Updated config.sample.js

Updated sample API rate limits. This will pretty much be the same ones used live in safe.fiery.me. This rate limits ALL API calls to 10 requests per second, but apply stricter limits to login & register endpoints, which are 2 requests per 5 seconds. Also apply stricter limit to album ZIP download endpoint to 4 requests in 30 seconds. Also removed forcing 200 HTTP status code from the error responses, cause front-end will now handle any HTTP status codes properly. It was previously set to 200 cause frontend couldn't handler errors properly. On a side note, rate limiting all API calls is important due to the fact that any token-based endpoints can be used for brute-forcing tokens. Some server firewalls can also be used to ban possible brute force attacks through actively monitoring the HTTP server's access logs, so you may also want to consider that kind of solution for your site instead.
2024-12-14 00:16:21 +00:00 · 2019-10-12 13:55:38 +07:00 · 2019-10-12 13:55:38 +07:00 · fbd8037c35
commit fbd8037c35
parent 37266fb05b
1 changed files with 31 additions and 4 deletions
--- a/config.sample.js
+++ b/config.sample.js
@ -111,6 +111,20 @@ module.exports = {
    https://github.com/nfriedly/express-rate-limit#configuration-options
  */
  rateLimits: [
+    {
+      // 10 requests in 1 second
+      routes: [
+        '/api/'
+      ],
+      config: {
+        windowMs: 1000,
+        max: 10,
+        message: {
+          success: false,
+          description: 'Rate limit reached, please try again in a while.'
+        }
+      }
+    },
    {
      // 2 requests in 5 seconds
      routes: [
@ -120,21 +134,34 @@ module.exports = {
      config: {
        windowMs: 5 * 1000,
        max: 2,
-        statusCode: 200,
        message: {
          success: false,
-          description: 'Rate limit reached, please try again in a while.'
+          description: 'Rate limit reached, please try again in 5 seconds.'
        }
      }
    },
    {
-      // 2 requests in 30 seconds
+      // 4 requests in 30 seconds
      routes: [
        '/api/album/zip'
      ],
      config: {
        windowMs: 30 * 1000,
-        max: 2
+        max: 4
+      }
+    },
+    {
+      // 1 request in 60 seconds
+      routes: [
+        '/api/tokens/change'
+      ],
+      config: {
+        windowMs: 60 * 1000,
+        max: 1,
+        message: {
+          success: false,
+          description: 'Rate limit reached, please try again in 60 seconds.'
+        }
      }
    }
  ],