From 5f2320a492bbaaeb4c990e8f2258feab0e79cc4d Mon Sep 17 00:00:00 2001
From: Jack Foltz
Date: Wed, 26 Dec 2018 21:01:15 -0500
Subject: [PATCH] Fix rate limiting middleware
---
 app/routes/api/auth.js | 7 ++++---
 app/util/auth.js | 26 --------------------------
 config/default.json | 4 ++--
 3 files changed, 6 insertions(+), 31 deletions(-)
diff --git a/app/routes/api/auth.js b/app/routes/api/auth.js
index 738e804..626bac4 100644
--- a/app/routes/api/auth.js
+++ b/app/routes/api/auth.js
@@ -98,11 +98,11 @@ router.post('/register',
 res.status(200).json({'message': 'Registration successful.'});
 }));
+console.log(config.get('RateLimit'));
 const loginLimiter = config.get('RateLimit.enable') ? rateLimit({
- windowMs: config.get('RateLimit.login.window') * 1000,
- max: config.get('RateLimit.login.max'),
- skipSuccessfulRequests: true
+ windowMs: 60 * 60 * 1000,//config.get('RateLimit.login.window') * 1000,
+ max: 5,//config.get('RateLimit.login.max'),
 }) : (req, res, next) => { next(); };
 const loginProps = [
@@ -110,6 +110,7 @@ const loginProps = [
 {name: 'displayname', type: 'string', optional: true},
 {name: 'password', type: 'string'}];
 router.post('/login',
+ loginLimiter,
 bodyVerifier(loginProps),
 canonicalizeRequest,
 wrap(async (req, res, next) => {
diff --git a/app/util/auth.js b/app/util/auth.js
index 9c4b43d..e710a2f 100644
--- a/app/util/auth.js
+++ b/app/util/auth.js
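Review bot: The new `windowMs: 60 * 60 * 1000` and `max: 5` lines hard-code the login limiter and leave the config lookups as trailing comments, so the `RateLimit.login` values this same commit changes in config/default.json (window 600, max 10) are never read and `RateLimit.enable` is the only setting that still has any effect on the login limiter. The module-level `console.log(config.get('RateLimit'));` added just above it appears to be leftover debugging and will print the whole rate-limit configuration to stdout whenever the module loads. Suggest restoring `windowMs: config.get('RateLimit.login.window') * 1000,` and `max: config.get('RateLimit.login.max'),` and deleting the console.log line. Dropping `skipSuccessfulRequests: true` is also a behaviour change, not a fix: successful logins now count toward the limit, so a shared egress address (NAT, office, campus) can exhaust the window with legitimate logins and lock out other users; if that is intended it deserves a comment, otherwise keep the option.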
@@ -53,32 +53,6 @@ const apiLimiter = config.get('RateLimit.enable')
 // sets req.username, req.displayname, req.scope, and req.key if authenticated properly,
 // otherwise throws an error code.
 // If the user is banned, also throw an error.
-/*
-const requireAuth = scope => wrap(async (req, res, next) => {
- const status = {
- authenticated: false,
- permission: false
- };
-
- // First, check the session
- checkSession(req, scope, status);
- // If not authenticated yet, check for a key
- if (!status.authenticated)
- await checkKey(req, scope, status);
-
- if (!status.authenticated)
- return res.status(401).json({message: 'Unauthorized.'});
- else if (!status.permission)
- return res.status(403).json({message: 'Forbidden.'});
-
- // Check if the user is banned
- const user = await User.findOne({username: req.username});
- if (user && user.banned)
- return res.status(403).json({message: 'Forbidden.'});
-
- next();
- });
- */
 const requireAuth = scope => (req, res, next) => { apiLimiter(req, res, wrap(async () => {
diff --git a/config/default.json b/config/default.json
index 60a6197..0bba7f9 100644
--- a/config/default.json
+++ b/config/default.json
@@ -41,11 +41,11 @@
 "enable": true,
 "login": {
 "window": 600,
- "max": 5
+ "max": 10
 },
 "register": {
 "window": 600,
- "max": 5
+ "max": 10
 },
 "api": {
 "window": 600,
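Review bot: Raising `"max": 5` to `"max": 10` under `login` has no effect while app/routes/api/auth.js (first hunk of this patch) hard-codes `max: 5` with a one-hour window and no longer reads `RateLimit.login.window` or `RateLimit.login.max`, so after this commit the config file and the code state two different login policies. The `register` limit is raised as well, but no limiter for the /register handler is visible in this patch; if one exists elsewhere that is fine, otherwise this value is unused too. Since JSON cannot carry a comment, the fact that `window` is in seconds (the code multiplies by 1000) and that a limiter must actually be attached to a route for these values to matter is worth recording in the project's configuration docs or next to the limiter definitions.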