From 092c0364067134d68ed466752ada7d02fe487a6d Mon Sep 17 00:00:00 2001
From: Shane Kilkelly
Date: Thu, 4 Aug 2016 09:50:47 +0100
Subject: [PATCH] Rate-limit calls to invite api

---
 .../Collaborators/CollaboratorsRouter.coffee | 17 +++++++++++++++++
 1 file changed, 17 insertions(+)

diff --git a/services/web/app/coffee/Features/Collaborators/CollaboratorsRouter.coffee b/services/web/app/coffee/Features/Collaborators/CollaboratorsRouter.coffee
index 0da728542e..b19011c5f9 100644
--- a/services/web/app/coffee/Features/Collaborators/CollaboratorsRouter.coffee
+++ b/services/web/app/coffee/Features/Collaborators/CollaboratorsRouter.coffee
@@ -2,6 +2,7 @@ CollaboratorsController = require('./CollaboratorsController')
 AuthenticationController = require('../Authentication/AuthenticationController')
 AuthorizationMiddlewear = require('../Authorization/AuthorizationMiddlewear')
 CollaboratorsInviteController = require('./CollaboratorsInviteController')
+RateLimiterMiddlewear = require('../Security/RateLimiterMiddlewear')
 
 module.exports =
 apply: (webRouter, apiRouter) ->
@@ -13,24 +14,40 @@ module.exports =
 # invites
 webRouter.post(
 '/project/:Project_id/invite',
+ RateLimiterMiddlewear.rateLimit({
+ endpointName: "invite-to-project"
+ params: ["Project_id"]
+ maxRequests: 200
+ timeInterval: 60 * 10
+ }),
+ AuthenticationController.requireLogin(),
 AuthorizationMiddlewear.ensureUserCanAdminProject,
 CollaboratorsInviteController.inviteToProject
 )
 
 webRouter.get(
 '/project/:Project_id/invite',
+ AuthenticationController.requireLogin(),
 AuthorizationMiddlewear.ensureUserCanAdminProject,
 CollaboratorsInviteController.getAllInvites
 )
 
 webRouter.delete(
 '/project/:Project_id/invite/:invite_id',
+ AuthenticationController.requireLogin(),
 AuthorizationMiddlewear.ensureUserCanAdminProject,
 CollaboratorsInviteController.revokeInvite
 )
 
 webRouter.post(
 '/project/:Project_id/invite/:invite_id/resend',
+ RateLimiterMiddlewear.rateLimit({
+ endpointName: "resend-invite"
+ params: ["Project_id"]
+ maxRequests: 200
+ timeInterval: 60 * 10
+ }),
+ AuthenticationController.requireLogin(),
 AuthorizationMiddlewear.ensureUserCanAdminProject,
 CollaboratorsInviteController.resendInvite
 )
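Review bot: The `rateLimit` middleware added to the `/project/:Project_id/invite` and `/project/:Project_id/invite/:invite_id/resend` routes is keyed only on `params: ["Project_id"]` and is placed before `AuthenticationController.requireLogin()`, so every request to that path, including unauthenticated ones that `requireLogin` would reject anyway, draws from the same 200-per-10-minute bucket for the project, and a burst of such rejected requests can exhaust it and lock the project's legitimate admins out of inviting. Moving `RateLimiterMiddlewear.rateLimit({...})` after `AuthenticationController.requireLogin()` in both `webRouter.post` calls keeps anonymous traffic out of the per-project budget, and if the middleware can also key on the session user, adding that to the bucket would stop one collaborator's burst from starving another (I cannot see `RateLimiterMiddlewear` here to confirm what keys it supports). The two limiter configurations are identical apart from `endpointName`, so a short comment such as `# per-project cap on invite sends; same budget for first send and resend` above each would record the intent, or the shared values could be hoisted into one object. The `apply:` function these routes belong to begins in the previous hunk and its body may continue past this one.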