author | Alexis Hovorka <[email protected]> | 2024-02-16 23:45:17 -0700 |
---|---|---|
committer | Alexis Hovorka <[email protected]> | 2024-02-16 23:45:17 -0700 |
commit | 772b806095314da3ad678a38585da35a669b26e4 (patch) | |
tree | 8f052c47cdd6719d201a8cd2a99dad157f18d64e | |
parent | 789f6d3e9f9f984070292223cc6f295808c23de8 (diff) |
[fix] Tweak rate limit timing
-rw-r--r-- | app/auth.js | 8 |
1 files changed, 4 insertions, 4 deletions
diff --git a/app/auth.js b/app/auth.js
index eb71a2f..cd771ca 100644
--- a/app/auth.js
+++ b/app/auth.js
@@ -174,7 +174,7 @@ async function login(req, res, match, data) {
 const currentToken = parseCookies(req)?.token;
 if (currentToken || !data.username || !data.password) return err400(res);
 const error = {success:false, msg:"Bad username or password"};
- const sendError = res => { rateLimitIP(req, 2, 9); sj(res, error); };
+ const sendError = res => { rateLimitIP(req, 1, 8); sj(res, error); };
 const uid = getUID(data.username);
 if (!uid) return sendError(res); // User doesn't exist
@@ -234,7 +234,7 @@ function changePassword(req, res, match, data) {
 const error = token? {success:false, msg:"Bad password"}: {success:false, msg:"Bad username or password"};
- const sendError = res => { rateLimitIP(req, token?3:2, 9); sj(res, error); };
+ const sendError = res => { rateLimitIP(req, token?2:1, 8); sj(res, error); };
 const uid = token? req.uid : getUID(data.username);
 if (!uid) return token? err401(res) : sendError(req);
@@ -288,7 +288,7 @@ async function changeUsernameReq(req, res, match, data) {
 return sj(res, {success:false, msg:`New username is too long (must be <=${USERNAME_MAX_LENGTH} chars)`})
 const error = {success:false, msg:"Bad password"};
- const sendError = res => { rateLimitIP(req, 3, 9); sj(res, error); };
+ const sendError = res => { rateLimitIP(req, 2, 8); sj(res, error); };
 let user;
 try {
 user = JSON.parse(await rf(`private/${req.uid}.json`));
@@ -436,7 +436,7 @@ exports.attach = (app) => { // TODO make endpoints RESTier?
 // TODO
 // - create user
 // - delete user
-// - OTP (MITM/XSS/shoulder surfing; ensure codes only work once)
+// - OTP (prevents login replay; ensure codes only work once)
 // - PIN (client-side, and easy session verification)
 // - normalize error response times?
 // - rate limit username/uid signin attempts? |
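Review bot: The new `rateLimitIP(req, 1, 8)` call in the login hunk passes two bare numbers whose meaning (attempt weight, penalty window, seconds vs. units — the hunk does not say) is undocumented, and the same `8` is repeated in the changePassword and changeUsernameReq hunks, which is why this timing tweak had to touch three call sites at once. Hoisting the shared value into a named module-level constant with a comment stating the unit rateLimitIP expects, e.g. `const BAD_CREDENTIAL_PENALTY = 8; // second argument to rateLimitIP — TODO(review): state the unit`, and using `rateLimitIP(req, 1, BAD_CREDENTIAL_PENALTY)` at each site would keep the three sites from drifting and record the policy that the commit message ("Tweak rate limit timing") leaves implicit. login's body continues outside the hunk.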
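Review bot: The context line `if (!uid) return token? err401(res) : sendError(req);` in the changePassword hunk hands the request object to sendError, whose parameter is named `res` and is forwarded to `sj(res, error)`, so on the no-token path with an unknown username the error reply appears to be written against `req` rather than the response. The parallel line in the login hunk calls `sendError(res)`, which suggests this is a typo; unless sj tolerates a request object, it should read `if (!uid) return token? err401(res) : sendError(res);`. The rate-limit tweak on the preceding line is unaffected; changePassword's body continues outside the hunk.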
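Review bot: In the changeUsernameReq hunk the context line `return sj(res, {success:false, msg:`New username is too long ...`})` has no terminating semicolon and relies on automatic semicolon insertion before the following `const error = ...;` line, unlike every other statement in the three hunks. Adding the `;` keeps the file consistent and avoids ASI surprises if the next line is ever changed to start with a parenthesis or template literal. changeUsernameReq's body continues outside the hunk.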