npm - @riocrypto/common-server - Versions diffs - 1.0.2800 → 1.0.2803 - Mend

@riocrypto/common-server 1.0.2800 → 1.0.2803

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (4) hide show

package/build/middlewares/dynamic-rate-limiter.js +28 -33
package/build/models/auth.d.ts +4 -0
package/build/models/auth.js +9 -0
package/package.json +1 -1

package/build/middlewares/dynamic-rate-limiter.js CHANGED Viewed

@@ -26,6 +26,32 @@ Object.defineProperty(exports, "__esModule", { value: true });
 exports.createDynamicRateLimiter = void 0;
 const express_rate_limit_1 = __importDefault(require("express-rate-limit"));
 const custom_rate_limit_1 = require("../models/custom-rate-limit");
+// Resolve the real client IP, preferring Cloudflare's cf-connecting-ip and
+// falling back through x-forwarded-for and req.ip. Used both to look up
+// per-IP custom rules and to key the underlying express-rate-limit instance,
+// so a single attacker is bucketed to their own real IP rather than sharing
+// a counter with every other client behind the ingress.
+function resolveClientIp(req) {
+    var _a, _b, _c;
+    const cfConnectingIp = req.headers["cf-connecting-ip"];
+    const xForwardedFor = req.headers["x-forwarded-for"];
+    let raw;
+    if (typeof cfConnectingIp === "string" && cfConnectingIp.length > 0) {
+        raw = cfConnectingIp.trim();
+    }
+    else if (typeof xForwardedFor === "string" && xForwardedFor.length > 0) {
+        raw = (_a = xForwardedFor.split(",")[0]) === null || _a === void 0 ? void 0 : _a.trim();
+    }
+    else if (Array.isArray(xForwardedFor) && xForwardedFor.length > 0) {
+        raw = (_c = (_b = xForwardedFor[0]) === null || _b === void 0 ? void 0 : _b.split(",")[0]) === null || _c === void 0 ? void 0 : _c.trim();
+    }
+    else {
+        raw = req.ip;
+    }
+    if (!raw)
+        return undefined;
+    return raw.startsWith("::ffff:") ? raw.substring(7) : raw;
+}
 // Cache for rate limiter instances
 const limiterInstanceCache = new Map();
 // Cache for compiled RegExp objects from path strings
@@ -84,32 +110,7 @@ function createDynamicRateLimiter(options) {
                 (customIpRulesCache.size === 0 && lastCacheRefreshTime === 0)) {
                 yield refreshCustomIpRulesCache(CustomRateLimit, req.path);
             }
-            // Determine the client's IP address, prioritizing Cloudflare/proxy headers
-            let rawClientIp;
-            const cfConnectingIp = req.headers["cf-connecting-ip"];
-            const xForwardedForHeader = req.headers["x-forwarded-for"];
-            if (cfConnectingIp) {
-                rawClientIp = cfConnectingIp;
-            }
-            else if (xForwardedForHeader) {
-                // X-Forwarded-For can be a comma-separated list (client, proxy1, proxy2)
-                // The first IP is the original client IP
-                rawClientIp = xForwardedForHeader.split(",")[0].trim();
-            }
-            else {
-                rawClientIp = req.ip; // Fallback to Express's req.ip
-            }
-            let normalizedIp;
-            if (rawClientIp) {
-                // Normalize IPv4-mapped IPv6 addresses (e.g., ::ffff:192.0.2.1 -> 192.0.2.1)
-                // Also handles direct IPv4 and standard IPv6 addresses
-                if (rawClientIp.startsWith("::ffff:")) {
-                    normalizedIp = rawClientIp.substring(7);
-                }
-                else {
-                    normalizedIp = rawClientIp;
-                }
-            }
+            const normalizedIp = resolveClientIp(req);
             let currentLimit = defaultMax;
             let currentWindowMs = defaultWindowMs;
             let ruleIdentifier = "default"; // Start with default identifier
@@ -149,13 +150,7 @@ function createDynamicRateLimiter(options) {
             let selectedLimiter = limiterInstanceCache.get(limiterCacheKey);
             if (!selectedLimiter) {
                 // Create a new limiter instance with the determined limit/window
-                selectedLimiter = (0, express_rate_limit_1.default)(Object.assign({ windowMs: currentWindowMs, max: currentLimit, keyGenerator: (request) => {
-                        let ipForKey = request.ip;
-                        if (ipForKey === null || ipForKey === void 0 ? void 0 : ipForKey.startsWith("::ffff:")) {
-                            ipForKey = ipForKey.substring(7);
-                        }
-                        return ipForKey || "unknown_ip_for_rate_limit";
-                    }, message: message, standardHeaders: standardHeaders, legacyHeaders: legacyHeaders, skip: skip, requestPropertyName: requestPropertyName }, otherRateLimitOptions));
+                selectedLimiter = (0, express_rate_limit_1.default)(Object.assign({ windowMs: currentWindowMs, max: currentLimit, keyGenerator: (request) => { var _a; return (_a = resolveClientIp(request)) !== null && _a !== void 0 ? _a : "unknown_ip_for_rate_limit"; }, message: message, standardHeaders: standardHeaders, legacyHeaders: legacyHeaders, skip: skip, requestPropertyName: requestPropertyName }, otherRateLimitOptions));
                 limiterInstanceCache.set(limiterCacheKey, selectedLimiter);
             }
             return selectedLimiter(req, res, next);

package/build/models/auth.d.ts CHANGED Viewed

@@ -35,6 +35,8 @@ interface AuthAttrs {
     emailVerificationAttempts?: number;
     securityAnswerAttempts?: number;
     securityAnswerLockedUntil?: Date;
+    authenticatorVerificationAttempts?: number;
+    authenticatorVerificationLockedUntil?: Date;
     authMethod?: AuthMethod;
     twoFactorConfigured?: boolean;
     twoFactorMethod?: string;
@@ -74,6 +76,8 @@ interface AuthDoc extends Document {
     emailVerificationAttempts?: number;
     securityAnswerAttempts?: number;
     securityAnswerLockedUntil?: Date;
+    authenticatorVerificationAttempts?: number;
+    authenticatorVerificationLockedUntil?: Date;
     authMethod?: AuthMethod;
     twoFactorConfigured?: boolean;
     twoFactorMethod?: string;

package/build/models/auth.js CHANGED Viewed

@@ -132,6 +132,13 @@ const buildAuth = (mongoose) => {
         securityAnswerLockedUntil: {
             type: Date,
         },
+        authenticatorVerificationAttempts: {
+            type: Number,
+            default: 0,
+        },
+        authenticatorVerificationLockedUntil: {
+            type: Date,
+        },
         authMethod: {
             type: String,
         },
@@ -160,6 +167,8 @@ const buildAuth = (mongoose) => {
                 delete ret.emailVerificationAttempts;
                 delete ret.securityAnswerAttempts;
                 delete ret.securityAnswerLockedUntil;
+                delete ret.authenticatorVerificationAttempts;
+                delete ret.authenticatorVerificationLockedUntil;
                 for (let apiKey of ret.apiKeys) {
                     delete apiKey.value;
                 }

package/package.json CHANGED Viewed

@@ -1,6 +1,6 @@
 {
   "name": "@riocrypto/common-server",
-  "version": "1.0.2800",
+  "version": "1.0.2803",
   "description": "",
   "main": "./build/index.js",
   "types": "./build/index.d.ts",