Allow to control RATES_LIMIT from configuration (#1787)

author Yohan Boniface <yb@enix.org>

Fri, 26 Apr 2019 11:48:55 +0000 (13:48 +0200)

committer Chocobozzz <me@florianbigard.com>

Fri, 26 Apr 2019 11:48:55 +0000 (13:48 +0200)
author Yohan Boniface <yb@enix.org>
Fri, 26 Apr 2019 11:48:55 +0000 (13:48 +0200)
committer Chocobozzz <me@florianbigard.com>
Fri, 26 Apr 2019 11:48:55 +0000 (13:48 +0200)
diff --git a/config/default.yaml b/config/default.yaml

index 70b10299d5632e40da4a4e9bf356952f6f1d83bb..f8be23d6947eadb0f5973c673695e11c0257900a 100644 (file)
--- a/config/default.yaml
+++ b/config/default.yaml
@@ -9,6 +9,16 @@ webserver:
    hostname: 'localhost'
    port: 9000
  
+rates_limit:
+  login:
+    # 15 attempts in 5 min
+    window: 5 minutes
+    max: 15
+  ask_send_email:
+    # 3 attempts in 5 min
+    window: 5 minutes
+    max: 3
+
  # Proxies to trust to get real client IP
  # If you run PeerTube just behind a local proxy (nginx), keep 'loopback'
  # If you run PeerTube behind a remote proxy, add the proxy IP address (or subnet)
diff --git a/config/production.yaml.example b/config/production.yaml.example

index 06baaf7d49250687226c2cff9dad2dfc1a2b9c8d..f1f0f12d12b503fbeb57236114ea6fd1aef8cd63 100644 (file)
--- a/config/production.yaml.example
+++ b/config/production.yaml.example
@@ -8,6 +8,16 @@ webserver:
    hostname: 'example.com'
    port: 443
  
+rates_limit:
+  login:
+    # 15 attempts in 5 min
+    window: 5 minutes
+    max: 15
+  ask_send_email:
+    # 3 attempts in 5 min
+    window: 5 minutes
+    max: 3
+
  # Proxies to trust to get real client IP
  # If you run PeerTube just behind a local proxy (nginx), keep 'loopback'
  # If you run PeerTube behind a remote proxy, add the proxy IP address (or subnet)
diff --git a/server/initializers/checker-before-init.ts b/server/initializers/checker-before-init.ts

index 223ef8078e448b08810c062fb4a0eaa6c9cc92be..622ad7d6b12b249aa2c0bff3374c22a9d7abbbc0 100644 (file)
--- a/server/initializers/checker-before-init.ts
+++ b/server/initializers/checker-before-init.ts
@@ -27,7 +27,8 @@ function checkMissedConfig () {
      'services.twitter.username', 'services.twitter.whitelisted',
      'followers.instance.enabled', 'followers.instance.manual_approval',
      'tracker.enabled', 'tracker.private', 'tracker.reject_too_many_announces',
-    'history.videos.max_age', 'views.videos.remote.max_age'
+    'history.videos.max_age', 'views.videos.remote.max_age',
+    'rates_limit.login.window', 'rates_limit.login.max', 'rates_limit.ask_send_email.window', 'rates_limit.ask_send_email.max'
    ]
    const requiredAlternatives = [
      [ // set
diff --git a/server/initializers/config.ts b/server/initializers/config.ts

index baf5023054a0f49ed63d77c59dc66a52ea8b22b4..4f77e144d0ef19a17133e4535e1b97a64dcdebd6 100644 (file)
--- a/server/initializers/config.ts
+++ b/server/initializers/config.ts
@@ -63,6 +63,16 @@ const CONFIG = {
      HOSTNAME: config.get<string>('webserver.hostname'),
      PORT: config.get<number>('webserver.port')
    },
+  RATES_LIMIT: {
+    LOGIN: {
+      WINDOW_MS: parseDurationToMs(config.get<string>('rates_limit.login.window')),
+      MAX: config.get<number>('rates_limit.login.max')
+    },
+    ASK_SEND_EMAIL: {
+      WINDOW_MS: parseDurationToMs(config.get<string>('rates_limit.ask_send_email.window')),
+      MAX: config.get<number>('rates_limit.ask_send_email.max')
+    }
+  },
    TRUST_PROXY: config.get<string[]>('trust_proxy'),
    LOG: {
      LEVEL: config.get<string>('log.level')
diff --git a/server/initializers/constants.ts b/server/initializers/constants.ts

index 2be364cc8ec333e4e051fbbdb379f88fd58b33f9..193bae5b50b59ccabe9cf3cd6240dfcfc6a0b0d2 100644 (file)
--- a/server/initializers/constants.ts
+++ b/server/initializers/constants.ts
@@ -281,12 +281,12 @@ let CONSTRAINTS_FIELDS = {
  
  const RATES_LIMIT = {
    LOGIN: {
-    WINDOW_MS: 5 * 60 * 1000, // 5 minutes
-    MAX: 15 // 15 attempts
+    WINDOW_MS: CONFIG.RATES_LIMIT.LOGIN.WINDOW_MS,
+    MAX: CONFIG.RATES_LIMIT.LOGIN.MAX
    },
    ASK_SEND_EMAIL: {
-    WINDOW_MS: 5 * 60 * 1000, // 5 minutes
-    MAX: 3 // 3 attempts
+    WINDOW_MS: CONFIG.RATES_LIMIT.ASK_SEND_EMAIL.WINDOW_MS,
+    MAX: CONFIG.RATES_LIMIT.ASK_SEND_EMAIL.MAX
    }
  }
  
diff --git a/support/docker/production/config/production.yaml b/support/docker/production/config/production.yaml

index d585cd73eade2cd8206f53260a5035c8a9df3d34..ae6bf3982b7cb2518614a9f23e76d03ea8885e82 100644 (file)
--- a/support/docker/production/config/production.yaml
+++ b/support/docker/production/config/production.yaml
@@ -8,6 +8,16 @@ webserver:
    hostname: undefined
    port: 443
  
+rates_limit:
+  login:
+    # 15 attempts in 5 min
+    window: 5 minutes
+    max: 15
+  ask_send_email:
+    # 3 attempts in 5 min
+    window: 5 minutes
+    max: 3
+
  # Proxies to trust to get real client IP
  # If you run PeerTube just behind a local proxy (nginx), keep 'loopback'
  # If you run PeerTube behind a remote proxy, add the proxy IP address (or subnet)
author	Yohan Boniface <yb@enix.org>
	Fri, 26 Apr 2019 11:48:55 +0000 (13:48 +0200)
committer	Chocobozzz <me@florianbigard.com>
	Fri, 26 Apr 2019 11:48:55 +0000 (13:48 +0200)
config/default.yaml		patch \| blob \| history
config/production.yaml.example		patch \| blob \| history
server/initializers/checker-before-init.ts		patch \| blob \| history
server/initializers/config.ts		patch \| blob \| history
server/initializers/constants.ts		patch \| blob \| history
support/docker/production/config/production.yaml		patch \| blob \| history