Support disabled rate limiter by setting max to 0, add logs when rate limit is changed from default

2025-07-19 10:24:41 +02:00 · 2025-07-12 10:51:07 -05:00 · 2025-07-12 10:51:07 -05:00 · 030e43f382
commit 030e43f382
parent f081a7fdc1
1 changed files with 20 additions and 4 deletions
--- a/server/utils/rateLimiterFactory.js
+++ b/server/utils/rateLimiterFactory.js
@ -6,6 +6,9 @@ const requestIp = require('../libs/requestIp')
 * Factory for creating authentication rate limiters
 */
 class RateLimiterFactory {
+  static DEFAULT_WINDOW_MS = 10 * 60 * 1000 // 10 minutes
+  static DEFAULT_MAX = 40 // 40 attempts
+
  constructor() {
    this.authRateLimiter = null
  }
@ -19,14 +22,27 @@ class RateLimiterFactory {
      return this.authRateLimiter
    }

-    let windowMs = 10 * 60 * 1000 // 10 minutes default
-    if (parseInt(process.env.RATE_LIMIT_AUTH_WINDOW) > 0) {
-      windowMs = parseInt(process.env.RATE_LIMIT_AUTH_WINDOW)
+    // Disable by setting max to 0
+    if (process.env.RATE_LIMIT_AUTH_MAX === '0') {
+      this.authRateLimiter = (req, res, next) => next()
+      Logger.info(`[RateLimiterFactory] Authentication rate limiting disabled by ENV variable`)
+      return this.authRateLimiter
    }

-    let max = 40 // 40 attempts default
+    let windowMs = RateLimiterFactory.DEFAULT_WINDOW_MS
+    if (parseInt(process.env.RATE_LIMIT_AUTH_WINDOW) > 0) {
+      windowMs = parseInt(process.env.RATE_LIMIT_AUTH_WINDOW)
+      if (windowMs !== RateLimiterFactory.DEFAULT_WINDOW_MS) {
+        Logger.info(`[RateLimiterFactory] Authentication rate limiting window set to ${windowMs}ms by ENV variable`)
+      }
+    }
+
+    let max = RateLimiterFactory.DEFAULT_MAX
    if (parseInt(process.env.RATE_LIMIT_AUTH_MAX) > 0) {
      max = parseInt(process.env.RATE_LIMIT_AUTH_MAX)
+      if (max !== RateLimiterFactory.DEFAULT_MAX) {
+        Logger.info(`[RateLimiterFactory] Authentication rate limiting max set to ${max} by ENV variable`)
+      }
    }

    let message = 'Too many authentication requests'