#121 Added rate limiting and secure cookie settings

2018-03-04 19:43:37 +00:00 · 2018-03-04 19:43:37 +00:00 · 3af3d9aa96
parent fa3a24fdbf
commit 3af3d9aa96
3 changed files with 14 additions and 19 deletions
--- a/package-lock.json
+++ b/package-lock.json
@ -2122,13 +2122,10 @@
        }
      }
    },
-    "express-better-ratelimit": {
-      "version": "1.1.2",
-      "resolved": "https://registry.npmjs.org/express-better-ratelimit/-/express-better-ratelimit-1.1.2.tgz",
-      "integrity": "sha1-quiTO4NhyvPyY2cMGuz5eJby6dw=",
-      "requires": {
-        "ipchecker": "0.0.2"
-      }
+    "express-request-limit": {
+      "version": "1.0.2",
+      "resolved": "https://registry.npmjs.org/express-request-limit/-/express-request-limit-1.0.2.tgz",
+      "integrity": "sha1-gVjPr8A5VFEAjH3Hm/2zYTaDSB4="
    },
    "extend": {
      "version": "3.0.1",
@ -3684,11 +3681,6 @@
      "resolved": "https://registry.npmjs.org/ipaddr.js/-/ipaddr.js-1.5.2.tgz",
      "integrity": "sha1-1LUFvemUaYfM8PxY2QEP+WB+P6A="
    },
-    "ipchecker": {
-      "version": "0.0.2",
-      "resolved": "https://registry.npmjs.org/ipchecker/-/ipchecker-0.0.2.tgz",
-      "integrity": "sha1-lgbr97s80jQZsUmnBOF8FTLwtnk="
-    },
    "is-absolute-url": {
      "version": "2.1.0",
      "resolved": "https://registry.npmjs.org/is-absolute-url/-/is-absolute-url-2.1.0.tgz",
--- a/package.json
+++ b/package.json
@ -12,7 +12,7 @@
    "css-loader": "^0.28.7",
    "debug": "^2.6.9",
    "express": "^4.15.5",
-    "express-better-ratelimit": "^1.1.2",
+    "express-request-limit": "^1.0.2",
    "helmet": "^3.12.0",
    "jquery": "^3.2.1",
    "load-google-maps-api": "^1.0.0",
--- a/server.js
+++ b/server.js
@ -3,7 +3,7 @@
 /* IMPORTS */
 const express = require('express')
 const helmet = require('helmet')
-const ratelimiter = require('express-better-ratelimit')
+const rateLimit = require('express-request-limit')
 const bodyParser = require('body-parser')
 const cookieParser = require('cookie-parser')
 const cookieSession = require('cookie-session')
@ -59,7 +59,7 @@ let ready_promise_list = []
  app.use(cookieParser(env.cookie))
  app.use(cookieSession({
    cookie: {
-      maxAge: 60000,
+      maxAge: 1000 * 60 * 60 * 24 * 7, // 1 week
      secure: true,
      httpOnly: true,
      domain: env.url.substring(env.url.indexOf('//')+2),
@ -73,10 +73,6 @@ let ready_promise_list = []
    extended: true
  }))
  app.use(flash())
-  app.use(ratelimiter({
-    max: 20,
-    duration: 120000, // 2 minutes
-  }))
 }

 /* Auth */ {
@ -92,6 +88,13 @@ let ready_promise_list = []
  // Default locals available to all views (keep this after static files)
  app.get('*', (req, res, next) => {

+    // Rate limit
+    rateLimit({
+      timeout: 1000 * 60 * 30, // 30 minutes
+      exactPath: true,
+      cleanUpInterval: 1000 * 60 * 60 * 24 * 7, // 1 week
+    })
+
    // User account
    res.locals.user = req.user