agw/overleaf-cep
1
0
Fork 0
mirror of https://github.com/yu-i-i/overleaf-cep.git synced 2026-06-04 14:49:01 +02:00
Code Issues Packages Projects Releases Wiki Activity
Files
27230aa017248922795a270b0c268eae5fcd8f1d
overleaf-cep/services/web/app/src/Features/Security/RateLimiterMiddleware.js
T
Miguel Serrano 42ee56ecd4 Merge pull request #23810 from overleaf/msm-ldap-login-rate-limiter 
[SP] LDAP login rate limiter

GitOrigin-RevId: dedab17da85c0f91b280d002cdad796e95b9fd4f
2025-03-06 09:04:55 +00:00

92 lines
2.4 KiB
JavaScript
Raw Blame History

const logger = require('@overleaf/logger')
const SessionManager = require('../Authentication/SessionManager')
const LoginRateLimiter = require('./LoginRateLimiter')
const settings = require('@overleaf/settings')
/**
* Return a rate limiting middleware
*
* Pass an array of opts.params to segment this based on parameters in the
* request URL, e.g.:
*
* app.get "/project/:project_id", RateLimiterMiddleware.rateLimit(
* rateLimiter, params: ["project_id"]
* )
*
* will rate limit each project_id separately.
*
* Unique clients are identified by user_id if logged in, and IP address if not.
* The method label is used to identify this in our metrics.
*/
function rateLimit(rateLimiter, opts = {}) {
const getUserId =
opts.getUserId || (req => SessionManager.getLoggedInUserId(req.session))
return function (req, res, next) {
const clientId = opts.ipOnly ? req.ip : getUserId(req) || req.ip
const method = clientId === req.ip ? 'ip' : 'userId'
if (
settings.smokeTest &&
settings.smokeTest.userId &&
settings.smokeTest.userId.toString() === clientId.toString()
) {
// ignore smoke test user
return next()
}
let key = clientId
if (!opts.ipOnly) {
const params = (opts.params || []).map(p => req.params[p])
params.push(clientId)
key = params.join(':')
}
rateLimiter
.consume(key, 1, { method })
.then(() => next())
.catch(err => {
if (err instanceof Error) {
next(err)
} else {
res.status(429) // Too many requests
res.write('Rate limit reached, please try again later')
res.end()
}
})
}
}
function loginRateLimitEmail(emailField = 'email') {
return function (req, res, next) {
const email = req.body[emailField]
if (!email) {
return next()
}
LoginRateLimiter.processLoginRequest(email, (err, isAllowed) => {
if (err) {
return next(err)
}
if (isAllowed) {
next()
} else {
logger.warn({ email }, 'rate limit exceeded')
res.status(429) // Too many requests
res.json({
message: {
type: 'error',
text: req.i18n.translate('to_many_login_requests_2_mins'),
key: 'to-many-login-requests-2-mins',
},
})
}
})
}
}
const RateLimiterMiddleware = {
rateLimit,
loginRateLimitEmail,
}
module.exports = RateLimiterMiddleware
Reference in New Issue View Git Blame Copy Permalink