WIP; rate limiting

bin/lamassu-admin-server

@@ -13,7 +13,6 @@ const argv = require('minimist')(process.argv.slice(2))
 const got = require('got')
 const morgan = require('morgan')
 const helmet = require('helmet')
-const RateLimit = require('express-rate-limit')
 
 const accounts = require('../lib/admin/accounts')
 const machines = require('../lib/admin/machines')
@@ -56,19 +55,18 @@ function dbNotify () {
 
 const skip = (req, res) => req.path === '/api/status/' && res.statusCode === 200
 
-const limiter = new RateLimit({
-  windowMs: T.minute,
-  max: 120,
-  delayMs: 0,
-  delayAfter: 0,
-  keyGenerator: () => 'everybody'
-})
+// Note: no rate limiting applied since that would allow an attacker to
+// easily DDoS by just hitting the aggregate rate limit. We assume the
+// attacker has unlimited unique IP addresses.
+//
+// The best we can do at the application level is to make the authentication
+// lookup very fast. There will only be a few users at most, so it's not a problem
+// to keep them in memory, but we need to update right after a new one is added.
+// For now, we believe that probability of sustained DDoS by saturating our ability to
+// fetch from the DB is pretty low.
 
-app.use(limiter)
 app.use(morgan('dev', {skip}))
-app.use(helmet({
-  noCache: true
-}))
+app.use(helmet({noCache: true}))
 app.use(cookieParser())
 app.use(register)
 app.use(authenticate)