New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Create and apply admin rate limit middleware #14546
Conversation
For some reason I am unable to set the status code in the new error class and I'm not quite sure how this works, would appreciate a bit of help here before this is merged as the status code should be 429 not 400 |
What do you see if you log the ctx & error's status in there? https://github.com/strapi/strapi/blob/deits/poc/packages/core/strapi/lib/middlewares/errors.js#L19-L24 |
Good work! You should come develop with us :p |
a74ed0c
to
92a912e
Compare
Codecov ReportBase: 60.49% // Head: 60.49% // Decreases project coverage by
Additional details and impacted files@@ Coverage Diff @@
## main #14546 +/- ##
==========================================
- Coverage 60.49% 60.49% -0.01%
==========================================
Files 1352 1352
Lines 33174 33179 +5
Branches 6337 6339 +2
==========================================
Hits 20070 20070
- Misses 11271 11274 +3
- Partials 1833 1835 +2
Flags with carried forward coverage won't be shown. Click here to find out more.
Help us with your feedback. Take ten seconds to tell us how you rate us. Have a feature suggestion? Share it here. ☔ View full report at Codecov. |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Small things
Hey @derrickmehaffy,
|
Good catch @MattieBelt! Organizations behind a proxy or vpn could have issues loggin in. |
It shouldn't as we can just adjust the message sent in the thrown error. Downside is this would be more complex to implement in storage. Realistically a user should be using the redis connection option here but we can't do that by default. |
I added in the user's email (with a fallback, it would be rare an email wouldn't exist but didn't want to take the risk). That should allow multiple people to fail from the same IP. I also decreased the default down to 5 requests per 5 minutes. |
Following up on what @MattieBelt said, if it's doable it'd be cool to have an header with the number of requests left and another with the number of seconds remaining before the rate limit resets. Shopify does it and I like it quite a lot. |
Yeah this is fairly common with rate limiting. I wanted to just get this one out ASAP and we can add more cool features later. |
@derrickmehaffy I've added a small version bump in #14730 to avoid missing peer dependency warnings. It would be good if you could update the dependency here too 🙏🏼 |
329362d
to
5c2549c
Compare
I updated the PR to only rate limit on the login. After discussing with Alex, we came to the conclusion that it is not necessary to rate limit on routes that use a token, we believe token are strong enough (same as jwt). Wdyt? When we agree I'll ask Alex review |
Makes sense to me |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
LGTM :)
Co-authored-by: Pierre Noël <petersg83@users.noreply.github.com>
Co-authored-by: Ben Irvin <ben@innerdvations.com>
I want to do a bit more testing with the changes yet so I'll re-request later today probably. Thank you both |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
LGTM!
What this PR does:
RateLimitError
class to properly throw an error that is readable by the login page./config/admin.js
fileHow to test
Preview