more secure token handling

jackiettran
2025-09-17 18:37:07 -04:00
parent a9fa579b6d
commit cf6dd9be90
10 changed files with 807 additions and 231 deletions


@@ -104,12 +104,70 @@ const burstProtection = createUserBasedRateLimiter(
"Too many requests in a short period. Please slow down."
);
// Authentication rate limiters
const authRateLimiters = {
// Login rate limiter - stricter to prevent brute force
login: rateLimit({
windowMs: 15 * 60 * 1000, // 15 minutes
max: 5, // 5 login attempts per 15 minutes
message: {
error: "Too many login attempts. Please try again in 15 minutes.",
retryAfter: 900, // seconds
},
standardHeaders: true,
legacyHeaders: false,
skipSuccessfulRequests: true, // Don't count successful logins
}),
// Registration rate limiter
register: rateLimit({
windowMs: 60 * 60 * 1000, // 1 hour
max: 3, // 3 registration attempts per hour
message: {
error: "Too many registration attempts. Please try again later.",
retryAfter: 3600,
},
standardHeaders: true,
legacyHeaders: false,
}),
// Password reset rate limiter
passwordReset: rateLimit({
windowMs: 60 * 60 * 1000, // 1 hour
max: 3, // 3 password reset requests per hour
message: {
error: "Too many password reset requests. Please try again later.",
retryAfter: 3600,
},
standardHeaders: true,
legacyHeaders: false,
}),
// General API rate limiter
general: rateLimit({
windowMs: 60 * 1000, // 1 minute
max: 100, // 100 requests per minute
message: {
error: "Too many requests. Please slow down.",
retryAfter: 60,
},
standardHeaders: true,
legacyHeaders: false,
}),
};
module.exports = {
// Individual rate limiters
placesAutocomplete: rateLimiters.placesAutocomplete,
placeDetails: rateLimiters.placeDetails,
geocoding: rateLimiters.geocoding,
// Auth rate limiters
loginLimiter: authRateLimiters.login,
registerLimiter: authRateLimiters.register,
passwordResetLimiter: authRateLimiters.passwordReset,
generalLimiter: authRateLimiters.general,
// Burst protection
burstProtection,