mirror of
https://github.com/TryGhost/Ghost.git
synced 2024-12-27 21:03:29 +03:00
99 lines
2.8 KiB
JavaScript
99 lines
2.8 KiB
JavaScript
const url = require('url');
|
|
const spamPrevention = require('./api/spam-prevention');
|
|
|
|
/**
|
|
* We set ignoreIP to false, because we tell brute-knex to use `req.ip`.
|
|
* We can use `req.ip`, because express trust proxy option is enabled.
|
|
*/
|
|
module.exports = {
|
|
/**
|
|
* block per route per ip
|
|
*/
|
|
globalBlock(req, res, next) {
|
|
return spamPrevention.globalBlock().getMiddleware({
|
|
ignoreIP: false,
|
|
key: function (_req, _res, _next) {
|
|
_next(url.parse(_req.url).pathname);
|
|
}
|
|
})(req, res, next);
|
|
},
|
|
/**
|
|
* block per route per ip
|
|
*/
|
|
globalReset(req, res, next) {
|
|
return spamPrevention.globalReset().getMiddleware({
|
|
ignoreIP: false,
|
|
key(_req, _res, _next) {
|
|
_next(url.parse(_req.url).pathname);
|
|
}
|
|
})(req, res, next);
|
|
},
|
|
/**
|
|
* block per user
|
|
* username === email!
|
|
*/
|
|
userLogin(req, res, next) {
|
|
return spamPrevention.userLogin().getMiddleware({
|
|
ignoreIP: false,
|
|
key(_req, _res, _next) {
|
|
if (_req.body.username) {
|
|
return _next(`${_req.body.username}login`);
|
|
}
|
|
|
|
if (_req.body.authorizationCode) {
|
|
return _next(`${_req.body.authorizationCode}login`);
|
|
}
|
|
|
|
if (_req.body.refresh_token) {
|
|
return _next(`${_req.body.refresh_token}login`);
|
|
}
|
|
|
|
return _next();
|
|
}
|
|
})(req, res, next);
|
|
},
|
|
/**
|
|
* block per user
|
|
*/
|
|
userReset(req, res, next) {
|
|
return spamPrevention.userReset().getMiddleware({
|
|
ignoreIP: false,
|
|
key(_req, _res, _next) {
|
|
_next(`${_req.body.username}reset`);
|
|
}
|
|
})(req, res, next);
|
|
},
|
|
/**
|
|
* block per ip
|
|
*/
|
|
privateBlog(req, res, next) {
|
|
return spamPrevention.privateBlog().getMiddleware({
|
|
ignoreIP: false,
|
|
key(_req, _res, _next) {
|
|
_next('privateblog');
|
|
}
|
|
})(req, res, next);
|
|
},
|
|
|
|
/*
|
|
* protect content api from brute force
|
|
*/
|
|
contentApiKey(req, res, next) {
|
|
return spamPrevention.contentApiKey().getMiddleware({
|
|
ignoreIP: false
|
|
})(req, res, function (err, ...rest) {
|
|
if (!err) {
|
|
// Reset any blocks if the request is authorized
|
|
// This ensures that the count only goes up for
|
|
// unauthorized requests.
|
|
res.on('finish', function () {
|
|
if (res.statusCode < 400) {
|
|
req.brute.reset();
|
|
}
|
|
});
|
|
}
|
|
return next(err, ...rest);
|
|
});
|
|
}
|
|
};
|