Merge pull request #23810 from overleaf/msm-ldap-login-rate-limiter

[SP] LDAP login rate limiter GitOrigin-RevId: dedab17da85c0f91b280d002cdad796e95b9fd4f
2025-04-18 23:44:41 +00:00 · 2025-03-05 11:10:08 +01:00 · 2025-03-05 11:10:08 +01:00 · 42ee56ecd4
commit 42ee56ecd4
parent 2c91363745
3 changed files with 27 additions and 24 deletions
--- a/server-ce/hotfix/5.3.2/Dockerfile
+++ b/server-ce/hotfix/5.3.2/Dockerfile
@ -0,0 +1 @@
+FROM sharelatex/sharelatex:5.3.1
--- a/services/web/app/src/Features/Security/RateLimiterMiddleware.js
+++ b/services/web/app/src/Features/Security/RateLimiterMiddleware.js
@ -56,29 +56,31 @@ function rateLimit(rateLimiter, opts = {}) {
  }
 }

-function loginRateLimitEmail(req, res, next) {
-  const { email } = req.body
-  if (!email) {
-    return next()
+function loginRateLimitEmail(emailField = 'email') {
+  return function (req, res, next) {
+    const email = req.body[emailField]
+    if (!email) {
+      return next()
+    }
+    LoginRateLimiter.processLoginRequest(email, (err, isAllowed) => {
+      if (err) {
+        return next(err)
+      }
+      if (isAllowed) {
+        next()
+      } else {
+        logger.warn({ email }, 'rate limit exceeded')
+        res.status(429) // Too many requests
+        res.json({
+          message: {
+            type: 'error',
+            text: req.i18n.translate('to_many_login_requests_2_mins'),
+            key: 'to-many-login-requests-2-mins',
+          },
+        })
+      }
+    })
  }
-  LoginRateLimiter.processLoginRequest(email, (err, isAllowed) => {
-    if (err) {
-      return next(err)
-    }
-    if (isAllowed) {
-      next()
-    } else {
-      logger.warn({ email }, 'rate limit exceeded')
-      res.status(429) // Too many requests
-      res.json({
-        message: {
-          type: 'error',
-          text: req.i18n.translate('to_many_login_requests_2_mins'),
-          key: 'to-many-login-requests-2-mins',
-        },
-      })
-    }
-  })
 }

 const RateLimiterMiddleware = {
--- a/services/web/app/src/router.mjs
+++ b/services/web/app/src/router.mjs
@ -218,7 +218,7 @@ async function initialize(webRouter, privateApiRouter, publicApiRouter) {
  webRouter.post(
    '/login',
    RateLimiterMiddleware.rateLimit(overleafLoginRateLimiter), // rate limit IP (20 / 60s)
-    RateLimiterMiddleware.loginRateLimitEmail, // rate limit email (10 / 120s)
+    RateLimiterMiddleware.loginRateLimitEmail(), // rate limit email (10 / 120s)
    CaptchaMiddleware.validateCaptcha('login'),
    AuthenticationController.passportLogin
  )
@ -243,7 +243,7 @@ async function initialize(webRouter, privateApiRouter, publicApiRouter) {
    webRouter.post(
      '/login/legacy',
      RateLimiterMiddleware.rateLimit(overleafLoginRateLimiter), // rate limit IP (20 / 60s)
-      RateLimiterMiddleware.loginRateLimitEmail, // rate limit email (10 / 120s)
+      RateLimiterMiddleware.loginRateLimitEmail(), // rate limit email (10 / 120s)
      CaptchaMiddleware.validateCaptcha('login'),
      AuthenticationController.passportLogin
    )