From e89ee4042acd1d26547348edd2de7f425aa1c4cb Mon Sep 17 00:00:00 2001 From: Milo Schwartz Date: Thu, 3 Oct 2024 21:01:19 -0400 Subject: [PATCH] add rate limit and app name to env --- server/environment.ts | 12 ++++++++++++ server/middlewares/rateLimit.ts | 5 +++-- server/middlewares/verifySession.ts | 2 +- server/routers/auth/requestTotpSecret.ts | 3 ++- 4 files changed, 18 insertions(+), 4 deletions(-) diff --git a/server/environment.ts b/server/environment.ts index c5808645..6a764332 100644 --- a/server/environment.ts +++ b/server/environment.ts @@ -21,6 +21,15 @@ const environmentSchema = z.object({ .string() .transform((val) => parseInt(val, 10)) .pipe(z.number()), + RATE_LIMIT_WINDOW_MIN: z + .string() + .transform((val) => parseInt(val, 10)) + .pipe(z.number()), + RATE_LIMIT_MAX: z + .string() + .transform((val) => parseInt(val, 10)) + .pipe(z.number()), + APP_NAME: z.string(), EMAIL_SMTP_HOST: z.string().optional(), EMAIL_SMTP_PORT: z .string() @@ -45,6 +54,9 @@ const environment = { path.join("config"), EXTERNAL_PORT: (process.env.EXTERNAL_PORT as string) || "3000", INTERNAL_PORT: (process.env.INTERNAL_PORT as string) || "3001", + RATE_LIMIT_WINDOW_MIN: (process.env.RATE_LIMIT_WINDOW_MIN as string) || "1", + RATE_LIMIT_MAX: (process.env.RATE_LIMIT_MAX as string) || "100", + APP_NAME: (process.env.APP_NAME as string) || "Pangolin", EMAIL_SMTP_HOST: process.env.EMAIL_SMTP_HOST as string, EMAIL_SMTP_PORT: process.env.EMAIL_SMTP_PORT as string, EMAIL_SMTP_USER: process.env.EMAIL_SMTP_USER as string, diff --git a/server/middlewares/rateLimit.ts b/server/middlewares/rateLimit.ts index 69e3a8cf..cdad8177 100644 --- a/server/middlewares/rateLimit.ts +++ b/server/middlewares/rateLimit.ts 
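Review bot: The new `RATE_LIMIT_WINDOW_MIN` and `RATE_LIMIT_MAX` schema entries only check that `parseInt` produced a number, so `0`, a negative value, or a string like `0.5` (parsed to `0`) all pass validation and reach the limiter. Depending on the express-rate-limit version in use, a limit of 0 either disables the limiter or rejects every request, and a zero or negative window makes the limit meaningless, so a typo in the environment silently weakens a control that sits in front of the auth routes. Tighten both pipes to `.pipe(z.number().int().positive())` so a bad value fails at startup instead. Note that `parseInt` also accepts trailing junk (`"100abc"` becomes `100`); `z.coerce.number()` on the raw string would reject that, though the file's other numeric entries use the same parseInt pattern.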
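Review bot: The three new defaults in the `environment` object are undocumented, and two of them are security tunables whose meaning is no longer visible now that the literals in rateLimit.ts are gone. A short comment above them would help operators: `// Rate-limit defaults mirror the former hard-coded values (100 requests per 1-minute window); APP_NAME is also the issuer label shown in authenticator apps for TOTP enrolment.` The `|| "1"` / `|| "100"` fallbacks also mean an explicitly empty variable silently takes the default rather than failing validation, which is presumably intended and worth stating in the same comment.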
@@ -3,9 +3,10 @@ import createHttpError from "http-errors";
 import { NextFunction, Request, Response } from "express";
 import logger from "@server/logger";
 import HttpCode from "@server/types/HttpCode";
+import environment from "@server/environment";
-const limit = 100;
-const minutes = 1;
+const limit = environment.RATE_LIMIT_MAX;
+const minutes = environment.RATE_LIMIT_WINDOW_MIN;
 export const rateLimitMiddleware = rateLimit({
 windowMs: minutes * 60 * 1000,
diff --git a/server/middlewares/verifySession.ts b/server/middlewares/verifySession.ts
index 998fbdbc..fe9e70e4 100644
--- a/server/middlewares/verifySession.ts
+++ b/server/middlewares/verifySession.ts
@@ -1,4 +1,4 @@
-import { NextFunction, Response, Request } from "express";
+import { NextFunction, Response } from "express";
 import ErrorResponse from "@server/types/ErrorResponse";
 import { unauthorized, verifySession } from "@server/auth";
 import { db } from "@server/db";
diff --git a/server/routers/auth/requestTotpSecret.ts b/server/routers/auth/requestTotpSecret.ts
index b0a5714e..7e83113a 100644
--- a/server/routers/auth/requestTotpSecret.ts
+++ b/server/routers/auth/requestTotpSecret.ts
@@ -11,6 +11,7 @@ import { User, users } from "@server/db/schema";
 import { eq } from "drizzle-orm";
 import { verify } from "@node-rs/argon2";
 import { createTOTPKeyURI } from "oslo/otp";
+import env from "@server/environment";
 export const requestTotpSecretBody = z.object({
 password: z.string(),
@@ -64,7 +65,7 @@ export async function requestTotpSecret(
 const hex = crypto.getRandomValues(new Uint8Array(20));
 const secret = encodeHex(hex);
- const uri = createTOTPKeyURI("pangolin", user.email, hex);
+ const uri = createTOTPKeyURI(env.APP_NAME, user.email, hex);
 await db
 .update(users)
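Review bot: `limit` and `minutes` are now read from `environment` once at module load and fed straight into `windowMs`, but nothing here documents which variables drive the limiter or what a zero value does to it, and the schema in environment.ts, as visible in this patch, only checks that they are numbers. Add a header comment above `rateLimitMiddleware`: `// Configured via RATE_LIMIT_MAX (requests) and RATE_LIMIT_WINDOW_MIN (minutes) in environment.ts; both are read once at startup, so changes require a restart.` Since `logger` is already imported in this file, logging the effective `limit` and `minutes` at startup would also let operators confirm the control is active with the values they expect. The `rateLimit({ ... })` options object continues past the end of the hunk.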