Update both Admin and U&P ratelimit to lower path

2025-10-17 02:53:22 +00:00 · 2023-07-17 14:55:45 -07:00 · 2023-07-17 14:55:45 -07:00 · ed364d951a
commit ed364d951a
parent 5b675ccfa6
2 changed files with 38 additions and 20 deletions
--- a/packages/core/admin/server/middlewares/rateLimit.js
+++ b/packages/core/admin/server/middlewares/rateLimit.js
@ -24,11 +24,12 @@ module.exports =
      const rateLimit = require('koa2-ratelimit').RateLimit;

      const userEmail = toLower(ctx.request.body.email) || 'unknownEmail';
+      const requestPath = toLower(ctx.request.path) || 'unknownPath';

      const loadConfig = {
        interval: { min: 5 },
        max: 5,
-        prefixKey: `${userEmail}:${ctx.request.path}:${ctx.request.ip}`,
+        prefixKey: `${userEmail}:${requestPath}:${ctx.request.ip}`,
        handler() {
          throw new RateLimitError();
        },
--- a/packages/plugins/users-permissions/server/middlewares/rateLimit.js
+++ b/packages/plugins/users-permissions/server/middlewares/rateLimit.js
@ -1,27 +1,44 @@
 'use strict';

+const utils = require('@strapi/utils');
+const { has, toLower } = require('lodash/fp');
+
+const { RateLimitError } = utils.errors;
+
 module.exports =
  (config, { strapi }) =>
  async (ctx, next) => {
-    const ratelimit = require('koa2-ratelimit').RateLimit;
+    let rateLimitConfig = strapi.config.get('plugin.users-permissions.ratelimit');

-    const message = [
-      {
-        messages: [
-          {
-            id: 'Auth.form.error.ratelimit',
-            message: 'Too many attempts, please try again in a minute.',
-          },
-        ],
-      },
-    ];
+    if (!rateLimitConfig) {
+      rateLimitConfig = {
+        enabled: true,
+      };
+    }

-    return ratelimit.middleware({
-      interval: 1 * 60 * 1000,
-      max: 5,
-      prefixKey: `${ctx.request.path}:${ctx.request.ip}`,
-      message,
-      ...strapi.config.get('plugin.users-permissions.ratelimit'),
-      ...config,
-    })(ctx, next);
+    if (!has('enabled', rateLimitConfig)) {
+      rateLimitConfig.enabled = true;
+    }
+
+    if (rateLimitConfig.enabled === true) {
+      const rateLimit = require('koa2-ratelimit').RateLimit;
+
+      const userIdentifier = toLower(ctx.request.body.email) || 'unknownIdentifier';
+      const requestPath = toLower(ctx.request.path) || 'unknownPath';
+
+      const loadConfig = {
+        interval: { min: 5 },
+        max: 5,
+        prefixKey: `${userIdentifier}:${requestPath}:${ctx.request.ip}`,
+        handler() {
+          throw new RateLimitError();
+        },
+        ...rateLimitConfig,
+        ...config,
+      };
+
+      return rateLimit.middleware(loadConfig)(ctx, next);
+    }
+
+    return next();
  };