

 router.get("/css/*", (request, response) => {
+  if(!increaseUSERCall(request,response))return
  if(fs.existsSync(__dirname + request.originalUrl)){
    response.sendFile(__dirname + request.originalUrl);
  } else {
@ -180,6 +201,7 @@ router.get("/css/*", (request, response) => {
 });

 router.get("/*", (request, response, next) => {
+  if(!increaseUSERCall(request,response))return
  let originalUrl = request.originalUrl.split("?").shift()
  if(fs.existsSync(dir + "views/"+originalUrl+".html")) {
    return response.sendFile(dir + "views/"+originalUrl+".html");
@ -209,6 +231,16 @@ router.post("/register",async function(req,res) {
    res.redirect("/register?success=false&reason=username")
    return
  }
+  if(username.length > 100) {
+    res.status(400)
+    res.send("username is too long")
+    return
+  }
+  if(password.length > 100000) {
+    res.status(400)
+    res.send("password is too long")
+    return
+  }
  if(!password) {
    res.status(400)
    res.redirect("/register?success=false&reason=password")
@ -239,6 +271,9 @@ router.post("/register",async function(req,res) {
 })

 router.post("/login",async function(req,res) {
+  if(!increaseAPICall(req,res))return;
+  if(!increaseAPICall(req,res))return;
+  //login is counted twice (think of bruteforces man)
  let username = req.body.user.toString()
  username = username.replace(" ","")
  let password = req.body.pass.toString()
@ -247,11 +282,22 @@ router.post("/login",async function(req,res) {
    res.send("no username given")
    return
  }
+  if(username.length > 100) {
+    res.status(400)
+    res.send("username is too long")
+    return
+  }
+  if(password.length > 100000) {
+    res.status(400)
+    res.send("password is too long")
+    return
+  }
  if(!password) {
    res.status(400)
    res.send("no password given")
    return
  }
+
  let hashed_pw = password;
  for (let i = 0; i < 10000; i++) {
    hashed_pw = SHA256(hashed_pw)