rate limiter

tabarra · May 30, 2019 · 642f8f1 · 642f8f1
1 parent dd95438
commit 642f8f1
Show file tree

Hide file tree

Showing 6 changed files with 22 additions and 11 deletions.
diff --git a/README.md b/README.md
@@ -17,6 +17,7 @@ One of the problems I noticed with the servers out there is that the "bases" are
 - Live Console
 - Auto Restart on failure detection
 - Auto Restart on schedule
+- Password brute-force protection
 
 
 ## Installation
@@ -71,7 +72,7 @@ $ npm i
 - [x] Write the admin log component (or part of another?)
 - [x] Separate the web routes
 - [ ] Add custom commands to the config file
-- [ ] **Add a simple rate limiter (MUST)**
+- [x] **Add a simple rate limiter (MUST)**
 - [x] Write some documentation
 - [x] **Automatically check for updates (MUST)**
 - [ ] Add hitch detection

diff --git a/package-lock.json b/package-lock.json
diff --git a/package.json b/package.json
@@ -33,6 +33,7 @@
     "cors": "^2.8.5",
     "discord.js": "^11.4.2",
     "express": "^4.16.4",
+    "express-rate-limit": "^4.0.3",
     "express-session": "^1.16.1",
     "express-socket.io-session": "^1.3.5",
     "lodash.template": "^4.4.0",

diff --git a/src/components/webServer.js b/src/components/webServer.js
@@ -1,11 +1,12 @@
 //Requires
 const fs = require('fs');
+const path = require('path');
 const bcrypt = require('bcrypt');
 const httpServer  = require('http');
 const express = require('express');
 const session = require('express-session');
+const rateLimit = require("express-rate-limit");
 const template = require('lodash.template');
-const path = require('path');
 const cors = require('cors');
 const { dir, log, logOk, logWarn, logError, cleanTerminal } = require('../extras/console');
 const Webroutes = require('../webroutes');
@@ -19,14 +20,19 @@ module.exports = class WebServer {
             resave: false,
             saveUninitialized: false
         });
-
+        this.authLimiter = rateLimit({
+            windowMs: this.config.limiterMinutes * 60 * 1000, // 15 minutes
+            max: this.config.limiterAttempts, // limit each IP to 5 requests per 15 minutes
+            message: render('login', {message:`Too many login attempts, enjoy your ${this.config.limiterMinutes} minutes of cooldown.`})
+        });
+
         this.app = express();
-        this.httpServer = httpServer.createServer(this.app);
         this.app.use(cors());
         this.app.use(this.session);
         this.app.use(express.urlencoded({extended: true}))
         this.app.use(express.static('public', {index: false}))
         this.setupRoutes()
+        this.httpServer = httpServer.createServer(this.app);
         try {
             this.httpServer.listen(this.config.port, '0.0.0.0', () => {
                 logOk(`::Started at http://${globals.config.publicIP}:${this.config.port}/`, context);
@@ -52,7 +58,7 @@ module.exports = class WebServer {
                 res.send(render('login', {message:''}));
             }
         });
-        this.app.post('/auth', async (req, res) => {
+        this.app.post('/auth', this.authLimiter, async (req, res) => {
             if(typeof req.body.password == 'undefined'){
                 req.redirect('/');
                 return;
@@ -68,10 +74,6 @@ module.exports = class WebServer {
             res.redirect('/');
         });
 
-        this.app.get('/test', globals.authenticator.sessionCheckerWeb, async (req, res) => {
-            res.send('<pre>'+JSON.stringify(req.session, null, 2)+'</pre>'); 
-        });
-
         this.app.post('/action', globals.authenticator.sessionCheckerWeb, async (req, res) => {
             await Webroutes.action(res, req).catch((err) => {
                 this.handleRouteError(res, "[action] Route Internal Error", err);

diff --git a/src/extras/config.js b/src/extras/config.js
@@ -74,6 +74,8 @@ try {
     cfg.webServer = {
         port: parseInt(configFile.webServer.port) || 40121,
         bufferTime: parseInt(configFile.webServer.bufferTime) || 1500, //removed from template - deprecate?
+        limiterMinutes: parseInt(configFile.webServer.limiterMinutes) || 15, //removed from template
+        limiterAttempts: parseInt(configFile.webServer.limiterAttempts) || 5, //removed from template
     };
     cfg.webConsole = {
         //nothing to configure

diff --git a/version.json b/version.json
@@ -1,4 +1,4 @@
 {
-    "version": "0.8.0",
-    "changelog": "Schedule/Failure Auto Restarter. You will need to copy server-template.json again. Modified the start command."
+    "version": "0.9.0",
+    "changelog": "Schedule/Failure Auto Restarter. You will need to copy server-template.json again. Modified the start command. Password brute-force protection."
 }