IntenseWebs/mattermost
3
0
Fork 0
mirror of https://github.com/mattermost/mattermost.git synced 2025-02-25 18:55:24 -06:00
Code Issues Packages Projects Releases Wiki Activity

Fixes mm-1355 adds rate limiting apis

Browse Source
This commit is contained in:
=Corey Hulen
2015-07-29 01:26:10 -08:00
parent 81e55eb57c
commit 9677a9f717
142 changed files with 7272 additions and 24159 deletions
Download Patch File Download Diff File Expand all files Collapse all files

37
api/server.go
View File

@@ -9,7 +9,10 @@ import (
"github.com/gorilla/mux"
"github.com/mattermost/platform/store"
"github.com/mattermost/platform/utils"
"github.com/throttled/throttled"
throttledStore "github.com/throttled/throttled/store"
"net/http"
"strings"
"time"
)
@@ -35,10 +38,40 @@ func NewServer() {
func StartServer() {
l4g.Info("Starting Server...")
l4g.Info("Server is listening on " + utils.Cfg.ServiceSettings.Port)
var handler http.Handler = Srv.Router
if utils.Cfg.RateLimitSettings.UseRateLimiter {
l4g.Info("RateLimiter is enabled")
vary := throttled.VaryBy{}
if utils.Cfg.RateLimitSettings.VaryByRemoteAddr {
vary.RemoteAddr = true
}
if len(utils.Cfg.RateLimitSettings.VaryByHeader) > 0 {
vary.Headers = strings.Fields(utils.Cfg.RateLimitSettings.VaryByHeader)
if utils.Cfg.RateLimitSettings.VaryByRemoteAddr {
l4g.Warn("RateLimitSettings not configured properly using VaryByHeader and disabling VaryByRemoteAddr")
vary.RemoteAddr = false
}
}
th := throttled.RateLimit(throttled.PerSec(utils.Cfg.RateLimitSettings.PerSec), &vary, throttledStore.NewMemStore(utils.Cfg.RateLimitSettings.MemoryStoreSize))
th.DeniedHandler = http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
l4g.Error("%v: code=429 ip=%v", r.URL.Path, GetIpAddress(r))
throttled.DefaultDeniedHandler.ServeHTTP(w, r)
})
handler = th.Throttle(Srv.Router)
}
go func() {
err := Srv.Server.ListenAndServe(":"+utils.Cfg.ServiceSettings.Port, Srv.Router)
err := Srv.Server.ListenAndServe(":"+utils.Cfg.ServiceSettings.Port, handler)
if err != nil {
l4g.Critical("Error starting server, err:%v", err)
time.Sleep(time.Second)

14
api/user.go
View File

@@ -282,12 +282,26 @@ func LoginByEmail(c *Context, w http.ResponseWriter, r *http.Request, email, nam
}
func checkUserPassword(c *Context, user *model.User, password string) bool {
if user.FailedAttempts >= utils.Cfg.ServiceSettings.AllowedLoginAttempts {
c.LogAuditWithUserId(user.Id, "fail")
c.Err = model.NewAppError("checkUserPassword", "Your account is locked because of too many failed password attempts. Please reset your password.", "user_id="+user.Id)
c.Err.StatusCode = http.StatusForbidden
return false
}
if !model.ComparePassword(user.Password, password) {
c.LogAuditWithUserId(user.Id, "fail")
c.Err = model.NewAppError("checkUserPassword", "Login failed because of invalid password", "user_id="+user.Id)
c.Err.StatusCode = http.StatusForbidden
if result := <-Srv.Store.User().UpdateFailedPasswordAttempts(user.Id, user.FailedAttempts+1); result.Err != nil {
c.LogError(result.Err)
}
return false
}
return true
}