refactor(login): move rate limiter after successful login

Before, we weren't checking if a login was successful before counting it
against the rate limiter.

With this change, we only count unsuccessful logins against the rate limiter.

We did this because this was a bug but also because it caused problems with our
e2e tests hitting the rate limit.
This commit is contained in:
Joe Previte 2021-04-15 16:34:51 -07:00
parent 83cfbf82cf
commit 08521077f0
No known key found for this signature in database
GPG Key ID: 2C91590C6B742C24
1 changed files with 6 additions and 4 deletions

View File

@ -59,10 +59,6 @@ router.get("/", async (req, res) => {
router.post("/", async (req, res) => { router.post("/", async (req, res) => {
try { try {
if (!limiter.try()) {
throw new Error("Login rate limited!")
}
if (!req.body.password) { if (!req.body.password) {
throw new Error("Missing password") throw new Error("Missing password")
} }
@ -84,6 +80,12 @@ router.post("/", async (req, res) => {
return redirect(req, res, to, { to: undefined }) return redirect(req, res, to, { to: undefined })
} }
// Note: successful logins should not count against the RateLimiter
// which is why this logic must come after the successful login logic
if (!limiter.try()) {
throw new Error("Login rate limited!")
}
console.error( console.error(
"Failed login attempt", "Failed login attempt",
JSON.stringify({ JSON.stringify({