Dockery/Trilium
1
0
Fork 0
mirror of https://github.com/zadam/trilium.git synced 2025-10-31 18:36:30 +01:00
Code Issues Packages Projects Releases Activity

Rate limit the /auth/login route of ETAPI

Browse Source
This commit is contained in:
DynamoFox
2022-08-22 11:50:58 +02:00
parent 9ce0421ae7
commit b965f77f4a
4 changed files with 7 additions and 5 deletions
Download Patch File Download Diff File Expand all files Collapse all files

4
src/etapi/auth.js
View File

@@ -3,8 +3,8 @@ const eu = require("./etapi_utils");
const passwordEncryptionService = require("../services/password_encryption"); const passwordEncryptionService = require("../services/password_encryption");
const etapiTokenService = require("../services/etapi_tokens"); const etapiTokenService = require("../services/etapi_tokens");
function register(router) { function register(router, loginMiddleware) {
eu.NOT_AUTHENTICATED_ROUTE(router, 'post', '/etapi/auth/login', (req, res, next) => { eu.NOT_AUTHENTICATED_ROUTE(router, 'post', '/etapi/auth/login', loginMiddleware, (req, res, next) => {
const {password, tokenName} = req.body; const {password, tokenName} = req.body;
if (!passwordEncryptionService.verifyPassword(password)) { if (!passwordEncryptionService.verifyPassword(password)) {

2
src/etapi/etapi.openapi.yaml
View File

@@ -602,6 +602,8 @@ paths:
authToken: authToken:
type: string type: string
example: Bc4bFn0Ffiok_4NpbVCDnFz7B2WU+pdhW8B5Ne3DiR5wXrEyqdjgRIsk= example: Bc4bFn0Ffiok_4NpbVCDnFz7B2WU+pdhW8B5Ne3DiR5wXrEyqdjgRIsk=
'429':
description: Client IP has been blacklisted because too many requests (possibly failed authentications) were made within a short time frame, try again later
default: default:
description: unexpected error description: unexpected error
content: content:

4
src/etapi/etapi_utils.js
View File

@@ -66,8 +66,8 @@ function route(router, method, path, routeHandler) {
router[method](path, checkEtapiAuth, (req, res, next) => processRequest(req, res, routeHandler, next, method, path)); router[method](path, checkEtapiAuth, (req, res, next) => processRequest(req, res, routeHandler, next, method, path));
} }
function NOT_AUTHENTICATED_ROUTE(router, method, path, routeHandler) { function NOT_AUTHENTICATED_ROUTE(router, method, path, middleware, routeHandler) {
router[method](path, (req, res, next) => processRequest(req, res, routeHandler, next, method, path)); router[method](path, ...middleware, (req, res, next) => processRequest(req, res, routeHandler, next, method, path));
} }
function getAndCheckNote(noteId) { function getAndCheckNote(noteId) {

2
src/routes/routes.js
View File

@@ -416,7 +416,7 @@ function register(app) {
shareRoutes.register(router); shareRoutes.register(router);
etapiAuthRoutes.register(router); etapiAuthRoutes.register(router, [loginRateLimiter]);
etapiAppInfoRoutes.register(router); etapiAppInfoRoutes.register(router);
etapiAttributeRoutes.register(router); etapiAttributeRoutes.register(router);
etapiBranchRoutes.register(router); etapiBranchRoutes.register(router);