From fbd8037c35c51e48cd7bd8fc86ed62cc2f7e5f77 Mon Sep 17 00:00:00 2001
From: Bobby Wibowo
Date: Sat, 12 Oct 2019 13:55:38 +0700
Subject: [PATCH] Updated config.sample.js

Updated sample API rate limits. This will pretty much be the same ones used live in safe.fiery.me. This rate limits ALL API calls to 10 requests per second, but apply stricter limits to login & register endpoints, which are 2 requests per 5 seconds. Also apply stricter limit to album ZIP download endpoint to 4 requests in 30 seconds. Also removed forcing 200 HTTP status code from the error responses, cause front-end will now handle any HTTP status codes properly. It was previously set to 200 cause frontend couldn't handler errors properly. On a side note, rate limiting all API calls is important due to the fact that any token-based endpoints can be used for brute-forcing tokens. Some server firewalls can also be used to ban possible brute force attacks through actively monitoring the HTTP server's access logs, so you may also want to consider that kind of solution for your site instead.
---
 config.sample.js | 35 +++++++++++++++++++++++++++++++----
 1 file changed, 31 insertions(+), 4 deletions(-)

diff --git a/config.sample.js b/config.sample.js
index b8f71e1..6380352 100644
--- a/config.sample.js
+++ b/config.sample.js
@@ -111,6 +111,20 @@ module.exports = {
 https://github.com/nfriedly/express-rate-limit#configuration-options
 */
 rateLimits: [
+ {
+ // 10 requests in 1 second
+ routes: [
+ '/api/'
+ ],
+ config: {
+ windowMs: 1000,
+ max: 10,
+ message: {
+ success: false,
+ description: 'Rate limit reached, please try again in a while.'
+ }
+ }
+ },
 {
 // 2 requests in 5 seconds
 routes: [
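Review bot: The new catch-all `/api/` limiter is only as good as the key it counts on, and the sample says nothing about that: express-rate-limit buckets by client address by default, so if the server sits behind a reverse proxy (as the commit message's mention of firewalls and access-log monitoring suggests it may) the Express `trust proxy` setting must be correct, otherwise every user shares one 10-requests-per-second bucket or the address used for bucketing is not the real client's. A one-line comment above the new entry would save operators from that surprise, e.g. `// Counted per client address — when behind a reverse proxy, configure Express 'trust proxy' so the real client IP is used`. Separately, the commit message gives brute-forcing of tokens as the motivation for this entry, but 10 requests per second per address is a generous ceiling for that purpose; the login and register routes get their own stricter entry, and the endpoints that verify a token would likely merit one too rather than relying on the global bucket.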
@@ -120,21 +134,34 @@ module.exports = {
 config: {
 windowMs: 5 * 1000,
 max: 2,
- statusCode: 200,
 message: {
 success: false,
- description: 'Rate limit reached, please try again in a while.'
+ description: 'Rate limit reached, please try again in 5 seconds.'
 }
 }
 },
 {
- // 2 requests in 30 seconds
+ // 4 requests in 30 seconds
 routes: [
 '/api/album/zip'
 ],
 config: {
 windowMs: 30 * 1000,
- max: 2
+ max: 4
+ }
+ },
+ {
+ // 1 request in 60 seconds
+ routes: [
+ '/api/tokens/change'
+ ],
+ config: {
+ windowMs: 60 * 1000,
+ max: 1,
+ message: {
+ success: false,
+ description: 'Rate limit reached, please try again in 60 seconds.'
+ }
 }
 }
 ],
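Review bot: The `/api/album/zip` entry is the only limiter in the list without a `message`, so when it trips the client receives express-rate-limit's built-in body (a plain-text string, as far as I recall) instead of the `{ success: false, description }` JSON that every other entry returns and that the front-end now parses according to the commit message. Adding `message: { success: false, description: 'Rate limit reached, please try again in 30 seconds.' }` to its `config` keeps the error shape uniform across all four limiters. Note also that the first `config` block in this hunk belongs to an object whose `routes` (the login and register endpoints named in the commit message) start above the hunk, so the effect of dropping `statusCode: 200` there cannot be fully checked from this excerpt.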