TryGhost/Ghost
1
0
Fork 0
mirror of https://github.com/TryGhost/Ghost.git synced 2024-11-28 14:03:48 +03:00
Code Issues Projects Releases Wiki Activity

Added userAuth brute middleware to members auth endpoint (#13152)

Browse Source 
refs https://github.com/TryGhost/Team/issues/696

The userAuth spam prevention logic is reused, but a new piece of
middleware has to be created so that we can use a custom lookup key to
conatin the member email.

We must also add json parsing middleware to the route so that the brute
middleware can read the email.

The express body-parser middleware handles multiple instances on the
same route, so this doesn't cause problems upstream.

https://github.com/expressjs/body-parser/blob/1.19.0/lib/types/json.js#L99-L103
This commit is contained in:
Fabien 'egg' O'Carroll 2021-07-19 09:40:38 +01:00 committed by GitHub
parent bf587d4055
commit 1af2b50dcf
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
2 changed files with 16 additions and 1 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

2
core/server/web/members/app.js
View File

@ -39,7 +39,7 @@ module.exports = function setupMembersApp() {
membersApp.get('/api/site', middleware.getMemberSiteData);
// NOTE: this is wrapped in a function to ensure we always go via the getter
membersApp.post('/api/send-magic-link', (req, res, next) => membersService.api.middleware.sendMagicLink(req, res, next));
membersApp.post('/api/send-magic-link', bodyParser.json(), shared.middlewares.brute.membersAuth, (req, res, next) => membersService.api.middleware.sendMagicLink(req, res, next));
membersApp.post('/api/create-stripe-checkout-session', (req, res, next) => membersService.api.middleware.createCheckoutSession(req, res, next));
membersApp.post('/api/create-stripe-update-session', (req, res, next) => membersService.api.middleware.createCheckoutSetupSession(req, res, next));
membersApp.put('/api/subscriptions/:id', (req, res, next) => membersService.api.middleware.updateSubscription(req, res, next));

15
core/server/web/shared/middlewares/brute.js
View File

@ -94,5 +94,20 @@ module.exports = {
}
return next(err, ...rest);
});
},
/**
*/
membersAuth(req, res, next) {
return spamPrevention.userLogin().getMiddleware({
ignoreIP: false,
key(_req, _res, _next) {
if (_req.body.email) {
return _next(`${_req.body.email}login`);
}
return _next();
}
})(req, res, next);
}
};