Added rate limiting to all methods

2020-06-06 14:23:13 +02:00
parent 93d566e263
commit ea8d036c72
16 changed files with 252 additions and 0 deletions
--- a/app/imports/api/users/Invites.js
+++ b/app/imports/api/users/Invites.js
@@ -1,5 +1,6 @@
 import SimpleSchema from 'simpl-schema';
 import { ValidatedMethod } from 'meteor/mdg:validated-method';
+import { RateLimiterMixin } from 'ddp-rate-limiter-mixin';
 import { getUserTier } from '/imports/api/users/patreon/tiers.js';

 let Invites= new Mongo.Collection('invites');
@@ -92,6 +93,11 @@ const getInviteToken = new ValidatedMethod({
      regEx: SimpleSchema.RegEx.Id,
    },
  }).validator(),
+  mixins: [RateLimiterMixin],
+  rateLimit: {
+    numRequests: 5,
+    timeInterval: 5000,
+  },
  run({inviteId}) {
    let invite = Invites.findOne(inviteId);
    if (this.userId !== invite.inviter) {
@@ -115,6 +121,11 @@ const acceptInviteToken = new ValidatedMethod({
      type: String,
    },
  }).validator(),
+  mixins: [RateLimiterMixin],
+  rateLimit: {
+    numRequests: 5,
+    timeInterval: 5000,
+  },
  run({inviteToken}) {
    if (!this.userId) {
      throw new Meteor.Error('Invites.methods.acceptToken.denied',
@@ -153,6 +164,11 @@ const revokeInvite = new ValidatedMethod({
      regEx: SimpleSchema.RegEx.Id,
    },
  }).validator(),
+  mixins: [RateLimiterMixin],
+  rateLimit: {
+    numRequests: 5,
+    timeInterval: 5000,
+  },
  run({inviteId}) {
    if (!this.userId) {
      throw new Meteor.Error('Invites.methods.revokeInvite.denied',
--- a/app/imports/api/users/Users.js
+++ b/app/imports/api/users/Users.js
@@ -1,5 +1,6 @@
 import SimpleSchema from 'simpl-schema';
 import { ValidatedMethod } from 'meteor/mdg:validated-method';
+import { RateLimiterMixin } from 'ddp-rate-limiter-mixin';

 const userSchema = new SimpleSchema({
 	username: {
@@ -89,6 +90,11 @@ Meteor.users.attachSchema(userSchema);
 Meteor.users.generateApiKey = new ValidatedMethod({
  name: 'users.generateApiKey',
 	validate: null,
+  mixins: [RateLimiterMixin],
+  rateLimit: {
+    numRequests: 5,
+    timeInterval: 5000,
+  },
  run(){
 		if(Meteor.isClient) return;
 		var user = Meteor.users.findOne(this.userId);
@@ -104,6 +110,11 @@ Meteor.users.setDarkMode = new ValidatedMethod({
 	validate: new SimpleSchema({
    darkMode: { type: Boolean },
  }).validator(),
+  mixins: [RateLimiterMixin],
+  rateLimit: {
+    numRequests: 5,
+    timeInterval: 5000,
+  },
  run({darkMode}){
 		if (!this.userId) return;
 		Meteor.users.update(this.userId, {$set: {darkMode}});
@@ -121,6 +132,11 @@ Meteor.users.sendVerificationEmail = new ValidatedMethod({
 			type: String,
 		},
 	}).validator(),
+  mixins: [RateLimiterMixin],
+  rateLimit: {
+    numRequests: 5,
+    timeInterval: 5000,
+  },
 	run({userId, address}){
 		userId = this.userId || userId;
 		let user = Meteor.users.findOne(userId);
@@ -145,6 +161,11 @@ Meteor.users.isAdmin = function(userId){
 Meteor.users.canPickUsername = new ValidatedMethod({
 	name: 'users.canPickUsername',
 	validate: userSchema.pick('username').validator(),
+  mixins: [RateLimiterMixin],
+  rateLimit: {
+    numRequests: 5,
+    timeInterval: 5000,
+  },
 	run({username}){
 		if (Meteor.isClient) return;
 		let user = Accounts.findUserByUsername(username);
@@ -159,6 +180,11 @@ Meteor.users.canPickUsername = new ValidatedMethod({
 Meteor.users.setUsername = new ValidatedMethod({
  name: 'users.setUsername',
 	validate: userSchema.pick('username').validator(),
+  mixins: [RateLimiterMixin],
+  rateLimit: {
+    numRequests: 5,
+    timeInterval: 5000,
+  },
 	run({username}){
 		if (!this.userId) throw 'Can only set your username if logged in';
    if (Meteor.isClient) return;
@@ -177,6 +203,11 @@ Meteor.users.subscribeToLibrary = new ValidatedMethod({
      type: Boolean,
    },
 	}).validator(),
+  mixins: [RateLimiterMixin],
+  rateLimit: {
+    numRequests: 5,
+    timeInterval: 5000,
+  },
 	run({libraryId, subscribe}){
 		if (!this.userId) throw 'Can only subscribe if logged in';
    if (subscribe){
@@ -198,6 +229,11 @@ Meteor.users.findUserByUsernameOrEmail = new ValidatedMethod({
 			type: String,
 		},
 	}).validator(),
+  mixins: [RateLimiterMixin],
+  rateLimit: {
+    numRequests: 5,
+    timeInterval: 5000,
+  },
 	run({usernameOrEmail}){
 		if (Meteor.isClient) return;
 		let user = Accounts.findUserByUsername(usernameOrEmail) ||