From 772b806095314da3ad678a38585da35a669b26e4 Mon Sep 17 00:00:00 2001
From: Alexis Hovorka <alexisspacegirl@gmail.com>
Date: Fri, 16 Feb 2024 23:45:17 -0700
Subject: [fix] Tweak rate limit timing

---
 app/auth.js | 8 ++++----
 1 file changed, 4 insertions(+), 4 deletions(-)

diff --git a/app/auth.js b/app/auth.js
index eb71a2f..cd771ca 100644
--- a/app/auth.js
+++ b/app/auth.js
@@ -174,7 +174,7 @@ async function login(req, res, match, data) {
   const currentToken = parseCookies(req)?.token;
   if (currentToken || !data.username || !data.password) return err400(res);
   const error = {success:false, msg:"Bad username or password"};
-  const sendError = res => { rateLimitIP(req, 2, 9); sj(res, error); };
+  const sendError = res => { rateLimitIP(req, 1, 8); sj(res, error); };
 
   const uid = getUID(data.username);
   if (!uid) return sendError(res); // User doesn't exist
@@ -234,7 +234,7 @@ function changePassword(req, res, match, data) {
     const error = token?
       {success:false, msg:"Bad password"}:
       {success:false, msg:"Bad username or password"};
-    const sendError = res => { rateLimitIP(req, token?3:2, 9); sj(res, error); };
+    const sendError = res => { rateLimitIP(req, token?2:1, 8); sj(res, error); };
 
     const uid = token? req.uid : getUID(data.username);
     if (!uid) return token? err401(res) : sendError(req);
@@ -288,7 +288,7 @@ async function changeUsernameReq(req, res, match, data) {
     return sj(res, {success:false, msg:`New username is too long (must be <=${USERNAME_MAX_LENGTH} chars)`})
 
   const error = {success:false, msg:"Bad password"};
-  const sendError = res => { rateLimitIP(req, 3, 9); sj(res, error); };
+  const sendError = res => { rateLimitIP(req, 2, 8); sj(res, error); };
 
   let user;
   try { user = JSON.parse(await rf(`private/${req.uid}.json`));
@@ -436,7 +436,7 @@ exports.attach = (app) => { // TODO make endpoints RESTier?
 // TODO
 // - create user
 // - delete user
-// - OTP (MITM/XSS/shoulder surfing; ensure codes only work once)
+// - OTP (prevents login replay; ensure codes only work once)
 // - PIN (client-side, and easy session verification)
 // - normalize error response times?
 // - rate limit username/uid signin attempts?
-- 
cgit v1.2.3-54-g00ecf