Added brute protection to content api (#10362)

* Revert "Removed brute force middleware form content api (#10353)" This reverts commit 63c8c310fb. * Updated content api spam prevention to use memory store * Used TooManyRequestsError instead of InternalServer
2025-02-03 23:00:14 -05:00 · 2019-01-14 14:11:48 +01:00 · 2019-01-14 14:11:48 +01:00 · 9837df0b6f
commit 9837df0b6f
parent a7ba90dfa1
3 changed files with 6 additions and 13 deletions
--- a/core/server/web/api/v2/content/middleware.js
+++ b/core/server/web/api/v2/content/middleware.js
@ -14,9 +14,7 @@ const shared = require('../../../shared');
 * Authentication for public endpoints
 */
 module.exports.authenticatePublic = [
-    /* @TODO: put this back
-     * shared.middlewares.brute.contentApiKey,
-     */
+    shared.middlewares.brute.contentApiKey,
    auth.authenticate.authenticateContentApi,
    auth.authorize.authorizeContentApi,
    cors(),
--- a/core/server/web/shared/middlewares/api/spam-prevention.js
+++ b/core/server/web/shared/middlewares/api/spam-prevention.js
@ -13,6 +13,7 @@ const spamUserLogin = spam.user_login || {};
 const spamContentApiKey = spam.content_api_key || {};

 let store;
+let memoryStore;
 let privateBlogInstance;
 let globalResetInstance;
 let globalBlockInstance;
@ -207,20 +208,14 @@ const privateBlog = () => {

 const contentApiKey = () => {
    const ExpressBrute = require('express-brute');
-    const BruteKnex = require('brute-knex');
-    const db = require('../../../../data/db');

-    store = store || new BruteKnex({
-        tablename: 'brute',
-        createTable: false,
-        knex: db.knex
-    });
+    memoryStore = memoryStore || new ExpressBrute.MemoryStore();

-    contentApiKeyInstance = contentApiKeyInstance || new ExpressBrute(store,
+    contentApiKeyInstance = contentApiKeyInstance || new ExpressBrute(memoryStore,
        extend({
            attachResetToRequest: true,
            failCallback(req, res, next) {
-                const err = new common.errors.GhostError({
+                const err = new common.errors.TooManyRequestsError({
                    message: common.i18n.t('errors.middleware.spamprevention.tooManyAttempts')
                });

--- a/core/test/unit/web/api/v2/content/middleware_spec.js
+++ b/core/test/unit/web/api/v2/content/middleware_spec.js
@ -6,7 +6,7 @@ describe('Content Api v2 middleware', function () {
        should.exist(middleware.authenticatePublic);
    });

-    describe.skip('authenticatePublic', function () {
+    describe('authenticatePublic', function () {
        it('uses brute content api middleware as the first middleware in the chain', function () {
            const firstMiddleware = middleware.authenticatePublic[0];
            const brute = require('../../../../../../server/web/shared/middlewares/brute');