From 2ada2b5936eecb53be58c6f9b117a54d1cc724f4 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?=F0=9F=90=99PiperYxzzy?=
Date: Wed, 12 Oct 2022 22:43:05 +0200
Subject: [PATCH] Rate limits should be per-method, not per-resource string.
---
 config/dev/ratelimit.auth.json | 8 ++++----
 config/dev/ratelimit.unauth.json | 10 +++++-----
 controllers/ratelimit.go | 4 ++--
 3 files changed, 11 insertions(+), 11 deletions(-)
diff --git a/config/dev/ratelimit.auth.json b/config/dev/ratelimit.auth.json
index 9a8c07e..9b71b06 100644
--- a/config/dev/ratelimit.auth.json
+++ b/config/dev/ratelimit.auth.json
@@ -1,16 +1,16 @@
 {
 "": {"seconds": 60, "max": 30, "_comment": "Global ratelimit."},
- "/v1/sec/doot":
+ "GET:/v1/sec/doot":
 {"seconds": 5, "max": 3, "_comment": "One DPS (Doot Per Second) for monitoring?"},
- "/v1/sec/2fa-doot":
+ "GET:/v1/sec/2fa-doot":
 {"seconds": 10, "max": 1, "_comment": "2FA doot probably doesn't need much usage at all, mainly exists as a proof of concept."},
- "/v1/adm/doot":
+ "GET:/v1/adm/doot":
 {"seconds": 5, "max": 3, "_comment": "One DPS (Doot Per Second) for monitoring?"},
- "/v1/adm/2fa-doot":
+ "GET:/v1/adm/2fa-doot":
 {"seconds": 10, "max": 1, "_comment": "2FA doot probably doesn't need much usage at all, mainly exists as a proof of concept."}
diff --git a/config/dev/ratelimit.unauth.json b/config/dev/ratelimit.unauth.json
index ff74971..299e44b 100644
--- a/config/dev/ratelimit.unauth.json
+++ b/config/dev/ratelimit.unauth.json
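Review bot: The new key format is not documented in the config file itself: nothing in this hunk tells a reader that the `GET:` prefix must equal the HTTP method of the incoming request or that the path part is the gin route pattern returned by `c.FullPath()` rather than the requested URL, so anyone editing `config/dev/ratelimit.auth.json` has to read the middleware to learn how a key is matched. Suggest extending the global entry's `_comment` to `"Global ratelimit. Other keys are METHOD:ROUTE, where ROUTE is the gin route pattern (c.FullPath())."`. The same note applies to the global entry in `config/dev/ratelimit.unauth.json`.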
@@ -2,18 +2,18 @@
 "": {"seconds": 60, "max": 30, "_comment": "Global unauthenticated ratelimit."},
- "/v1/doot":
+ "GET:/v1/doot":
 {"seconds": 5, "max": 5, "_comment": "Unauthenticated DOOT for server monitoring."},
- "/v1/login":
+ "POST:/v1/login":
 {"seconds": 60, "max": 3, "_comment": "Prevent bruteforce attacks on Login."},
- "/v1/admin":
+ "POST:/v1/admin":
 {"seconds": 60, "max": 1, "_comment": "Prevent bruteforce attacks on Admin Login."},
- "/v1/signup":
+ "POST:/v1/signup":
 {"seconds": 1800, "max": 1, "_comment": "Prevent spam account creation."},
- "/v1/forgot":
+ "POST:/v1/forgot":
 {"seconds": 60, "max": 1, "_comment": "Slow down 'forgot password' enumeration/spam."}
 }
\ No newline at end of file
diff --git a/controllers/ratelimit.go b/controllers/ratelimit.go
index f7b6b14..4a05e38 100644
--- a/controllers/ratelimit.go
+++ b/controllers/ratelimit.go
@@ -125,7 +125,7 @@ func UnauthRateLimit() gin.HandlerFunc {
 ip := c.ClientIP()
- if !unauthed.take(ip, "") {
+ if !unauthed.take(ip, c.Request.Method+":"+c.FullPath()) {
 c.AbortWithStatus(http.StatusTooManyRequests)
 return
 }
@@ -156,7 +156,7 @@ func AuthedRateLimit() gin.HandlerFunc {
 return
 }
- if !authed.take(p.Uid.String(), c.FullPath()) {
+ if !authed.take(p.Uid.String(), c.Request.Method+":"+c.FullPath()) {
 c.AbortWithStatus(http.StatusTooManyRequests)
 return
 }
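Review bot: `c.FullPath()` is empty for a request that matched no route, so after this change such requests are keyed as `METHOD:` (for example `GET:`) instead of the `""` the old `unauthed.take(ip, "")` call passed, and because `c.Request.Method` is whatever token the client sent, the set of keys seen per IP is no longer bounded by the route table. Whether the `""` entry in the config still governs these requests depends on `take`, which is outside the hunk; if it only looks up the key it is handed, unmatched requests lose the global limit entirely and every unknown method token becomes a fresh limiter entry. I would build the key once and keep the old global key for unmatched routes: `key := ""` / `if route := c.FullPath(); route != "" { key = c.Request.Method + ":" + route }` / `if !unauthed.take(ip, key) {`. The hunk at `@@ -156` in AuthedRateLimit has the same issue; there the old call passed `c.FullPath()` directly and so already yielded `""` for unmatched routes. Both enclosing functions start and end outside their hunks.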
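Review bot: The key expression `c.Request.Method+":"+c.FullPath()` is now written out verbatim here and in the UnauthRateLimit hunk at `@@ -125`, and it is also the contract the keys in both JSON config files depend on, so one helper should own it. Something like `func limitKey(c *gin.Context) string { return c.Request.Method + ":" + c.FullPath() }`, with a doc comment stating that config keys use this METHOD:ROUTE format, and then `if !authed.take(p.Uid.String(), limitKey(c)) {` in both middlewares keeps the three places in step. AuthedRateLimit starts and ends outside the hunk.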