authorAlexis Hovorka <[email protected]>2024-02-16 23:45:17 -0700
committerAlexis Hovorka <[email protected]>2024-02-16 23:45:17 -0700
commit772b806095314da3ad678a38585da35a669b26e4 (patch)
tree8f052c47cdd6719d201a8cd2a99dad157f18d64e
parent789f6d3e9f9f984070292223cc6f295808c23de8 (diff)
[fix] Tweak rate limit timing
-rw-r--r--app/auth.js8
1 files changed, 4 insertions, 4 deletions
diff --git a/app/auth.js b/app/auth.js
index eb71a2f..cd771ca 100644
--- a/app/auth.js
+++ b/app/auth.js
@@ -174,7 +174,7 @@ async function login(req, res, match, data) {
const currentToken = parseCookies(req)?.token;
if (currentToken || !data.username || !data.password) return err400(res);
const error = {success:false, msg:"Bad username or password"};
- const sendError = res => { rateLimitIP(req, 2, 9); sj(res, error); };
+ const sendError = res => { rateLimitIP(req, 1, 8); sj(res, error); };
const uid = getUID(data.username);
if (!uid) return sendError(res); // User doesn't exist
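Review bot: The new argument pair in `rateLimitIP(req, 1, 8)` is a bare magic-number tuple that this commit retunes in three places at once (here, in changePassword, and in changeUsernameReq), with the two second-tier sites using a different first value, and nothing at any call site says what the two numbers mean. Presumably they are a per-failure cost and a threshold, which I cannot confirm from the hunk, so they belong in module-level named constants, e.g. `const AUTH_FAIL_COST = 1;` and `const AUTH_FAIL_LIMIT = 8;`, with the stricter endpoints deriving their value from them so the next tuning touches one line and the intended ratio between endpoints is visible. The body of login continues past the end of this hunk.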
@@ -234,7 +234,7 @@ function changePassword(req, res, match, data) {
const error = token?
{success:false, msg:"Bad password"}:
{success:false, msg:"Bad username or password"};
- const sendError = res => { rateLimitIP(req, token?3:2, 9); sj(res, error); };
+ const sendError = res => { rateLimitIP(req, token?2:1, 8); sj(res, error); };
const uid = token? req.uid : getUID(data.username);
if (!uid) return token? err401(res) : sendError(req);
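Review bot: On the last context line, `sendError(req)` passes the request object where `sendError` (redefined on the added line) expects the response: its body calls `sj(res, error)`, and the equivalent call in login passes `res`. On the no-token path for an unknown username this applies the rate-limit penalty and then tries to write the error through `req`, so the client presumably never gets the intended error response; it should read `if (!uid) return token? err401(res) : sendError(res);`. The line is outside what the commit touches but sits in the hunk it retunes, and changePassword's body continues past the end of this hunk.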
@@ -288,7 +288,7 @@ async function changeUsernameReq(req, res, match, data) {
return sj(res, {success:false, msg:`New username is too long (must be <=${USERNAME_MAX_LENGTH} chars)`})
const error = {success:false, msg:"Bad password"};
- const sendError = res => { rateLimitIP(req, 3, 9); sj(res, error); };
+ const sendError = res => { rateLimitIP(req, 2, 8); sj(res, error); };
let user;
try { user = JSON.parse(await rf(`private/${req.uid}.json`));
@@ -436,7 +436,7 @@ exports.attach = (app) => { // TODO make endpoints RESTier?
// TODO
// - create user
// - delete user
-// - OTP (MITM/XSS/shoulder surfing; ensure codes only work once)
+// - OTP (prevents login replay; ensure codes only work once)
// - PIN (client-side, and easy session verification)
// - normalize error response times?
// - rate limit username/uid signin attempts?