From 772b806095314da3ad678a38585da35a669b26e4 Mon Sep 17 00:00:00 2001 From: Alexis Hovorka Date: Fri, 16 Feb 2024 23:45:17 -0700 Subject: [fix] Tweak rate limit timing --- app/auth.js | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/app/auth.js b/app/auth.js index eb71a2f..cd771ca 100644 --- a/app/auth.js +++ b/app/auth.js @@ -174,7 +174,7 @@ async function login(req, res, match, data) { const currentToken = parseCookies(req)?.token; if (currentToken || !data.username || !data.password) return err400(res); const error = {success:false, msg:"Bad username or password"}; - const sendError = res => { rateLimitIP(req, 2, 9); sj(res, error); }; + const sendError = res => { rateLimitIP(req, 1, 8); sj(res, error); }; const uid = getUID(data.username); if (!uid) return sendError(res); // User doesn't exist @@ -234,7 +234,7 @@ function changePassword(req, res, match, data) { const error = token? {success:false, msg:"Bad password"}: {success:false, msg:"Bad username or password"}; - const sendError = res => { rateLimitIP(req, token?3:2, 9); sj(res, error); }; + const sendError = res => { rateLimitIP(req, token?2:1, 8); sj(res, error); }; const uid = token? req.uid : getUID(data.username); if (!uid) return token? err401(res) : sendError(req); @@ -288,7 +288,7 @@ async function changeUsernameReq(req, res, match, data) { return sj(res, {success:false, msg:`New username is too long (must be <=${USERNAME_MAX_LENGTH} chars)`}) const error = {success:false, msg:"Bad password"}; - const sendError = res => { rateLimitIP(req, 3, 9); sj(res, error); }; + const sendError = res => { rateLimitIP(req, 2, 8); sj(res, error); }; let user; try { user = JSON.parse(await rf(`private/${req.uid}.json`)); @@ -436,7 +436,7 @@ exports.attach = (app) => { // TODO make endpoints RESTier? // TODO // - create user // - delete user -// - OTP (MITM/XSS/shoulder surfing; ensure codes only work once) +// - OTP (prevents login replay; ensure codes only work once) // - PIN (client-side, and easy session verification) // - normalize error response times? // - rate limit username/uid signin attempts? -- cgit v1.2.3-70-g09d2