Merge pull request from GHSA-c69x-5xmw-v44x

* feat: limit too many login request * fix: fix error rate limt --------- Signed-off-by: CorrectRoadH <a778917369@gmail.com>
IceWhaleTech · Feb 5, 2024 · 62006f6 · 62006f6
1 parent c75063d
commit 62006f6
Show file tree

Hide file tree

Showing 2 changed files with 14 additions and 1 deletion.
diff --git a/go.mod b/go.mod
@@ -15,6 +15,7 @@ require (
 	github.com/tidwall/gjson v1.14.4
 	go.uber.org/zap v1.24.0
 	golang.org/x/net v0.17.0
+	golang.org/x/time v0.3.0
 	gopkg.in/ini.v1 v1.67.0
 	gorm.io/gorm v1.25.0
 )
@@ -75,7 +76,6 @@ require (
 	golang.org/x/exp v0.0.0-20230713183714-613f0c0eb8a1 // indirect
 	golang.org/x/sys v0.14.0 // indirect
 	golang.org/x/text v0.13.0 // indirect
-	golang.org/x/time v0.3.0 // indirect
 	google.golang.org/protobuf v1.30.0 // indirect
 	gopkg.in/natefinch/lumberjack.v2 v2.2.1 // indirect
 	gopkg.in/yaml.v3 v3.0.1 // indirect

diff --git a/route/v1/user.go b/route/v1/user.go
@@ -32,6 +32,7 @@ import (
 	uuid "github.com/satori/go.uuid"
 	"github.com/tidwall/gjson"
 	"go.uber.org/zap"
+	"golang.org/x/time/rate"
 
 	"github.com/IceWhaleTech/CasaOS-UserService/service"
 	"github.com/gin-gonic/gin"
@@ -84,6 +85,8 @@ func PostUserRegister(c *gin.Context) {
 	c.JSON(common_err.SUCCESS, model.Result{Success: common_err.SUCCESS, Message: common_err.GetMsg(common_err.SUCCESS)})
 }
 
+var limiter = rate.NewLimiter(rate.Every(time.Minute), 5)
+
 // @Summary login
 // @Produce  application/json
 // @Accept application/json
@@ -93,6 +96,16 @@ func PostUserRegister(c *gin.Context) {
 // @Success 200 {string} string "ok"
 // @Router /user/login [post]
 func PostUserLogin(c *gin.Context) {
+
+	if !limiter.Allow() {
+		c.JSON(common_err.TOO_MANY_REQUEST,
+			model.Result{
+				Success: common_err.TOO_MANY_LOGIN_REQUESTS,
+				Message: common_err.GetMsg(common_err.TOO_MANY_LOGIN_REQUESTS),
+			})
+		return
+	}
+
 	json := make(map[string]string)
 	c.ShouldBind(&json)