feat(indiekit): rate limit some requests

getindiekit · Jan 29, 2022 · 6a7d520 · 6a7d520
1 parent 3b5fd97
commit 6a7d520
Show file tree

Hide file tree

Showing 3 changed files with 31 additions and 3 deletions.
diff --git a/package-lock.json b/package-lock.json
diff --git a/packages/indiekit/lib/routes.js b/packages/indiekit/lib/routes.js
@@ -1,5 +1,6 @@
 import express from 'express';
 import frontend from '@indiekit/frontend';
+import rateLimit from 'express-rate-limit';
 import * as assetsController from './controllers/assets.js';
 import * as homepageController from './controllers/homepage.js';
 import * as sessionController from './controllers/session.js';
@@ -8,6 +9,12 @@ import {authenticate} from './middleware/authentication.js';
 
 const {assetsPath} = frontend;
 const router = express.Router(); // eslint-disable-line new-cap
+const limit = rateLimit({
+  windowMs: 15 * 60 * 1000, // 15 minutes
+  max: 100,
+  standardHeaders: true,
+  legacyHeaders: false,
+});
 
 export const routes = indiekitConfig => {
   const {application, publication} = indiekitConfig;
@@ -42,9 +49,9 @@ export const routes = indiekitConfig => {
   }
 
   // Session
-  router.get('/session/login', sessionController.login);
-  router.post('/session/login', sessionController.authenticate);
-  router.get('/session/auth', sessionController.authenticationCallback);
+  router.get('/session/login', limit, sessionController.login);
+  router.post('/session/login', limit, sessionController.authenticate);
+  router.get('/session/auth', limit, sessionController.authenticationCallback);
   router.get('/session/logout', sessionController.logout);
 
   // Endpoints

diff --git a/packages/indiekit/package.json b/packages/indiekit/package.json
@@ -44,6 +44,7 @@
     "debug": "^4.3.2",
     "deepmerge": "^4.2.2",
     "express": "^4.17.1",
+    "express-rate-limit": "^6.2.0",
     "got": "^12.0.0",
     "http-errors": "^2.0.0",
     "i18n": "^0.14.0",