From c3c8026041d29d7b50d54080d21518cadae97fff Mon Sep 17 00:00:00 2001
From: Flam3rboy <34555296+Flam3rboy@users.noreply.github.com>
Date: Thu, 1 Jul 2021 21:27:46 +0200
Subject: [PATCH] :sparkles: route specific rate limits

---
 package-lock.json            | Bin 644837 -> 645191 bytes
 package.json                 |   2 +-
 src/Server.ts                |   9 +++++----
 src/middlewares/RateLimit.ts |  36 ++++++++++++++++++++---------------
 src/routes/auth/login.ts     |   2 ++
 src/routes/auth/register.ts  |   2 ++
 6 files changed, 31 insertions(+), 20 deletions(-)

diff --git a/package-lock.json b/package-lock.json
index 728f252d755aa6335bb35a81fc2e82fb81269a0a..56a7449e5248941023eb6dfaa936ff5981969c03 100644
GIT binary patch
delta 1060
zcmchV&ui0Q7{|%Fcgd!k;Lsr`hT*SKyDT$pR`JrUzg%njBW;rw6w@}YZPFx7)2^8Z
z1(hBZb9nK*S-cb~3Pr?&CqdM?qbI$1-_Wy|sdLUhU@v?R@ArLppD)kz`Px1Erg!$i
zH-vin{V)qx1(bjv?t&?pr~y3f)`^%D6y$1xZY4aqG})*yO|~SfQY2IG^Ywz0rPXNG
zEa?G`b2BoTuZ06)f2PJ&vxYmyJG~U;O)N5Mp7!S=WQx>DVHR#&b>LQS4ej5*2YQHg
z``DQEl0N{uZE&ccYXb~{*PjedK!QR>pZ(yTN1%0Skgz^JLgDAP06^_Mn1&7$!P8l`
z#Rf|C6+Yq(IO$9>TGX-?iLVusd@LR`LNl$LD0mgx=TwDoDM!j|X1+>r&B$z0rzsB;
z*HcwOB8{Y{A+DGqk7Sk=6K=dlw&RTtxu?mQX}2Y;p0_sFPQz<c1G_1#_+tW6pHMuV
z(tP}EQVQ}>gQ=K>ayi>7HnUo$vEXYGOQawNQ!*9M7r7=I^Ev$u#?Lfw@ND=(VUF<g
z3uJD7B}UPyh2^l&x=h3aDXLy;?ab((5U1`$JMCx(=|?*QuX+z_LuWKm)cv9+Dn(H#
zl*RfL(GVst;x|Wz?K3GX*QxCr+~BdJ5bJ=^gZa9uxWtz6pDl@cUewk4Ui(B<RhHCZ
z-c^vxqGGu09=fR+WmVZ*H@;J6e_XK}?0Fp<Rs>BmcfD{3I|6%ij?p&GIcyE~aSq&a
z?GJd!7B~*Sya2z*>xA~1t4#tsXW<?64_9#O9XPrFVEvte#iX$jdoh#0G2f0e(eADT
QTSK-`TUfulK0Js11g@-dV*mgE

delta 789
zcmX@ULH+4k^$DLDjW>P~3Z6dcIIF>Q^)^<G$%!!vp^+8YrM~6GUb(&n&VD9U?#_h<
zJ|1PErD2v;IYAbcAw`*mr2&QEX$7XiNm+(2DQ;Effra^I<yB_ML6J$u;X$6Be)**y
z8DVAy$w@g`xuJzVo?g=%FET1j-mrvy@?93S%?hED{H7m{V$`2*aE6s<^4rCF(=VT5
zR0#DkGxv4$bTtll%?~LlF;6ttFD?j*%+@wH%SkUVGk0?gF!MCFh_v)eb~eloEUhXp
z%qz_fN%X49Pf1I%FtjizukeWSH7P7HvnVyIFe@l2bqPv@SuH&IScl5wH%s&;C+&k+
zJYD_*tNvt>`3hl4e%acAK3M^#VNszbuEk!7=_VC{#aTX%i5AYTx%$E0Q7)C4&PLh3
zMg|t;o<;7Zxn?PeF6LP#rv8P+rUpsje(q_7QISEVt{E8?6;X!fF6N1@<&!5aF#=iI
z9J;JMbQ$CJ&}B^fHcbB@!YDTVZ4@&{dwm2m5VLHrk6^9PrAsU%eq@!|{-BL@tvmgK
zA7tlrpq=cK6_)W#XFJO(KYibMRyE962&G9ZOb@)zj%vR|JO4#iAZ7z%b|B{1&VP~9
Gf*k<a*&96o

diff --git a/package.json b/package.json
index 71cfee4f..4bea58e5 100644
--- a/package.json
+++ b/package.json
@@ -29,7 +29,7 @@
 	},
 	"homepage": "https://github.com/fosscord/fosscord-api#readme",
 	"dependencies": {
-		"@fosscord/server-util": "^1.3.23",
+		"@fosscord/server-util": "^1.3.24",
 		"@types/jest": "^26.0.22",
 		"@types/json-schema": "^7.0.7",
 		"ajv": "^8.4.0",
diff --git a/src/Server.ts b/src/Server.ts
index 326fcc5c..94aab0f5 100644
--- a/src/Server.ts
+++ b/src/Server.ts
@@ -93,10 +93,11 @@ export class FosscordServer extends Server {
 		const prefix = Router();
 		// @ts-ignore
 		this.app = prefix;
-		prefix.use(RateLimit({ bucket: "global", count: 10, error: 10, window: 5, bot: 250 }));
-		prefix.use("/guilds/:id", RateLimit({ count: 10, window: 5 }));
-		prefix.use("/webhooks/:id", RateLimit({ count: 10, window: 5 }));
-		prefix.use("/channels/:id", RateLimit({ count: 10, window: 5 }));
+		prefix.use(RateLimit({ bucket: "global", count: 10, window: 5, bot: 250 }));
+		prefix.use(RateLimit({ bucket: "error", count: 5, error: true, window: 5, bot: 15, onylIp: true }));
+		prefix.use("/guilds/:id", RateLimit({ count: 5, window: 5 }));
+		prefix.use("/webhooks/:id", RateLimit({ count: 5, window: 5 }));
+		prefix.use("/channels/:id", RateLimit({ count: 5, window: 5 }));
 
 		this.routes = await this.registerRoutes(path.join(__dirname, "routes", "/"));
 		app.use("/api", prefix); // allow unversioned requests
diff --git a/src/middlewares/RateLimit.ts b/src/middlewares/RateLimit.ts
index 93d69236..89e002df 100644
--- a/src/middlewares/RateLimit.ts
+++ b/src/middlewares/RateLimit.ts
@@ -36,17 +36,21 @@ export default function RateLimit(opts: {
 	window: number;
 	count: number;
 	bot?: number;
-	error?: number;
 	webhook?: number;
 	oauth?: number;
 	GET?: number;
 	MODIFY?: number;
+	error?: boolean;
+	success?: boolean;
+	onylIp?: boolean;
 }) {
 	Cache.init(); // will only initalize it once
 
 	return async (req: Request, res: Response, next: NextFunction) => {
-		const bucket_id = opts.bucket || req.path.replace(API_PREFIX_TRAILING_SLASH, "");
-		const user_id = req.user_id || getIpAdress(req);
+		const bucket_id = opts.bucket || req.originalUrl.replace(API_PREFIX_TRAILING_SLASH, "");
+		var user_id = getIpAdress(req);
+		if (!opts.onylIp && req.user_id) user_id = req.user_id;
+
 		var max_hits = opts.count;
 		if (opts.bot && req.user_bot) max_hits = opts.bot;
 		if (opts.GET && ["GET", "OPTIONS", "HEAD"].includes(req.method)) max_hits = opts.GET;
@@ -59,9 +63,9 @@ export default function RateLimit(opts: {
 			const resetAfterMs = reset - Date.now();
 			const resetAfterSec = resetAfterMs / 1000;
 			const global = bucket_id === "global";
-			console.log("blocked", { resetAfterMs });
 
 			if (resetAfterMs > 0) {
+				console.log("blocked", { resetAfterMs });
 				return (
 					res
 						.status(429)
@@ -76,26 +80,28 @@ export default function RateLimit(opts: {
 						.send({ message: "You are being rate limited.", retry_after: resetAfterSec, global })
 				);
 			} else {
+				offender.hits = 0;
+				offender.expires_at = new Date(Date.now() + opts.window * 1000);
+				offender.blocked = false;
 				// mongodb ttl didn't update yet -> manually update/delete
-				db.collection("ratelimits").updateOne(
-					{ id: bucket_id, user_id },
-					{ $set: { hits: 0, expires_at: new Date(Date.now() + opts.window * 1000), blocked: false } }
-				);
+				db.collection("ratelimits").updateOne({ id: bucket_id, user_id }, { $set: offender });
 			}
 		}
 		next();
+		const hitRouteOpts = { bucket_id, user_id, max_hits, window: opts.window };
 
-		if (opts.error) {
+		if (opts.error || opts.success) {
 			res.once("finish", () => {
 				// check if error and increment error rate limit
-				if (res.statusCode >= 400) {
-					// TODO: use config rate limit values
-					return hitRoute({ bucket_id: "error", user_id, max_hits: opts.error as number, window: opts.window });
+				if (res.statusCode >= 400 && opts.error) {
+					return hitRoute(hitRouteOpts);
+				} else if (res.statusCode >= 200 && res.statusCode < 300 && opts.success) {
+					return hitRoute(hitRouteOpts);
 				}
 			});
+		} else {
+			return hitRoute(hitRouteOpts);
 		}
-
-		return hitRoute({ user_id, bucket_id, max_hits, window: opts.window });
 	};
 }
 
@@ -121,7 +127,7 @@ function hitRoute(opts: { user_id: string; bucket_id: string; max_hits: number;
 			{
 				$set: {
 					hits: { $sum: [{ $ifNull: ["$hits", 0] }, 1] },
-					blocked: { $gt: ["$hits", opts.max_hits] }
+					blocked: { $gte: ["$hits", opts.max_hits] }
 				}
 			}
 		],
diff --git a/src/routes/auth/login.ts b/src/routes/auth/login.ts
index 2c4084ea..547d115b 100644
--- a/src/routes/auth/login.ts
+++ b/src/routes/auth/login.ts
@@ -4,12 +4,14 @@ import bcrypt from "bcrypt";
 import jwt from "jsonwebtoken";
 import { Config, UserModel } from "@fosscord/server-util";
 import { adjustEmail } from "./register";
+import RateLimit from "../../middlewares/RateLimit";
 
 const router: Router = Router();
 export default router;
 
 router.post(
 	"/",
+	RateLimit({ count: 5, window: 60, onylIp: true }),
 	check({
 		login: new Length(String, 2, 100), // email or telephone
 		password: new Length(String, 8, 64),
diff --git a/src/routes/auth/register.ts b/src/routes/auth/register.ts
index f39206f2..83f8dc8c 100644
--- a/src/routes/auth/register.ts
+++ b/src/routes/auth/register.ts
@@ -6,11 +6,13 @@ import "missing-native-js-functions";
 import { generateToken } from "./login";
 import { getIpAdress, IPAnalysis, isProxy } from "../../util/ipAddress";
 import { HTTPError } from "lambert-server";
+import RateLimit from "../../middlewares/RateLimit";
 
 const router: Router = Router();
 
 router.post(
 	"/",
+	RateLimit({ count: 2, window: 60 * 60 * 12, onylIp: true, success: true }),
 	check({
 		username: new Length(String, 2, 32),
 		// TODO: check min password length in config