diff --git a/src/createApp.js b/src/createApp.js index 8a29655..22c320c 100644 --- a/src/createApp.js +++ b/src/createApp.js @@ -1,6 +1,7 @@ var express = require('express'), session = require('express-session'), cors = require('cors'), + helmet = require('helmet'), errorhandler = require('errorhandler'); const config = require('./config'), @@ -9,6 +10,7 @@ const config = require('./config'), function createApp() { const app = express(); + app.use(helmet({ contentSecurityPolicy: false })); const allowedOrigins = process.env.ALLOWED_ORIGINS ? process.env.ALLOWED_ORIGINS.split(',').map(o => o.trim()) : []; diff --git a/src/routes/api/cms/users.routes.js b/src/routes/api/cms/users.routes.js index 531cfa9..813d1b1 100644 --- a/src/routes/api/cms/users.routes.js +++ b/src/routes/api/cms/users.routes.js @@ -1,4 +1,5 @@ const express = require('express'); +const rateLimit = require('express-rate-limit'); const { authenticate, createUser, getUser, loginAsUser, updateUser, updateUserEmail, updateUserPassword, updateUserRole, updateUserUsername @@ -7,11 +8,19 @@ const auth = require('../../../middlewares/auth'); const userRouter = express.Router(); +const authLimiter = rateLimit({ + windowMs: 15 * 60 * 1000, + max: 10, + standardHeaders: true, + legacyHeaders: false, + message: { errors: { 'rate limit': 'too many attempts, please try again later' } } +}); + userRouter.get('/', auth.required, getUser); userRouter.put('/', auth.required, updateUser); -userRouter.post('/', auth.optional, createUser); +userRouter.post('/', authLimiter, auth.optional, createUser); userRouter.get('/authenticate', auth.optional, authenticate); -userRouter.post('/login', auth.optional, loginAsUser); +userRouter.post('/login', authLimiter, auth.optional, loginAsUser); //userRouter.post('/register', auth.optional, createUser); //userRouter.get('/users', auth.required, getAllUsers); userRouter.put('/update/email', auth.required, updateUserEmail);