a3x/nyaa
1
0
Fork 0
mirror of https://gitlab.com/SIGBUS/nyaa.git synced 2024-12-22 07:50:01 +00:00
Code Issues Projects Releases Wiki Activity

Add login endpoint rate limiting

Browse source 
This doesn't discriminate between failed logins and successful
logins, but only counts POST requests. The limit is set to 6 per
hour.
This commit is contained in:
Nicolas F 2019-06-16 23:08:23 +02:00 committed by Nicolas F
parent 611f0c5706
commit 5c943f35e3
4 changed files with 11 additions and 2 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

5
nyaa/__init__.py
View file

@ -6,7 +6,7 @@ import flask
from flask_assets import Bundle # noqa F401 from flask_assets import Bundle # noqa F401
from nyaa.api_handler import api_blueprint from nyaa.api_handler import api_blueprint
from nyaa.extensions import assets, cache, db, fix_paginate, toolbar from nyaa.extensions import assets, cache, db, fix_paginate, limiter, toolbar
from nyaa.template_utils import bp as template_utils_bp from nyaa.template_utils import bp as template_utils_bp
from nyaa.template_utils import caching_url_for from nyaa.template_utils import caching_url_for
from nyaa.utils import random_string from nyaa.utils import random_string
@ -128,4 +128,7 @@ def create_app(config):
# Cache # Cache
cache.init_app(app, config=app.config) cache.init_app(app, config=app.config)
# Rate Limiting
limiter.init_app(app)
return app return app

3
nyaa/extensions.py
View file

@ -5,12 +5,15 @@ from flask.config import Config
from flask_assets import Environment from flask_assets import Environment
from flask_caching import Cache from flask_caching import Cache
from flask_debugtoolbar import DebugToolbarExtension from flask_debugtoolbar import DebugToolbarExtension
from flask_limiter import Limiter
from flask_limiter.util import get_remote_address
from flask_sqlalchemy import BaseQuery, Pagination, SQLAlchemy from flask_sqlalchemy import BaseQuery, Pagination, SQLAlchemy
assets = Environment() assets = Environment()
db = SQLAlchemy() db = SQLAlchemy()
toolbar = DebugToolbarExtension() toolbar = DebugToolbarExtension()
cache = Cache() cache = Cache()
limiter = Limiter(key_func=get_remote_address)
class LimitedPagination(Pagination): class LimitedPagination(Pagination):

4
nyaa/views/account.py
View file

@ -6,7 +6,7 @@ from ipaddress import ip_address
import flask import flask
from nyaa import email, forms, models from nyaa import email, forms, models
from nyaa.extensions import db from nyaa.extensions import db, limiter
from nyaa.utils import sha1_hash from nyaa.utils import sha1_hash
from nyaa.views.users import get_activation_link, get_password_reset_link, get_serializer from nyaa.views.users import get_activation_link, get_password_reset_link, get_serializer
@ -15,6 +15,8 @@ bp = flask.Blueprint('account', __name__)
@bp.route('/login', methods=['GET', 'POST']) @bp.route('/login', methods=['GET', 'POST'])
@limiter.limit('6/hour', methods=['POST'],
error_message="You've tried logging in too many times, try again in an hour.")
def login(): def login():
if flask.g.user: if flask.g.user:
return flask.redirect(redirect_url()) return flask.redirect(redirect_url())

1
requirements.txt
View file

@ -52,3 +52,4 @@ webassets==0.12.1
Werkzeug==0.15.5 Werkzeug==0.15.5
WTForms==2.2.1 WTForms==2.2.1
Flask-Caching==1.7.2 Flask-Caching==1.7.2
Flask-Limiter==1.0.1