refactor(login): move rate limiter after successful login
Before, we weren't checking if a login was successful before counting it against the rate limiter. With this change, we only count unsuccessful logins against the rate limiter. We did this because this was a bug but also because it caused problems with our e2e tests hitting the rate limit.
This commit is contained in:
parent
83cfbf82cf
commit
08521077f0
@ -59,10 +59,6 @@ router.get("/", async (req, res) => {
|
|||||||
|
|
||||||
router.post("/", async (req, res) => {
|
router.post("/", async (req, res) => {
|
||||||
try {
|
try {
|
||||||
if (!limiter.try()) {
|
|
||||||
throw new Error("Login rate limited!")
|
|
||||||
}
|
|
||||||
|
|
||||||
if (!req.body.password) {
|
if (!req.body.password) {
|
||||||
throw new Error("Missing password")
|
throw new Error("Missing password")
|
||||||
}
|
}
|
||||||
@ -84,6 +80,12 @@ router.post("/", async (req, res) => {
|
|||||||
return redirect(req, res, to, { to: undefined })
|
return redirect(req, res, to, { to: undefined })
|
||||||
}
|
}
|
||||||
|
|
||||||
|
// Note: successful logins should not count against the RateLimiter
|
||||||
|
// which is why this logic must come after the successful login logic
|
||||||
|
if (!limiter.try()) {
|
||||||
|
throw new Error("Login rate limited!")
|
||||||
|
}
|
||||||
|
|
||||||
console.error(
|
console.error(
|
||||||
"Failed login attempt",
|
"Failed login attempt",
|
||||||
JSON.stringify({
|
JSON.stringify({
|
||||||
|
Reference in New Issue
Block a user