From 1af2b50dcf5e47f971ba2af7a8310777f6a627d4 Mon Sep 17 00:00:00 2001 From: Fabien 'egg' O'Carroll Date: Mon, 19 Jul 2021 09:40:38 +0100 Subject: [PATCH] Added userAuth brute middleware to members auth endpoint (#13152) refs https://github.com/TryGhost/Team/issues/696 The userAuth spam prevention logic is reused, but a new piece of middleware has to be created so that we can use a custom lookup key to conatin the member email. We must also add json parsing middleware to the route so that the brute middleware can read the email. The express body-parser middleware handles multiple instances on the same route, so this doesn't cause problems upstream. https://github.com/expressjs/body-parser/blob/1.19.0/lib/types/json.js#L99-L103 --- core/server/web/members/app.js | 2 +- core/server/web/shared/middlewares/brute.js | 15 +++++++++++++++ 2 files changed, 16 insertions(+), 1 deletion(-)
diff --git a/core/server/web/members/app.js b/core/server/web/members/app.js
index 3706b32a29..b01b43e32b 100644
--- a/core/server/web/members/app.js
+++ b/core/server/web/members/app.js
@@ -39,7 +39,7 @@ module.exports = function setupMembersApp() {
 membersApp.get('/api/site', middleware.getMemberSiteData);
 
 // NOTE: this is wrapped in a function to ensure we always go via the getter
-membersApp.post('/api/send-magic-link', (req, res, next) => membersService.api.middleware.sendMagicLink(req, res, next));
+membersApp.post('/api/send-magic-link', bodyParser.json(), shared.middlewares.brute.membersAuth, (req, res, next) => membersService.api.middleware.sendMagicLink(req, res, next));
 membersApp.post('/api/create-stripe-checkout-session', (req, res, next) => membersService.api.middleware.createCheckoutSession(req, res, next));
 membersApp.post('/api/create-stripe-update-session', (req, res, next) => membersService.api.middleware.createCheckoutSetupSession(req, res, next));
 membersApp.put('/api/subscriptions/:id', (req, res, next) => membersService.api.middleware.updateSubscription(req, res, next));
diff --git a/core/server/web/shared/middlewares/brute.js b/core/server/web/shared/middlewares/brute.js
index c79e4938b3..1b0ced21e3 100644
--- a/core/server/web/shared/middlewares/brute.js
+++ b/core/server/web/shared/middlewares/brute.js
@@ -94,5 +94,20 @@ module.exports = {
 }
 return next(err, ...rest);
 });
+},
+
+/**
+ */
+membersAuth(req, res, next) {
+return spamPrevention.userLogin().getMiddleware({
+ignoreIP: false,
+key(_req, _res, _next) {
+if (_req.body.email) {
+return _next(`${_req.body.email}login`);
+}
+
+return _next();
+}
+})(req, res, next);
 }
 };
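Review bot: The new `membersApp.post` line for `/api/send-magic-link` references `bodyParser.json()` and `shared.middlewares.brute.membersAuth` without an accompanying `require`, and the diffstat shows no other change to app.js, so both names must already be in scope there — worth confirming. The middleware ordering is load-bearing but undocumented in the code: the JSON parser has to run before the brute middleware because that middleware keys the limit on `req.body.email`, and the existing NOTE above the line only explains the arrow-function wrapper. I'd extend that comment, e.g. `// bodyParser.json() runs before the brute middleware so it can key the rate limit on req.body.email`. The enclosing setupMembersApp function starts and ends outside the hunk.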
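Review bot: The key function inside `membersAuth` reads `_req.body.email` without checking that it is a string or normalising it, so case or whitespace variants of the same address are counted against separate limits, a non-string JSON value is coerced by the template literal into a key such as `[object Object]login`, and a route that mounts this shared middleware without a body parser throws a TypeError on `_req.body.email`. I'd guard and normalise as below; if the staff-login key elsewhere in this file applies its own normalisation, keep the two consistent since they share the `userLogin` limiter. The `/** */` block above `membersAuth` is empty and should state that the middleware reuses the `userLogin` spam-prevention limiter keyed on client IP plus the submitted email (`ignoreIP: false`), falling back to an IP-only key when no email is present. The enclosing `module.exports` object starts outside the hunk.
```javascript
key(_req, _res, _next) {
    const email = _req.body && _req.body.email;
    // Only key on a well-formed string, normalised so case/whitespace variants share one counter
    if (typeof email === 'string' && email.trim() !== '') {
        return _next(`${email.trim().toLowerCase()}login`);
    }

    return _next();
}
```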