Update both Admin and U&P ratelimit to lower path

strapi · Jul 17, 2023 · ed364d9 · ed364d9
1 parent 5b675cc
commit ed364d9
Show file tree

Hide file tree

Showing 2 changed files with 40 additions and 22 deletions.
diff --git a/packages/core/admin/server/middlewares/rateLimit.js b/packages/core/admin/server/middlewares/rateLimit.js
@@ -24,11 +24,12 @@ module.exports =
       const rateLimit = require('koa2-ratelimit').RateLimit;
 
       const userEmail = toLower(ctx.request.body.email) || 'unknownEmail';
+      const requestPath = toLower(ctx.request.path) || 'unknownPath';
 
       const loadConfig = {
         interval: { min: 5 },
         max: 5,
-        prefixKey: `${userEmail}:${ctx.request.path}:${ctx.request.ip}`,
+        prefixKey: `${userEmail}:${requestPath}:${ctx.request.ip}`,
         handler() {
           throw new RateLimitError();
         },

diff --git a/packages/plugins/users-permissions/server/middlewares/rateLimit.js b/packages/plugins/users-permissions/server/middlewares/rateLimit.js
@@ -1,27 +1,44 @@
 'use strict';
 
+const utils = require('@strapi/utils');
+const { has, toLower } = require('lodash/fp');
+
+const { RateLimitError } = utils.errors;
+
 module.exports =
   (config, { strapi }) =>
   async (ctx, next) => {
-    const ratelimit = require('koa2-ratelimit').RateLimit;
-
-    const message = [
-      {
-        messages: [
-          {
-            id: 'Auth.form.error.ratelimit',
-            message: 'Too many attempts, please try again in a minute.',
-          },
-        ],
-      },
-    ];
-
-    return ratelimit.middleware({
-      interval: 1 * 60 * 1000,
-      max: 5,
-      prefixKey: `${ctx.request.path}:${ctx.request.ip}`,
-      message,
-      ...strapi.config.get('plugin.users-permissions.ratelimit'),
-      ...config,
-    })(ctx, next);
+    let rateLimitConfig = strapi.config.get('plugin.users-permissions.ratelimit');
+
+    if (!rateLimitConfig) {
+      rateLimitConfig = {
+        enabled: true,
+      };
+    }
+
+    if (!has('enabled', rateLimitConfig)) {
+      rateLimitConfig.enabled = true;
+    }
+
+    if (rateLimitConfig.enabled === true) {
+      const rateLimit = require('koa2-ratelimit').RateLimit;
+
+      const userIdentifier = toLower(ctx.request.body.email) || 'unknownIdentifier';
+      const requestPath = toLower(ctx.request.path) || 'unknownPath';
+
+      const loadConfig = {
+        interval: { min: 5 },
+        max: 5,
+        prefixKey: `${userIdentifier}:${requestPath}:${ctx.request.ip}`,
+        handler() {
+          throw new RateLimitError();
+        },
+        ...rateLimitConfig,
+        ...config,
+      };
+
+      return rateLimit.middleware(loadConfig)(ctx, next);
+    }
+
+    return next();
   };