Add login endpoint rate limiting
This does not distinguish between failed and successful logins: every POST to the login endpoint counts toward the limit, which is set to 6 per hour.
This commit is contained in:
parent
611f0c5706
commit
5c943f35e3
|
@ -6,7 +6,7 @@ import flask
|
|||
from flask_assets import Bundle # noqa F401
|
||||
|
||||
from nyaa.api_handler import api_blueprint
|
||||
from nyaa.extensions import assets, cache, db, fix_paginate, toolbar
|
||||
from nyaa.extensions import assets, cache, db, fix_paginate, limiter, toolbar
|
||||
from nyaa.template_utils import bp as template_utils_bp
|
||||
from nyaa.template_utils import caching_url_for
|
||||
from nyaa.utils import random_string
|
||||
|
@ -128,4 +128,7 @@ def create_app(config):
|
|||
# Cache
|
||||
cache.init_app(app, config=app.config)
|
||||
|
||||
# Rate Limiting
|
||||
limiter.init_app(app)
|
||||
|
||||
return app
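Review bot: The new `limiter.init_app(app)` configures no storage backend, so Flask-Limiter falls back to its in-process memory store; under a multi-worker WSGI deployment each worker then keeps its own counter, making the effective login limit 6 per hour per worker rather than 6 per hour, and every restart resets it. The preceding line already initialises `cache` from `app.config`, so the same pattern fits here: set `RATELIMIT_STORAGE_URL` (a redis or memcached URL) in the config, or pass `storage_uri` where the limiter is constructed in extensions.py. At minimum a comment above the call, `# NOTE: without RATELIMIT_STORAGE_URL the limit is per-process and resets on restart`, makes the caveat visible to whoever deploys this. How the app is served is not visible in this hunk, so the multi-worker concern is inferred.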
|
||||
|
|
|
@ -5,12 +5,15 @@ from flask.config import Config
|
|||
from flask_assets import Environment
|
||||
from flask_caching import Cache
|
||||
from flask_debugtoolbar import DebugToolbarExtension
|
||||
from flask_limiter import Limiter
|
||||
from flask_limiter.util import get_remote_address
|
||||
from flask_sqlalchemy import BaseQuery, Pagination, SQLAlchemy
|
||||
|
||||
assets = Environment()
|
||||
db = SQLAlchemy()
|
||||
toolbar = DebugToolbarExtension()
|
||||
cache = Cache()
|
||||
limiter = Limiter(key_func=get_remote_address)
|
||||
|
||||
|
||||
class LimitedPagination(Pagination):
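Review bot: `get_remote_address` keys the limit on `request.remote_addr`, which behind a reverse proxy or load balancer is the proxy's own address, so every visitor would share one 6-per-hour login bucket and a single client could lock everyone else out, while an attacker rotating source addresses is not slowed at all. Whether the app already applies `ProxyFix` or otherwise derives the client address from a forwarded header is not visible here; if it does, the limiter should use the same derivation, e.g. `limiter = Limiter(key_func=get_client_address)` with a small helper that mirrors the app's existing logic (account.py imports `ipaddress.ip_address`, which suggests such handling exists somewhere). A comment on this line stating where the rate-limit key comes from and which header, if any, is trusted would prevent the two from drifting apart. The `LimitedPagination` class that begins on the last hunk line continues outside the hunk.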
|
||||
|
|
|
@ -6,7 +6,7 @@ from ipaddress import ip_address
|
|||
import flask
|
||||
|
||||
from nyaa import email, forms, models
|
||||
from nyaa.extensions import db
|
||||
from nyaa.extensions import db, limiter
|
||||
from nyaa.utils import sha1_hash
|
||||
from nyaa.views.users import get_activation_link, get_password_reset_link, get_serializer
|
||||
|
||||
|
@ -15,6 +15,8 @@ bp = flask.Blueprint('account', __name__)
|
|||
|
||||
|
||||
@bp.route('/login', methods=['GET', 'POST'])
|
||||
@limiter.limit('6/hour', methods=['POST'],
|
||||
error_message="You've tried logging in too many times, try again in an hour.")
|
||||
def login():
|
||||
if flask.g.user:
|
||||
return flask.redirect(redirect_url())
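Review bot: The new `@limiter.limit('6/hour', methods=['POST'], ...)` counts every POST per source address, so users behind a shared NAT (campus, carrier-grade NAT) are locked out after six attempts by anyone sharing the address, while credential stuffing spread across many addresses passes untouched; the commit message acknowledges only the failed-vs-successful half of this. A second counter keyed on the submitted account name, stacked on this one (e.g. `@limiter.limit('6/hour', methods=['POST'], key_func=lambda: flask.request.form.get('username', ''))`, using whatever the login form's field is actually called), would cover the distributed case, and if the installed Flask-Limiter supports `deduct_when`, the per-address bucket could count only failed logins so legitimate users on a shared address are not penalised. Note also that the `if flask.g.user` early return runs after the limit has already been consumed, so an authenticated user who re-POSTs still burns attempts; `exempt_when=lambda: bool(flask.g.user)` would avoid that if the installed version supports it, otherwise a comment should record the trade-off. `login()` continues past the end of the hunk.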
|
||||
|
|
|
@ -52,3 +52,4 @@ webassets==0.12.1
|
|||
Werkzeug==0.15.5
|
||||
WTForms==2.2.1
|
||||
Flask-Caching==1.7.2
|
||||
Flask-Limiter==1.0.1
|
||||
|
|