From d27ff64a7471711a9d1cabcac0f86b5076b3b19b Mon Sep 17 00:00:00 2001
From: Josh Harvey
Date: Wed, 21 Dec 2016 17:58:39 +0200
Subject: [PATCH] WIP; rate limiting

---
 bin/lamassu-admin-server | 22 ++++++++++------------
 1 file changed, 10 insertions(+), 12 deletions(-)

diff --git a/bin/lamassu-admin-server b/bin/lamassu-admin-server
index 8a33dd11..70383c72 100755
--- a/bin/lamassu-admin-server
+++ b/bin/lamassu-admin-server
@@ -13,7 +13,6 @@ const argv = require('minimist')(process.argv.slice(2))
 const got = require('got')
 const morgan = require('morgan')
 const helmet = require('helmet')
-const RateLimit = require('express-rate-limit')
 const accounts = require('../lib/admin/accounts')
 const machines = require('../lib/admin/machines')
 
@@ -56,19 +55,18 @@ function dbNotify () {
 const skip = (req, res) => req.path === '/api/status/' && res.statusCode === 200
 
-const limiter = new RateLimit({
-  windowMs: T.minute,
-  max: 120,
-  delayMs: 0,
-  delayAfter: 0,
-  keyGenerator: () => 'everybody'
-})
+// Note: no rate limiting applied since that would allow an attacker to
+// easily DDoS by just hitting the aggregate rate limit. We assume the
+// attacker has unlimited unique IP addresses.
+//
+// The best we can do at the application level is to make the authentication
+// lookup very fast. There will only be a few users at most, so it's not a problem
+// to keep them in memory, but we need to update right after a new one is added.
+// For now, we believe that probability of sustained DDoS by saturating our ability to
+// fetch from the DB is pretty low.
 
-app.use(limiter)
 app.use(morgan('dev', {skip}))
-app.use(helmet({
-  noCache: true
-}))
+app.use(helmet({noCache: true}))
 app.use(cookieParser())
 app.use(register)
 app.use(authenticate)
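Review bot: The new comment block in the second hunk justifies dropping all rate limiting, but the argument only holds for the removed limiter's `keyGenerator: () => 'everybody'`, which made one shared bucket that any single client could exhaust; a limiter keyed per client (the express-rate-limit default) or scoped to the login route does not have that property and still bounds credential guessing against `authenticate`, which this change leaves unbounded. The "fast in-memory auth lookup" argument addresses availability, not brute-force resistance, so the comment should at least record that gap, e.g. `// TODO: per-client limiter on the login route; the removed limiter was global-keyed, which is why it was a DoS vector`. Since `express-rate-limit` is no longer required here, its entry in package.json presumably becomes unused and should be dropped in the same commit if nothing else imports it — not visible in this patch. The hunk's lines are module-level statements, so no enclosing function is cut.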