Updated config.sample.js

Updated sample API rate limits.
This will pretty much be the same ones used live in safe.fiery.me.

This rate limits ALL API calls to 10 requests per second,
but apply stricter limits to login & register endpoints, which are
2 requests per 5 seconds.
Also apply stricter limit to album ZIP download endpoint to
4 requests in 30 seconds.

Also removed forcing 200 HTTP status code from the error responses,
cause front-end will now handle any HTTP status codes properly.
It was previously set to 200 cause frontend couldn't handler
errors properly.

On a side note, rate limiting all API calls is important due to the fact
that any token-based endpoints can be used for brute-forcing tokens.
Some server firewalls can also be used to ban possible brute force
attacks through actively monitoring the HTTP server's access logs,
so you may also want to consider that kind of solution for your site
instead.
This commit is contained in:
Bobby Wibowo 2019-10-12 13:55:38 +07:00
parent 37266fb05b
commit fbd8037c35
No known key found for this signature in database
GPG Key ID: 51C3A1E1E22D26CF

View File

@ -111,6 +111,20 @@ module.exports = {
https://github.com/nfriedly/express-rate-limit#configuration-options https://github.com/nfriedly/express-rate-limit#configuration-options
*/ */
rateLimits: [ rateLimits: [
{
// 10 requests in 1 second
routes: [
'/api/'
],
config: {
windowMs: 1000,
max: 10,
message: {
success: false,
description: 'Rate limit reached, please try again in a while.'
}
}
},
{ {
// 2 requests in 5 seconds // 2 requests in 5 seconds
routes: [ routes: [
@ -120,21 +134,34 @@ module.exports = {
config: { config: {
windowMs: 5 * 1000, windowMs: 5 * 1000,
max: 2, max: 2,
statusCode: 200,
message: { message: {
success: false, success: false,
description: 'Rate limit reached, please try again in a while.' description: 'Rate limit reached, please try again in 5 seconds.'
} }
} }
}, },
{ {
// 2 requests in 30 seconds // 4 requests in 30 seconds
routes: [ routes: [
'/api/album/zip' '/api/album/zip'
], ],
config: { config: {
windowMs: 30 * 1000, windowMs: 30 * 1000,
max: 2 max: 4
}
},
{
// 1 request in 60 seconds
routes: [
'/api/tokens/change'
],
config: {
windowMs: 60 * 1000,
max: 1,
message: {
success: false,
description: 'Rate limit reached, please try again in 60 seconds.'
}
} }
} }
], ],