"Added express-rate-limit package and implemented rate limiting for admin API login attempts"

2025-12-24 16:22:44 +00:00 · 2024-05-24 20:42:25 +02:00
parent dcd34ccdaf
commit 748c25aae4
3 changed files with 15196 additions and 15162 deletions
--- a/package-lock.json
+++ b/package-lock.json
--- a/package.json
+++ b/package.json
@@ -97,6 +97,7 @@
    "expr-eval": "^2.0.2",
    "express": "^4.19.2",
    "express-async-handler": "^1.2.0",
+    "express-rate-limit": "^7.2.0",
    "express-static-gzip": "2.1.7",
    "fs-extra": "11.2.0",
    "js-yaml": "^4.1.0",
--- a/server/admin.api.js
+++ b/server/admin.api.js
@@ -1,29 +1,39 @@
 const HomebrewModel = require('./homebrew.model.js').model;
 const router = require('express').Router();
 const Moment = require('moment');
-//const render = require('vitreum/steps/render');
 const templateFn = require('../client/template.js');
 const zlib = require('zlib');
+const rateLimit = require('express-rate-limit');
+
+// Define rate limiter options
+const loginLimiter = rateLimit({
+    windowMs: 24 * 60 * 60 * 1000, // 24 hours window
+    max: 10, // limit each IP to 10 requests per windowMs
+    message: "Too many login attempts from this IP, please try again later"
+});

 process.env.ADMIN_USER = process.env.ADMIN_USER || 'admin';
 process.env.ADMIN_PASS = process.env.ADMIN_PASS || 'password3';

 const mw = {
-	adminOnly : (req, res, next)=>{
-		if(!req.get('authorization')){
-			return res
-				.set('WWW-Authenticate', 'Basic realm="Authorization Required"')
-				.status(401)
-				.send('Authorization Required');
-		}
-		const [username, password] = Buffer.from(req.get('authorization').split(' ').pop(), 'base64')
-			.toString('ascii')
-			.split(':');
-		if(process.env.ADMIN_USER === username && process.env.ADMIN_PASS === password){
-			return next();
-		}
-		return res.status(401).send('Access denied');
-	}
+    adminOnly: [
+        loginLimiter,
+        (req, res, next) => {
+            if (!req.get('authorization')) {
+                return res
+                    .set('WWW-Authenticate', 'Basic realm="Authorization Required"')
+                    .status(401)
+                    .send('Authorization Required');
+            }
+            const [username, password] = Buffer.from(req.get('authorization').split(' ').pop(), 'base64')
+                .toString('ascii')
+                .split(':');
+            if (process.env.ADMIN_USER === username && process.env.ADMIN_PASS === password) {
+                return next();
+            }
+            return res.status(401).send('Access denied');
+        }
+    ]
 };

 const junkBrewPipeline = [