me/gin-gonic-prepack
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

Rate limits should be per-method, not per-resource string.

Browse Source
This commit is contained in:
🐙PiperYxzzy
2022-10-12 22:43:05 +02:00
parent 2922793427
commit 2ada2b5936
3 changed files with 11 additions and 11 deletions
Download Patch File Download Diff File Expand all files Collapse all files

8
config/dev/ratelimit.auth.json
View File

@@ -1,16 +1,16 @@
{
"": {"seconds": 60, "max": 30, "_comment": "Global ratelimit."},
"/v1/sec/doot":
"GET:/v1/sec/doot":
{"seconds": 5, "max": 3, "_comment": "One DPS (Doot Per Second) for monitoring?"},
"/v1/sec/2fa-doot":
"GET:/v1/sec/2fa-doot":
{"seconds": 10, "max": 1, "_comment": "2FA doot probably doesn't need much usage at all, mainly exists as a proof of concept."},
"/v1/adm/doot":
"GET:/v1/adm/doot":
{"seconds": 5, "max": 3, "_comment": "One DPS (Doot Per Second) for monitoring?"},
"/v1/adm/2fa-doot":
"GET:/v1/adm/2fa-doot":
{"seconds": 10, "max": 1, "_comment": "2FA doot probably doesn't need much usage at all, mainly exists as a proof of concept."}

10
config/dev/ratelimit.unauth.json
View File

@@ -2,18 +2,18 @@
"":
{"seconds": 60, "max": 30, "_comment": "Global unauthenticated ratelimit."},
"/v1/doot":
"GET:/v1/doot":
{"seconds": 5, "max": 5, "_comment": "Unauthenticated DOOT for server monitoring."},
"/v1/login":
"POST:/v1/login":
{"seconds": 60, "max": 3, "_comment": "Prevent bruteforce attacks on Login."},
"/v1/admin":
"POST:/v1/admin":
{"seconds": 60, "max": 1, "_comment": "Prevent bruteforce attacks on Admin Login."},
"/v1/signup":
"POST:/v1/signup":
{"seconds": 1800, "max": 1, "_comment": "Prevent spam account creation."},
"/v1/forgot":
"POST:/v1/forgot":
{"seconds": 60, "max": 1, "_comment": "Slow down 'forgot password' enumeration/spam."}
}

4
controllers/ratelimit.go
View File

@@ -125,7 +125,7 @@ func UnauthRateLimit() gin.HandlerFunc {
ip := c.ClientIP()
if !unauthed.take(ip, "") {
if !unauthed.take(ip, c.Request.Method+":"+c.FullPath()) {
c.AbortWithStatus(http.StatusTooManyRequests)
return
}
@@ -156,7 +156,7 @@ func AuthedRateLimit() gin.HandlerFunc {
return
}
if !authed.take(p.Uid.String(), c.FullPath()) {
if !authed.take(p.Uid.String(), c.Request.Method+":"+c.FullPath()) {
c.AbortWithStatus(http.StatusTooManyRequests)
return
}