From 08521077f054d01c8963244de6dbbb2680c82b01 Mon Sep 17 00:00:00 2001
From: Joe Previte <jjprevite@gmail.com>
Date: Thu, 15 Apr 2021 16:34:51 -0700
Subject: [PATCH] refactor(login): move rate limiter after successful login

Before, we weren't checking if a login was successful before counting it
against the rate limiter.

With this change, we only count unsuccessful logins against the rate limiter.

We did this because this was a bug but also because it caused problems with our
e2e tests hitting the rate limit.
---
 src/node/routes/login.ts | 10 ++++++----
 1 file changed, 6 insertions(+), 4 deletions(-)

diff --git a/src/node/routes/login.ts b/src/node/routes/login.ts
index b1cd34b9..3ec339c1 100644
--- a/src/node/routes/login.ts
+++ b/src/node/routes/login.ts
@@ -59,10 +59,6 @@ router.get("/", async (req, res) => {
 
 router.post("/", async (req, res) => {
   try {
-    if (!limiter.try()) {
-      throw new Error("Login rate limited!")
-    }
-
     if (!req.body.password) {
       throw new Error("Missing password")
     }
@@ -84,6 +80,12 @@ router.post("/", async (req, res) => {
       return redirect(req, res, to, { to: undefined })
     }
 
+    // Note: successful logins should not count against the RateLimiter
+    // which is why this logic must come after the successful login logic
+    if (!limiter.try()) {
+      throw new Error("Login rate limited!")
+    }
+
     console.error(
       "Failed login attempt",
       JSON.stringify({