diff options
-rw-r--r-- | app/auth.js | 8 |
1 files changed, 4 insertions, 4 deletions
diff --git a/app/auth.js b/app/auth.js index eb71a2f..cd771ca 100644 --- a/app/auth.js +++ b/app/auth.js @@ -174,7 +174,7 @@ async function login(req, res, match, data) { const currentToken = parseCookies(req)?.token; if (currentToken || !data.username || !data.password) return err400(res); const error = {success:false, msg:"Bad username or password"}; - const sendError = res => { rateLimitIP(req, 2, 9); sj(res, error); }; + const sendError = res => { rateLimitIP(req, 1, 8); sj(res, error); }; const uid = getUID(data.username); if (!uid) return sendError(res); // User doesn't exist @@ -234,7 +234,7 @@ function changePassword(req, res, match, data) { const error = token? {success:false, msg:"Bad password"}: {success:false, msg:"Bad username or password"}; - const sendError = res => { rateLimitIP(req, token?3:2, 9); sj(res, error); }; + const sendError = res => { rateLimitIP(req, token?2:1, 8); sj(res, error); }; const uid = token? req.uid : getUID(data.username); if (!uid) return token? err401(res) : sendError(req); @@ -288,7 +288,7 @@ async function changeUsernameReq(req, res, match, data) { return sj(res, {success:false, msg:`New username is too long (must be <=${USERNAME_MAX_LENGTH} chars)`}) const error = {success:false, msg:"Bad password"}; - const sendError = res => { rateLimitIP(req, 3, 9); sj(res, error); }; + const sendError = res => { rateLimitIP(req, 2, 8); sj(res, error); }; let user; try { user = JSON.parse(await rf(`private/${req.uid}.json`)); @@ -436,7 +436,7 @@ exports.attach = (app) => { // TODO make endpoints RESTier? // TODO // - create user // - delete user -// - OTP (MITM/XSS/shoulder surfing; ensure codes only work once) +// - OTP (prevents login replay; ensure codes only work once) // - PIN (client-side, and easy session verification) // - normalize error response times? // - rate limit username/uid signin attempts? |