Add login endpoint rate limiting

This doesn't discriminate between failed logins and successful
logins, but only counts POST requests. The limit is set to 6 per
hour.
master
Nicolas F 4 years ago committed by Nicolas F
parent 611f0c5706
commit 5c943f35e3

@ -6,7 +6,7 @@ import flask
from flask_assets import Bundle # noqa F401
from nyaa.api_handler import api_blueprint
from nyaa.extensions import assets, cache, db, fix_paginate, toolbar
from nyaa.extensions import assets, cache, db, fix_paginate, limiter, toolbar
from nyaa.template_utils import bp as template_utils_bp
from nyaa.template_utils import caching_url_for
from nyaa.utils import random_string
@ -128,4 +128,7 @@ def create_app(config):
# Cache
cache.init_app(app, config=app.config)
# Rate Limiting
limiter.init_app(app)
return app

@ -5,12 +5,15 @@ from flask.config import Config
from flask_assets import Environment
from flask_caching import Cache
from flask_debugtoolbar import DebugToolbarExtension
from flask_limiter import Limiter
from flask_limiter.util import get_remote_address
from flask_sqlalchemy import BaseQuery, Pagination, SQLAlchemy
assets = Environment()
db = SQLAlchemy()
toolbar = DebugToolbarExtension()
cache = Cache()
limiter = Limiter(key_func=get_remote_address)
class LimitedPagination(Pagination):

@ -6,7 +6,7 @@ from ipaddress import ip_address
import flask
from nyaa import email, forms, models
from nyaa.extensions import db
from nyaa.extensions import db, limiter
from nyaa.utils import sha1_hash
from nyaa.views.users import get_activation_link, get_password_reset_link, get_serializer
@ -15,6 +15,8 @@ bp = flask.Blueprint('account', __name__)
@bp.route('/login', methods=['GET', 'POST'])
@limiter.limit('6/hour', methods=['POST'],
error_message="You've tried logging in too many times, try again in an hour.")
def login():
if flask.g.user:
return flask.redirect(redirect_url())

@ -52,3 +52,4 @@ webassets==0.12.1
Werkzeug==0.15.5
WTForms==2.2.1
Flask-Caching==1.7.2
Flask-Limiter==1.0.1

Loading…
Cancel
Save