diff --git a/server/utils/rateLimiterFactory.js b/server/utils/rateLimiterFactory.js index e639c51c9..b51996627 100644 --- a/server/utils/rateLimiterFactory.js +++ b/server/utils/rateLimiterFactory.js @@ -1,14 +1,10 @@ const { rateLimit, RateLimitRequestHandler } = require('express-rate-limit') const Logger = require('../Logger') -const requestIp = require('../libs/requestIp') /** * Factory for creating authentication rate limiters */ class RateLimiterFactory { - static DEFAULT_WINDOW_MS = 10 * 60 * 1000 // 10 minutes - static DEFAULT_MAX = 40 // 40 attempts - constructor() { this.authRateLimiter = null } @@ -22,30 +18,17 @@ class RateLimiterFactory { return this.authRateLimiter } - // Disable by setting max to 0 - if (process.env.RATE_LIMIT_AUTH_MAX === '0') { - this.authRateLimiter = (req, res, next) => next() - Logger.info(`[RateLimiterFactory] Authentication rate limiting disabled by ENV variable`) - return this.authRateLimiter - } - - let windowMs = RateLimiterFactory.DEFAULT_WINDOW_MS + let windowMs = 10 * 60 * 1000 // 10 minutes default if (parseInt(process.env.RATE_LIMIT_AUTH_WINDOW) > 0) { windowMs = parseInt(process.env.RATE_LIMIT_AUTH_WINDOW) - if (windowMs !== RateLimiterFactory.DEFAULT_WINDOW_MS) { - Logger.info(`[RateLimiterFactory] Authentication rate limiting window set to ${windowMs}ms by ENV variable`) - } } - let max = RateLimiterFactory.DEFAULT_MAX + let max = 40 // 40 attempts default if (parseInt(process.env.RATE_LIMIT_AUTH_MAX) > 0) { max = parseInt(process.env.RATE_LIMIT_AUTH_MAX) - if (max !== RateLimiterFactory.DEFAULT_MAX) { - Logger.info(`[RateLimiterFactory] Authentication rate limiting max set to ${max} by ENV variable`) - } } - let message = 'Too many authentication requests' + let message = 'Too many requests, please try again later.' if (process.env.RATE_LIMIT_AUTH_MESSAGE) { message = process.env.RATE_LIMIT_AUTH_MESSAGE } @@ -53,22 +36,18 @@ class RateLimiterFactory { this.authRateLimiter = rateLimit({ windowMs, max, + message, standardHeaders: true, legacyHeaders: false, - keyGenerator: (req) => { - // Override keyGenerator to handle proxy IPs - return requestIp.getClientIp(req) || req.ip - }, handler: (req, res) => { const userAgent = req.get('User-Agent') || 'Unknown' const endpoint = req.path const method = req.method - const ip = requestIp.getClientIp(req) || req.ip - Logger.warn(`[RateLimiter] Rate limit exceeded - IP: ${ip}, Endpoint: ${method} ${endpoint}, User-Agent: ${userAgent}`) + Logger.warn(`[RateLimiter] Rate limit exceeded - IP: ${req.ip}, Endpoint: ${method} ${endpoint}, User-Agent: ${userAgent}`) res.status(429).json({ - error: message + error: 'Too many authentication attempts, please try again later.' }) } })