jschaufuss/DiceCloud
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

Added rate limiting to all methods

Browse Source
This commit is contained in:
Stefan Zermatten
2020-06-06 14:23:13 +02:00
parent 93d566e263
commit ea8d036c72
16 changed files with 252 additions and 0 deletions
Download Patch File Download Diff File Expand all files Collapse all files

46
app/imports/api/creature/CreatureProperties.js
View File

@@ -1,5 +1,6 @@
import { Meteor } from 'meteor/meteor'; import { Meteor } from 'meteor/meteor';
import { Mongo } from 'meteor/mongo'; import { Mongo } from 'meteor/mongo';
import { RateLimiterMixin } from 'ddp-rate-limiter-mixin';
import { ValidatedMethod } from 'meteor/mdg:validated-method'; import { ValidatedMethod } from 'meteor/mdg:validated-method';
import SimpleSchema from 'simpl-schema'; import SimpleSchema from 'simpl-schema';
import ColorSchema from '/imports/api/properties/subSchemas/ColorSchema.js'; import ColorSchema from '/imports/api/properties/subSchemas/ColorSchema.js';
@@ -78,6 +79,11 @@ function recomputeCreatures(property){
const insertProperty = new ValidatedMethod({ const insertProperty = new ValidatedMethod({
name: 'creatureProperties.insert', name: 'creatureProperties.insert',
validate: null, validate: null,
mixins: [RateLimiterMixin],
rateLimit: {
numRequests: 5,
timeInterval: 5000,
},
run({creatureProperty}) { run({creatureProperty}) {
delete creatureProperty._id; delete creatureProperty._id;
assertPropertyEditPermission(creatureProperty, this.userId); assertPropertyEditPermission(creatureProperty, this.userId);
@@ -95,6 +101,11 @@ const duplicateProperty = new ValidatedMethod({
regEx: SimpleSchema.RegEx.Id, regEx: SimpleSchema.RegEx.Id,
} }
}).validator(), }).validator(),
mixins: [RateLimiterMixin],
rateLimit: {
numRequests: 5,
timeInterval: 5000,
},
run({_id}) { run({_id}) {
let creatureProperty = CreatureProperties.findOne(_id); let creatureProperty = CreatureProperties.findOne(_id);
assertPropertyEditPermission(creatureProperty, this.userId); assertPropertyEditPermission(creatureProperty, this.userId);
@@ -115,6 +126,11 @@ const insertPropertyFromLibraryNode = new ValidatedMethod({
type: RefSchema, type: RefSchema,
}, },
}).validator(), }).validator(),
mixins: [RateLimiterMixin],
rateLimit: {
numRequests: 5,
timeInterval: 5000,
},
run({nodeId, parentRef}) { run({nodeId, parentRef}) {
// get the new ancestry for the properties // get the new ancestry for the properties
let {parentDoc, ancestors} = getAncestry({parentRef}); let {parentDoc, ancestors} = getAncestry({parentRef});
@@ -192,6 +208,11 @@ const updateProperty = new ValidatedMethod({
'This property can\'t be updated directly'); 'This property can\'t be updated directly');
} }
}, },
mixins: [RateLimiterMixin],
rateLimit: {
numRequests: 5,
timeInterval: 5000,
},
run({_id, path, value}) { run({_id, path, value}) {
let property = CreatureProperties.findOne(_id); let property = CreatureProperties.findOne(_id);
assertPropertyEditPermission(property, this.userId); assertPropertyEditPermission(property, this.userId);
@@ -220,6 +241,11 @@ const damageProperty = new ValidatedMethod({
}, },
value: Number, value: Number,
}).validator(), }).validator(),
mixins: [RateLimiterMixin],
rateLimit: {
numRequests: 5,
timeInterval: 5000,
},
run({_id, operation, value}) { run({_id, operation, value}) {
let currentProperty = CreatureProperties.findOne(_id); let currentProperty = CreatureProperties.findOne(_id);
// Check permissions // Check permissions
@@ -274,6 +300,11 @@ const adjustQuantity = new ValidatedMethod({
}, },
value: Number, value: Number,
}).validator(), }).validator(),
mixins: [RateLimiterMixin],
rateLimit: {
numRequests: 5,
timeInterval: 5000,
},
run({_id, operation, value}) { run({_id, operation, value}) {
let currentProperty = CreatureProperties.findOne(_id); let currentProperty = CreatureProperties.findOne(_id);
// Check permissions // Check permissions
@@ -309,6 +340,11 @@ const adjustQuantity = new ValidatedMethod({
const pushToProperty = new ValidatedMethod({ const pushToProperty = new ValidatedMethod({
name: 'creatureProperties.push', name: 'creatureProperties.push',
validate: null, validate: null,
mixins: [RateLimiterMixin],
rateLimit: {
numRequests: 5,
timeInterval: 5000,
},
run({_id, path, value}){ run({_id, path, value}){
let property = CreatureProperties.findOne(_id); let property = CreatureProperties.findOne(_id);
assertPropertyEditPermission(property, this.userId); assertPropertyEditPermission(property, this.userId);
@@ -324,6 +360,11 @@ const pushToProperty = new ValidatedMethod({
const pullFromProperty = new ValidatedMethod({ const pullFromProperty = new ValidatedMethod({
name: 'creatureProperties.pull', name: 'creatureProperties.pull',
validate: null, validate: null,
mixins: [RateLimiterMixin],
rateLimit: {
numRequests: 5,
timeInterval: 5000,
},
run({_id, path, itemId}){ run({_id, path, itemId}){
let property = CreatureProperties.findOne(_id); let property = CreatureProperties.findOne(_id);
assertPropertyEditPermission(property, this.userId); assertPropertyEditPermission(property, this.userId);
@@ -342,6 +383,11 @@ const softRemoveProperty = new ValidatedMethod({
validate: new SimpleSchema({ validate: new SimpleSchema({
_id: SimpleSchema.RegEx.Id _id: SimpleSchema.RegEx.Id
}).validator(), }).validator(),
mixins: [RateLimiterMixin],
rateLimit: {
numRequests: 5,
timeInterval: 5000,
},
run({_id}){ run({_id}){
let property = CreatureProperties.findOne(_id); let property = CreatureProperties.findOne(_id);
assertPropertyEditPermission(property, this.userId); assertPropertyEditPermission(property, this.userId);

12
app/imports/api/creature/Creatures.js
View File

@@ -1,4 +1,5 @@
import { ValidatedMethod } from 'meteor/mdg:validated-method'; import { ValidatedMethod } from 'meteor/mdg:validated-method';
import { RateLimiterMixin } from 'ddp-rate-limiter-mixin';
import SimpleSchema from 'simpl-schema'; import SimpleSchema from 'simpl-schema';
import deathSaveSchema from '/imports/api/properties/subSchemas/DeathSavesSchema.js' import deathSaveSchema from '/imports/api/properties/subSchemas/DeathSavesSchema.js'
import ColorSchema from '/imports/api/properties/subSchemas/ColorSchema.js'; import ColorSchema from '/imports/api/properties/subSchemas/ColorSchema.js';
@@ -124,6 +125,12 @@ const insertCreature = new ValidatedMethod({
validate: null, validate: null,
mixins: [RateLimiterMixin],
rateLimit: {
numRequests: 5,
timeInterval: 5000,
},
run() { run() {
if (!this.userId) { if (!this.userId) {
throw new Meteor.Error('Creatures.methods.insert.denied', throw new Meteor.Error('Creatures.methods.insert.denied',
@@ -164,6 +171,11 @@ const updateCreature = new ValidatedMethod({
'This field can\'t be updated using this method'); 'This field can\'t be updated using this method');
} }
}, },
mixins: [RateLimiterMixin],
rateLimit: {
numRequests: 5,
timeInterval: 5000,
},
run({_id, path, value}) { run({_id, path, value}) {
let creature = Creatures.findOne(_id); let creature = Creatures.findOne(_id);
assertEditPermission(creature, this.userId); assertEditPermission(creature, this.userId);

7
app/imports/api/creature/computation/recomputeCreature.js
View File

@@ -1,4 +1,5 @@
import { ValidatedMethod } from 'meteor/mdg:validated-method'; import { ValidatedMethod } from 'meteor/mdg:validated-method';
import { RateLimiterMixin } from 'ddp-rate-limiter-mixin';
import SimpleSchema from 'simpl-schema'; import SimpleSchema from 'simpl-schema';
import { assertEditPermission } from '/imports/api/creature/creaturePermissions.js'; import { assertEditPermission } from '/imports/api/creature/creaturePermissions.js';
import ComputationMemo from '/imports/api/creature/computation/ComputationMemo.js'; import ComputationMemo from '/imports/api/creature/computation/ComputationMemo.js';
@@ -17,6 +18,12 @@ export const recomputeCreature = new ValidatedMethod({
charId: { type: String } charId: { type: String }
}).validator(), }).validator(),
mixins: [RateLimiterMixin],
rateLimit: {
numRequests: 5,
timeInterval: 5000,
},
run({charId}) { run({charId}) {
let creature = Creatures.findOne(charId); let creature = Creatures.findOne(charId);
// Permission // Permission

7
app/imports/api/creature/damageMultiplierDenormalise/recomputeDamageMultipliers.js
View File

@@ -1,4 +1,5 @@
import { ValidatedMethod } from 'meteor/mdg:validated-method'; import { ValidatedMethod } from 'meteor/mdg:validated-method';
import { RateLimiterMixin } from 'ddp-rate-limiter-mixin';
import SimpleSchema from 'simpl-schema'; import SimpleSchema from 'simpl-schema';
import { assertEditPermission } from '/imports/api/creature/creaturePermissions.js'; import { assertEditPermission } from '/imports/api/creature/creaturePermissions.js';
import Creatures from '/imports/api/creature/Creatures.js'; import Creatures from '/imports/api/creature/Creatures.js';
@@ -12,6 +13,12 @@ export const recomputeDamageMultipliers = new ValidatedMethod({
creatureId: { type: String } creatureId: { type: String }
}).validator(), }).validator(),
mixins: [RateLimiterMixin],
rateLimit: {
numRequests: 5,
timeInterval: 5000,
},
run({creatureId}) { run({creatureId}) {
// Permission // Permission
assertEditPermission(creatureId, this.userId); assertEditPermission(creatureId, this.userId);

16
app/imports/api/creature/experience/Experiences.js
View File

@@ -1,5 +1,6 @@
import SimpleSchema from 'simpl-schema'; import SimpleSchema from 'simpl-schema';
import { ValidatedMethod } from 'meteor/mdg:validated-method'; import { ValidatedMethod } from 'meteor/mdg:validated-method';
import { RateLimiterMixin } from 'ddp-rate-limiter-mixin';
import { getUserTier } from '/imports/api/users/patreon/tiers.js'; import { getUserTier } from '/imports/api/users/patreon/tiers.js';
import { assertEditPermission } from '/imports/api/creature/creaturePermissions.js'; import { assertEditPermission } from '/imports/api/creature/creaturePermissions.js';
import Creatures from '/imports/api/creature/Creatures.js'; import Creatures from '/imports/api/creature/Creatures.js';
@@ -78,6 +79,11 @@ const insertExperience = new ValidatedMethod({
regEx: SimpleSchema.RegEx.Id, regEx: SimpleSchema.RegEx.Id,
}, },
}).validator(), }).validator(),
mixins: [RateLimiterMixin],
rateLimit: {
numRequests: 5,
timeInterval: 5000,
},
run({experience, creatureIds}) { run({experience, creatureIds}) {
let userId = this.userId; let userId = this.userId;
if (!userId) { if (!userId) {
@@ -106,6 +112,11 @@ const removeExperience = new ValidatedMethod({
regEx: SimpleSchema.RegEx.Id, regEx: SimpleSchema.RegEx.Id,
}, },
}).validator(), }).validator(),
mixins: [RateLimiterMixin],
rateLimit: {
numRequests: 5,
timeInterval: 5000,
},
run({experienceId}) { run({experienceId}) {
let userId = this.userId; let userId = this.userId;
if (!userId) { if (!userId) {
@@ -146,6 +157,11 @@ const recomputeExperiences = new ValidatedMethod({
regEx: SimpleSchema.RegEx.Id, regEx: SimpleSchema.RegEx.Id,
}, },
}).validator(), }).validator(),
mixins: [RateLimiterMixin],
rateLimit: {
numRequests: 5,
timeInterval: 5000,
},
run({creatureId}) { run({creatureId}) {
let userId = this.userId; let userId = this.userId;
if (!userId) { if (!userId) {

6
app/imports/api/creature/removeCreature.js
View File

@@ -1,5 +1,6 @@
import SimpleSchema from 'simpl-schema'; import SimpleSchema from 'simpl-schema';
import { ValidatedMethod } from 'meteor/mdg:validated-method'; import { ValidatedMethod } from 'meteor/mdg:validated-method';
import { RateLimiterMixin } from 'ddp-rate-limiter-mixin';
import Creatures from '/imports/api/creature/Creatures.js'; import Creatures from '/imports/api/creature/Creatures.js';
import CreatureProperties from '/imports/api/creature/CreatureProperties.js' import CreatureProperties from '/imports/api/creature/CreatureProperties.js'
import { assertOwnership } from '/imports/api/creature/creaturePermissions.js'; import { assertOwnership } from '/imports/api/creature/creaturePermissions.js';
@@ -18,6 +19,11 @@ const removeCreature = new ValidatedMethod({
regEx: SimpleSchema.RegEx.Id, regEx: SimpleSchema.RegEx.Id,
}, },
}).validator(), }).validator(),
mixins: [RateLimiterMixin],
rateLimit: {
numRequests: 5,
timeInterval: 5000,
},
run({charId}) { run({charId}) {
assertOwnership(charId, this.userId) assertOwnership(charId, this.userId)
Creatures.remove(charId); Creatures.remove(charId);

6
app/imports/api/creature/restCreature.js
View File

@@ -1,5 +1,6 @@
import SimpleSchema from 'simpl-schema'; import SimpleSchema from 'simpl-schema';
import { ValidatedMethod } from 'meteor/mdg:validated-method'; import { ValidatedMethod } from 'meteor/mdg:validated-method';
import { RateLimiterMixin } from 'ddp-rate-limiter-mixin';
import Creatures from '/imports/api/creature/Creatures.js'; import Creatures from '/imports/api/creature/Creatures.js';
import CreatureProperties from '/imports/api/creature/CreatureProperties.js'; import CreatureProperties from '/imports/api/creature/CreatureProperties.js';
import getActiveProperties, { getActivePropertyFilter } from '/imports/api/creature/getActiveProperties.js'; import getActiveProperties, { getActivePropertyFilter } from '/imports/api/creature/getActiveProperties.js';
@@ -18,6 +19,11 @@ const restCreature = new ValidatedMethod({
allowedValues: ['shortRest', 'longRest'], allowedValues: ['shortRest', 'longRest'],
}, },
}).validator(), }).validator(),
mixins: [RateLimiterMixin],
rateLimit: {
numRequests: 5,
timeInterval: 5000,
},
run({creatureId, restType}) { run({creatureId, restType}) {
let creature = Creatures.findOne(creatureId, { let creature = Creatures.findOne(creatureId, {
fields: { fields: {

6
app/imports/api/icons/Icons.js
View File

@@ -1,5 +1,6 @@
import SimpleSchema from 'simpl-schema'; import SimpleSchema from 'simpl-schema';
import { ValidatedMethod } from 'meteor/mdg:validated-method'; import { ValidatedMethod } from 'meteor/mdg:validated-method';
import { RateLimiterMixin } from 'ddp-rate-limiter-mixin';
import { assertAdmin } from '/imports/api/sharing/sharingPermissions.js'; import { assertAdmin } from '/imports/api/sharing/sharingPermissions.js';
let Icons = new Mongo.Collection('icons'); let Icons = new Mongo.Collection('icons');
@@ -68,6 +69,11 @@ const findIcons = new ValidatedMethod({
optional: true, optional: true,
}, },
}).validator(), }).validator(),
mixins: [RateLimiterMixin],
rateLimit: {
numRequests: 5,
timeInterval: 5000,
},
run({search}){ run({search}){
if (!search) return []; if (!search) return [];
if (!Meteor.isServer) return; if (!Meteor.isServer) return;

16
app/imports/api/library/Libraries.js
View File

@@ -1,4 +1,5 @@
import { ValidatedMethod } from 'meteor/mdg:validated-method'; import { ValidatedMethod } from 'meteor/mdg:validated-method';
import { RateLimiterMixin } from 'ddp-rate-limiter-mixin';
import SimpleSchema from 'simpl-schema'; import SimpleSchema from 'simpl-schema';
import SharingSchema from '/imports/api/sharing/SharingSchema.js'; import SharingSchema from '/imports/api/sharing/SharingSchema.js';
import simpleSchemaMixin from '/imports/api/creature/mixins/simpleSchemaMixin.js'; import simpleSchemaMixin from '/imports/api/creature/mixins/simpleSchemaMixin.js';
@@ -65,6 +66,11 @@ const updateLibraryName = new ValidatedMethod({
type: String, type: String,
}, },
}).validator(), }).validator(),
mixins: [RateLimiterMixin],
rateLimit: {
numRequests: 5,
timeInterval: 5000,
},
run({_id, name}){ run({_id, name}){
let library = Libraries.findOne(_id); let library = Libraries.findOne(_id);
assertEditPermission(library, this.userId); assertEditPermission(library, this.userId);
@@ -83,6 +89,11 @@ const setLibraryDefault = new ValidatedMethod({
type: Boolean, type: Boolean,
}, },
}).validator(), }).validator(),
mixins: [RateLimiterMixin],
rateLimit: {
numRequests: 5,
timeInterval: 5000,
},
run({_id, isDefault}) { run({_id, isDefault}) {
if (!Meteor.users.isAdmin()){ if (!Meteor.users.isAdmin()){
throw new Meteor.Error('Permission denied', 'User must be admin to set libraries as default'); throw new Meteor.Error('Permission denied', 'User must be admin to set libraries as default');
@@ -99,6 +110,11 @@ const removeLibrary = new ValidatedMethod({
regEx: SimpleSchema.RegEx.id regEx: SimpleSchema.RegEx.id
}, },
}).validator(), }).validator(),
mixins: [RateLimiterMixin],
rateLimit: {
numRequests: 5,
timeInterval: 5000,
},
run({_id}){ run({_id}){
let library = Libraries.findOne(_id); let library = Libraries.findOne(_id);
assertOwnership(library, this.userId); assertOwnership(library, this.userId);

31
app/imports/api/library/LibraryNodes.js
View File

@@ -1,6 +1,7 @@
import { Meteor } from 'meteor/meteor'; import { Meteor } from 'meteor/meteor';
import { Mongo } from 'meteor/mongo'; import { Mongo } from 'meteor/mongo';
import { ValidatedMethod } from 'meteor/mdg:validated-method'; import { ValidatedMethod } from 'meteor/mdg:validated-method';
import { RateLimiterMixin } from 'ddp-rate-limiter-mixin';
import SimpleSchema from 'simpl-schema'; import SimpleSchema from 'simpl-schema';
import ColorSchema from '/imports/api/properties/subSchemas/ColorSchema.js'; import ColorSchema from '/imports/api/properties/subSchemas/ColorSchema.js';
import ChildSchema from '/imports/api/parenting/ChildSchema.js'; import ChildSchema from '/imports/api/parenting/ChildSchema.js';
@@ -58,6 +59,11 @@ function assertNodeEditPermission(node, userId){
const insertNode = new ValidatedMethod({ const insertNode = new ValidatedMethod({
name: 'libraryNodes.insert', name: 'libraryNodes.insert',
validate: null, validate: null,
mixins: [RateLimiterMixin],
rateLimit: {
numRequests: 5,
timeInterval: 5000,
},
run(libraryNode) { run(libraryNode) {
delete libraryNode._id; delete libraryNode._id;
assertNodeEditPermission(libraryNode, this.userId); assertNodeEditPermission(libraryNode, this.userId);
@@ -73,6 +79,11 @@ const duplicateNode = new ValidatedMethod({
regEx: SimpleSchema.RegEx.Id, regEx: SimpleSchema.RegEx.Id,
} }
}).validator(), }).validator(),
mixins: [RateLimiterMixin],
rateLimit: {
numRequests: 5,
timeInterval: 5000,
},
run({_id}) { run({_id}) {
let libraryNode = LibraryNodes.findOne(_id); let libraryNode = LibraryNodes.findOne(_id);
assertNodeEditPermission(libraryNode, this.userId); assertNodeEditPermission(libraryNode, this.userId);
@@ -94,6 +105,11 @@ const updateLibraryNode = new ValidatedMethod({
return false; return false;
} }
}, },
mixins: [RateLimiterMixin],
rateLimit: {
numRequests: 5,
timeInterval: 5000,
},
run({_id, path, value}) { run({_id, path, value}) {
let node = LibraryNodes.findOne(_id); let node = LibraryNodes.findOne(_id);
assertNodeEditPermission(node, this.userId); assertNodeEditPermission(node, this.userId);
@@ -114,6 +130,11 @@ const updateLibraryNode = new ValidatedMethod({
const pushToLibraryNode = new ValidatedMethod({ const pushToLibraryNode = new ValidatedMethod({
name: 'libraryNodes.push', name: 'libraryNodes.push',
validate: null, validate: null,
mixins: [RateLimiterMixin],
rateLimit: {
numRequests: 5,
timeInterval: 5000,
},
run({_id, path, value}){ run({_id, path, value}){
let node = LibraryNodes.findOne(_id); let node = LibraryNodes.findOne(_id);
assertNodeEditPermission(node, this.userId); assertNodeEditPermission(node, this.userId);
@@ -128,6 +149,11 @@ const pushToLibraryNode = new ValidatedMethod({
const pullFromLibraryNode = new ValidatedMethod({ const pullFromLibraryNode = new ValidatedMethod({
name: 'libraryNodes.pull', name: 'libraryNodes.pull',
validate: null, validate: null,
mixins: [RateLimiterMixin],
rateLimit: {
numRequests: 5,
timeInterval: 5000,
},
run({_id, path, itemId}){ run({_id, path, itemId}){
let node = LibraryNodes.findOne(_id); let node = LibraryNodes.findOne(_id);
assertNodeEditPermission(node, this.userId); assertNodeEditPermission(node, this.userId);
@@ -145,6 +171,11 @@ const softRemoveLibraryNode = new ValidatedMethod({
validate: new SimpleSchema({ validate: new SimpleSchema({
_id: SimpleSchema.RegEx.Id _id: SimpleSchema.RegEx.Id
}).validator(), }).validator(),
mixins: [RateLimiterMixin],
rateLimit: {
numRequests: 5,
timeInterval: 5000,
},
run({_id}){ run({_id}){
let node = LibraryNodes.findOne(_id); let node = LibraryNodes.findOne(_id);
assertNodeEditPermission(node, this.userId); assertNodeEditPermission(node, this.userId);

11
app/imports/api/parenting/organizeMethods.js
View File

@@ -1,6 +1,7 @@
import SimpleSchema from 'simpl-schema'; import SimpleSchema from 'simpl-schema';
import { union } from 'lodash'; import { union } from 'lodash';
import { ValidatedMethod } from 'meteor/mdg:validated-method'; import { ValidatedMethod } from 'meteor/mdg:validated-method';
import { RateLimiterMixin } from 'ddp-rate-limiter-mixin';
import { updateParent } from '/imports/api/parenting/parenting.js'; import { updateParent } from '/imports/api/parenting/parenting.js';
import { reorderDocs, safeUpdateDocOrder } from '/imports/api/parenting/order.js'; import { reorderDocs, safeUpdateDocOrder } from '/imports/api/parenting/order.js';
import { RefSchema } from '/imports/api/parenting/ChildSchema.js'; import { RefSchema } from '/imports/api/parenting/ChildSchema.js';
@@ -19,6 +20,11 @@ const organizeDoc = new ValidatedMethod({
// Should end in 0.5 to place it reliably between two existing documents // Should end in 0.5 to place it reliably between two existing documents
}, },
}).validator(), }).validator(),
mixins: [RateLimiterMixin],
rateLimit: {
numRequests: 5,
timeInterval: 5000,
},
run({docRef, parentRef, order}) { run({docRef, parentRef, order}) {
let doc = fetchDocByRef(docRef); let doc = fetchDocByRef(docRef);
let collection = getCollectionByName(docRef.collection); let collection = getCollectionByName(docRef.collection);
@@ -62,6 +68,11 @@ const reorderDoc = new ValidatedMethod({
// Should end in 0.5 to place it reliably between two existing documents // Should end in 0.5 to place it reliably between two existing documents
}, },
}).validator(), }).validator(),
mixins: [RateLimiterMixin],
rateLimit: {
numRequests: 5,
timeInterval: 5000,
},
run({docRef, order}) { run({docRef, order}) {
let doc = fetchDocByRef(docRef); let doc = fetchDocByRef(docRef);
assertDocEditPermission(doc, this.userId); assertDocEditPermission(doc, this.userId);

11
app/imports/api/sharing/sharing.js
View File

@@ -4,6 +4,7 @@ import fetchDocByRef from '/imports/api/parenting/fetchDocByRef.js';
import getCollectionByName from '/imports/api/parenting/getCollectionByName.js'; import getCollectionByName from '/imports/api/parenting/getCollectionByName.js';
import { RefSchema } from '/imports/api/parenting/ChildSchema.js'; import { RefSchema } from '/imports/api/parenting/ChildSchema.js';
import { ValidatedMethod } from 'meteor/mdg:validated-method'; import { ValidatedMethod } from 'meteor/mdg:validated-method';
import { RateLimiterMixin } from 'ddp-rate-limiter-mixin';
const setPublic = new ValidatedMethod({ const setPublic = new ValidatedMethod({
name: 'sharing.setPublic', name: 'sharing.setPublic',
@@ -11,6 +12,11 @@ const setPublic = new ValidatedMethod({
docRef: RefSchema, docRef: RefSchema,
isPublic: { type: Boolean }, isPublic: { type: Boolean },
}).validator(), }).validator(),
mixins: [RateLimiterMixin],
rateLimit: {
numRequests: 5,
timeInterval: 5000,
},
run({docRef, isPublic}){ run({docRef, isPublic}){
let doc = fetchDocByRef(docRef); let doc = fetchDocByRef(docRef);
assertOwnership(doc, this.userId); assertOwnership(doc, this.userId);
@@ -33,6 +39,11 @@ const updateUserSharePermissions = new ValidatedMethod({
allowedValues: ['reader', 'writer', 'none'], allowedValues: ['reader', 'writer', 'none'],
}, },
}).validator(), }).validator(),
mixins: [RateLimiterMixin],
rateLimit: {
numRequests: 5,
timeInterval: 5000,
},
run({docRef, userId, role}){ run({docRef, userId, role}){
let doc = fetchDocByRef(docRef); let doc = fetchDocByRef(docRef);
if (role === 'none'){ if (role === 'none'){

16
app/imports/api/users/Invites.js
View File

@@ -1,5 +1,6 @@
import SimpleSchema from 'simpl-schema'; import SimpleSchema from 'simpl-schema';
import { ValidatedMethod } from 'meteor/mdg:validated-method'; import { ValidatedMethod } from 'meteor/mdg:validated-method';
import { RateLimiterMixin } from 'ddp-rate-limiter-mixin';
import { getUserTier } from '/imports/api/users/patreon/tiers.js'; import { getUserTier } from '/imports/api/users/patreon/tiers.js';
let Invites= new Mongo.Collection('invites'); let Invites= new Mongo.Collection('invites');
@@ -92,6 +93,11 @@ const getInviteToken = new ValidatedMethod({
regEx: SimpleSchema.RegEx.Id, regEx: SimpleSchema.RegEx.Id,
}, },
}).validator(), }).validator(),
mixins: [RateLimiterMixin],
rateLimit: {
numRequests: 5,
timeInterval: 5000,
},
run({inviteId}) { run({inviteId}) {
let invite = Invites.findOne(inviteId); let invite = Invites.findOne(inviteId);
if (this.userId !== invite.inviter) { if (this.userId !== invite.inviter) {
@@ -115,6 +121,11 @@ const acceptInviteToken = new ValidatedMethod({
type: String, type: String,
}, },
}).validator(), }).validator(),
mixins: [RateLimiterMixin],
rateLimit: {
numRequests: 5,
timeInterval: 5000,
},
run({inviteToken}) { run({inviteToken}) {
if (!this.userId) { if (!this.userId) {
throw new Meteor.Error('Invites.methods.acceptToken.denied', throw new Meteor.Error('Invites.methods.acceptToken.denied',
@@ -153,6 +164,11 @@ const revokeInvite = new ValidatedMethod({
regEx: SimpleSchema.RegEx.Id, regEx: SimpleSchema.RegEx.Id,
}, },
}).validator(), }).validator(),
mixins: [RateLimiterMixin],
rateLimit: {
numRequests: 5,
timeInterval: 5000,
},
run({inviteId}) { run({inviteId}) {
if (!this.userId) { if (!this.userId) {
throw new Meteor.Error('Invites.methods.revokeInvite.denied', throw new Meteor.Error('Invites.methods.revokeInvite.denied',

36
app/imports/api/users/Users.js
View File

@@ -1,5 +1,6 @@
import SimpleSchema from 'simpl-schema'; import SimpleSchema from 'simpl-schema';
import { ValidatedMethod } from 'meteor/mdg:validated-method'; import { ValidatedMethod } from 'meteor/mdg:validated-method';
import { RateLimiterMixin } from 'ddp-rate-limiter-mixin';
const userSchema = new SimpleSchema({ const userSchema = new SimpleSchema({
username: { username: {
@@ -89,6 +90,11 @@ Meteor.users.attachSchema(userSchema);
Meteor.users.generateApiKey = new ValidatedMethod({ Meteor.users.generateApiKey = new ValidatedMethod({
name: 'users.generateApiKey', name: 'users.generateApiKey',
validate: null, validate: null,
mixins: [RateLimiterMixin],
rateLimit: {
numRequests: 5,
timeInterval: 5000,
},
run(){ run(){
if(Meteor.isClient) return; if(Meteor.isClient) return;
var user = Meteor.users.findOne(this.userId); var user = Meteor.users.findOne(this.userId);
@@ -104,6 +110,11 @@ Meteor.users.setDarkMode = new ValidatedMethod({
validate: new SimpleSchema({ validate: new SimpleSchema({
darkMode: { type: Boolean }, darkMode: { type: Boolean },
}).validator(), }).validator(),
mixins: [RateLimiterMixin],
rateLimit: {
numRequests: 5,
timeInterval: 5000,
},
run({darkMode}){ run({darkMode}){
if (!this.userId) return; if (!this.userId) return;
Meteor.users.update(this.userId, {$set: {darkMode}}); Meteor.users.update(this.userId, {$set: {darkMode}});
@@ -121,6 +132,11 @@ Meteor.users.sendVerificationEmail = new ValidatedMethod({
type: String, type: String,
}, },
}).validator(), }).validator(),
mixins: [RateLimiterMixin],
rateLimit: {
numRequests: 5,
timeInterval: 5000,
},
run({userId, address}){ run({userId, address}){
userId = this.userId || userId; userId = this.userId || userId;
let user = Meteor.users.findOne(userId); let user = Meteor.users.findOne(userId);
@@ -145,6 +161,11 @@ Meteor.users.isAdmin = function(userId){
Meteor.users.canPickUsername = new ValidatedMethod({ Meteor.users.canPickUsername = new ValidatedMethod({
name: 'users.canPickUsername', name: 'users.canPickUsername',
validate: userSchema.pick('username').validator(), validate: userSchema.pick('username').validator(),
mixins: [RateLimiterMixin],
rateLimit: {
numRequests: 5,
timeInterval: 5000,
},
run({username}){ run({username}){
if (Meteor.isClient) return; if (Meteor.isClient) return;
let user = Accounts.findUserByUsername(username); let user = Accounts.findUserByUsername(username);
@@ -159,6 +180,11 @@ Meteor.users.canPickUsername = new ValidatedMethod({
Meteor.users.setUsername = new ValidatedMethod({ Meteor.users.setUsername = new ValidatedMethod({
name: 'users.setUsername', name: 'users.setUsername',
validate: userSchema.pick('username').validator(), validate: userSchema.pick('username').validator(),
mixins: [RateLimiterMixin],
rateLimit: {
numRequests: 5,
timeInterval: 5000,
},
run({username}){ run({username}){
if (!this.userId) throw 'Can only set your username if logged in'; if (!this.userId) throw 'Can only set your username if logged in';
if (Meteor.isClient) return; if (Meteor.isClient) return;
@@ -177,6 +203,11 @@ Meteor.users.subscribeToLibrary = new ValidatedMethod({
type: Boolean, type: Boolean,
}, },
}).validator(), }).validator(),
mixins: [RateLimiterMixin],
rateLimit: {
numRequests: 5,
timeInterval: 5000,
},
run({libraryId, subscribe}){ run({libraryId, subscribe}){
if (!this.userId) throw 'Can only subscribe if logged in'; if (!this.userId) throw 'Can only subscribe if logged in';
if (subscribe){ if (subscribe){
@@ -198,6 +229,11 @@ Meteor.users.findUserByUsernameOrEmail = new ValidatedMethod({
type: String, type: String,
}, },
}).validator(), }).validator(),
mixins: [RateLimiterMixin],
rateLimit: {
numRequests: 5,
timeInterval: 5000,
},
run({usernameOrEmail}){ run({usernameOrEmail}){
if (Meteor.isClient) return; if (Meteor.isClient) return;
let user = Accounts.findUserByUsername(usernameOrEmail) || let user = Accounts.findUserByUsername(usernameOrEmail) ||

24
app/package-lock.json generated
View File

@@ -142,6 +142,22 @@
"integrity": "sha512-+Ryf6g3BKoRc7jfp7ad8tM4TtMiaWvbF/1/sQcZPkkS7ag3D5nMBCe2UfOTONtAkaG0tO0ij3C5Lwmf1EiyjHg==", "integrity": "sha512-+Ryf6g3BKoRc7jfp7ad8tM4TtMiaWvbF/1/sQcZPkkS7ag3D5nMBCe2UfOTONtAkaG0tO0ij3C5Lwmf1EiyjHg==",
"dev": true "dev": true
}, },
"babel-runtime": {
"version": "6.26.0",
"resolved": "https://registry.npmjs.org/babel-runtime/-/babel-runtime-6.26.0.tgz",
"integrity": "sha1-llxwWGaOgrVde/4E/yM3vItWR/4=",
"requires": {
"core-js": "^2.4.0",
"regenerator-runtime": "^0.11.0"
},
"dependencies": {
"regenerator-runtime": {
"version": "0.11.1",
"resolved": "https://registry.npmjs.org/regenerator-runtime/-/regenerator-runtime-0.11.1.tgz",
"integrity": "sha512-MguG95oij0fC3QV3URf4V2SDYGJhJnJGqvIIgdECeODCT98wSWDAJ94SSuVpYQUoTcGUIL6L4yNB7j1DFFHSBg=="
}
}
},
"balanced-match": { "balanced-match": {
"version": "1.0.0", "version": "1.0.0",
"resolved": "https://registry.npmjs.org/balanced-match/-/balanced-match-1.0.0.tgz", "resolved": "https://registry.npmjs.org/balanced-match/-/balanced-match-1.0.0.tgz",
@@ -375,6 +391,14 @@
"resolved": "https://registry.npmjs.org/date-fns/-/date-fns-1.30.1.tgz", "resolved": "https://registry.npmjs.org/date-fns/-/date-fns-1.30.1.tgz",
"integrity": "sha512-hBSVCvSmWC+QypYObzwGOd9wqdDpOt+0wl0KbU+R+uuZBS1jN8VsD1ss3irQDknRj5NvxiTF6oj/nDRnN/UQNw==" "integrity": "sha512-hBSVCvSmWC+QypYObzwGOd9wqdDpOt+0wl0KbU+R+uuZBS1jN8VsD1ss3irQDknRj5NvxiTF6oj/nDRnN/UQNw=="
}, },
"ddp-rate-limiter-mixin": {
"version": "1.1.10",
"resolved": "https://registry.npmjs.org/ddp-rate-limiter-mixin/-/ddp-rate-limiter-mixin-1.1.10.tgz",
"integrity": "sha1-WIx5zw8RUrUKtbGHBkLKAcZy5uY=",
"requires": {
"babel-runtime": "6.x.x"
}
},
"debug": { "debug": {
"version": "3.2.6", "version": "3.2.6",
"resolved": "https://registry.npmjs.org/debug/-/debug-3.2.6.tgz", "resolved": "https://registry.npmjs.org/debug/-/debug-3.2.6.tgz",

1
app/package.json
View File

@@ -24,6 +24,7 @@
"core-js": "^2.6.11", "core-js": "^2.6.11",
"css-box-shadow": "^1.0.0-3", "css-box-shadow": "^1.0.0-3",
"date-fns": "^1.30.1", "date-fns": "^1.30.1",
"ddp-rate-limiter-mixin": "^1.1.10",
"dompurify": "^2.0.10", "dompurify": "^2.0.10",
"lodash": "^4.17.15", "lodash": "^4.17.15",
"marked": "^0.8.2", "marked": "^0.8.2",