feat(core): Rate-limit login endpoint to mitigate brute force password guessing attacks (#9028)

2024-04-03 12:08:54 +02:00
parent 4668db20fb
commit a6446fe057
6 changed files with 65 additions and 14 deletions
--- a/packages/cli/test/unit/decorators/registerController.test.ts
+++ b/packages/cli/test/unit/decorators/registerController.test.ts
@@ -0,0 +1,40 @@
+jest.mock('@/constants', () => ({
+	inE2ETests: false,
+	inTest: false,
+}));
+
+import express from 'express';
+import { agent as testAgent } from 'supertest';
+
+import { Get, RestController, registerController } from '@/decorators';
+import { AuthService } from '@/auth/auth.service';
+import { mockInstance } from '../../shared/mocking';
+
+describe('registerController', () => {
+	@RestController('/test')
+	class TestController {
+		@Get('/unlimited', { skipAuth: true })
+		@Get('/rate-limited', { skipAuth: true, rateLimit: true })
+		endpoint() {
+			return { ok: true };
+		}
+	}
+
+	mockInstance(AuthService);
+	const app = express();
+	registerController(app, TestController);
+	const agent = testAgent(app);
+
+	it('should not rate-limit by default', async () => {
+		for (let i = 0; i < 6; i++) {
+			await agent.get('/rest/test/unlimited').expect(200);
+		}
+	});
+
+	it('should rate-limit when configured', async () => {
+		for (let i = 0; i < 5; i++) {
+			await agent.get('/rest/test/rate-limited').expect(200);
+		}
+		await agent.get('/rest/test/rate-limited').expect(429);
+	});
+});