Added limits to config.json

This commit is contained in:
Akif9748 2022-09-17 16:27:01 +03:00
parent b3735ce606
commit e341e8d2e9
7 changed files with 39 additions and 19 deletions


@ -13,7 +13,7 @@ You need this headers for send request to API:
``` ```
But in front end, the API will works with session. But in front end, the API will works with session.
## Limits: ## Default Limits:
- 3 - 25 char for username, password and category name - 3 - 25 char for username, password and category name
- 256 char for user about and desp of category - 256 char for user about and desp of category
- 5 - 128 char for thread titles. - 5 - 128 char for thread titles.


@ -1,5 +1,16 @@
{ {
"def_theme": "default", "def_theme": "default",
"forum_name": "akf", "forum_name": "akf",
"description": "Akf-forum!" "description": "Akf-forum!",
"limits": {
"title": 128,
"message": 1024,
"names": 25,
"desp": 256
},
"global_ratelimit":{
"enabled": true,
"max": 25,
"windowMs": 60000
}
} }
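Review bot: The new `limits` object carries only upper bounds, while the matching lower bounds (3 for names, 5 for title and message content) stay as literals in the routes, so a deployment that sets `names` below 3 or `title`/`message` below 5 makes those fields impossible to submit and nothing reports the contradiction. Either state in the README that these values must not go below the hard-coded minimums, or add `min` entries alongside them and read both ends in the routes. `global_ratelimit.enabled: false` switches the application-wide limiter off entirely; only the per-route limiters (the `rateLimit({` on message creation and registration) would remain.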


@ -4,7 +4,7 @@ const { urlencoded: BP } = require('body-parser'),
SES = require('express-session'); SES = require('express-session');
const const
{ def_theme, forum_name, description } = require("./config.json"), { def_theme, forum_name, description, limits, global_ratelimit: RLS } = require("./config.json"),
{ UserModel, BanModel } = require("./models"), { UserModel, BanModel } = require("./models"),
port = process.env.PORT || 3000, port = process.env.PORT || 3000,
mongoose = require("mongoose"), mongoose = require("mongoose"),
@ -19,8 +19,9 @@ mongoose.connect(process.env.MONGO_DB_URL,
async () => console.log("Database is connected with", (app.ips = await BanModel.find({})).length, "banned IPs")); async () => console.log("Database is connected with", (app.ips = await BanModel.find({})).length, "banned IPs"));
app.set("view engine", "ejs"); app.set("view engine", "ejs");
app.set("limits", limits);
app.use(express.static("public"), express.json(), IP(), app.use(express.static("public"), express.json(), IP(),
SES({ secret: 'secret', resave: true, saveUninitialized: true }), SES({ secret: 'secret', resave: true, saveUninitialized: true }),
async (req, res, next) => { async (req, res, next) => {
if (app.ips.includes(req.clientIp)) return res.status(403).send("You are banned from this forum."); if (app.ips.includes(req.clientIp)) return res.status(403).send("You are banned from this forum.");
@ -38,12 +39,12 @@ app.use(express.static("public"), express.json(), IP(),
return res.error(403, "Your account has been deleted."); return res.error(403, "Your account has been deleted.");
} }
next(); next();
}, RL({ }, BP({ extended: true })
windowMs: 60_000, max: 20,
handler: (req, res, next, opts) => !req.user?.admin ? res.error(opts.statusCode, "You are begin ratelimited") : next()
}), BP({ extended: true })
); );
if (RLS.enabled)
app.use(RL({ ...RLS, handler: (req, res, next, opts) => !req.user?.admin ? res.error(opts.statusCode, "You are begin ratelimited") : next() }));
for (const file of fs.readdirSync("./routes")) for (const file of fs.readdirSync("./routes"))
app.use("/" + file.replace(".js", ""), require(`./routes/${file}`)); app.use("/" + file.replace(".js", ""), require(`./routes/${file}`));
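Review bot: `if (RLS.enabled)` in the last hunk throws a TypeError at startup when config.json has no `global_ratelimit` key, while a missing `limits` key is only noticed per request, because `app.set("limits", limits)` stores `undefined` and each route's `req.app.get("limits").message` read then fails with a 500; a missing single key such as `limits.message` is worse, since `content.length > undefined` is always false and that upper bound silently vanishes. Give both destructured names a default (the rate-limit default matching the previous hard-coded `windowMs: 60_000, max: 20`, so an unmigrated config keeps the limiter rather than failing open) and validate the four limit keys once at startup so a misconfiguration fails loudly instead of accepting unbounded input. The `const` chain that the first hunk's destructuring belongs to continues past that hunk.
```javascript
    { def_theme, forum_name, description, limits = {}, global_ratelimit: RLS = { enabled: true, windowMs: 60_000, max: 20 } } = require("./config.json"),
    // … unchanged: models, port, mongoose …
// … unchanged: mongoose.connect, view engine …
for (const key of ["title", "message", "names", "desp"])
    if (!Number.isInteger(limits[key]) || limits[key] <= 0)
        throw new Error(`config.json: limits.${key} must be a positive integer`);
app.set("limits", limits);
```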


@ -27,7 +27,9 @@ app.patch("/:id/", async (req, res) => {
if (user.id !== message.authorID && !user.admin) return res.error(403, "You have not got permission for this."); if (user.id !== message.authorID && !user.admin) return res.error(403, "You have not got permission for this.");
const { content = null } = req.body; const { content = null } = req.body;
if (!content) return res.error(400, "Missing message content in request body."); if (!content) return res.error(400, "Missing message content in request body.");
if (content.length < 5 || content.length > 1024) return res.error(400, "content must be between 5 - 1024 characters");
const limits = req.app.get("limits");
if (content.length < 5 || content.length > limits.message) return res.error(400, "content must be between 5 - 1024 characters");
message.content = content; message.content = content;
message.edited = true; message.edited = true;
@ -45,7 +47,9 @@ app.post("/", rateLimit({
const { threadID, content } = req.body; const { threadID, content } = req.body;
if (!content) return res.error(400, "Missing message content in request body."); if (!content) return res.error(400, "Missing message content in request body.");
if (content.length < 5 || content.length > 1024) return res.error(400, "content must be between 5 - 1024 characters"); const limits = req.app.get("limits");
if (content.length < 5 || content.length > limits.message) return res.error(400, "content must be between 5 - 1024 characters");
const thread = await ThreadModel.get(threadID); const thread = await ThreadModel.get(threadID);
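Review bot: The error text on the rewritten check still says `5 - 1024` while the bound is now `limits.message`, so as soon as an operator changes config.json the response misreports the limit; use a template literal, `` `content must be between 5 - ${limits.message} characters` ``. The same stale literal is in the second hunk and in the thread route's `5 - 128` / `5 - 1024` messages. The comparison also assumes `content` is a string: a non-string body value has no `.length`, both comparisons are false, and the value reaches `message.content` unchecked — this predates the commit, but the rewritten line is the natural place to extend the existing guard to `if (!content || typeof content !== "string")`. Both enclosing handlers begin before their hunk.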


@ -41,8 +41,10 @@ app.post("/", async (req, res) => {
const { title, content, category } = req.body; const { title, content, category } = req.body;
if (!content || !title) return res.error(400, "Missing content/title in request body."); if (!content || !title) return res.error(400, "Missing content/title in request body.");
if (title.length < 5 || title.length > 128) return res.error(400, "title must be between 5 - 128 characters"); const limits = req.app.get("limits");
if (content.length < 5 || content.length > 1024) return res.error(400, "content must be between 5 - 1024 characters");
if (title.length < 5 || title.length > limits.title) return res.error(400, "title must be between 5 - 128 characters");
if (content.length < 5 || content.length > limits.message) return res.error(400, "content must be between 5 - 1024 characters");
const { user } = req; const { user } = req;
const thread = await new ThreadModel({ title, author: user }).takeId() const thread = await new ThreadModel({ title, author: user }).takeId()
if (category) if (category)
@ -61,7 +63,9 @@ app.patch("/:id/", async (req, res) => {
if (user.id !== thread.authorID && !user.admin) return res.error(403, "You have not got permission for this."); if (user.id !== thread.authorID && !user.admin) return res.error(403, "You have not got permission for this.");
const { title } = req.body; const { title } = req.body;
if (!title) return res.error(400, "Missing thread title in request body."); if (!title) return res.error(400, "Missing thread title in request body.");
if (title.length < 5 || title.length > 128) return res.error(400, "title must be between 5 - 128 characters"); const limits = req.app.get("limits");
if (title.length < 5 || title.length > limits.title) return res.error(400, "title must be between 5 - 128 characters");
thread.title = title; thread.title = title;
await thread.save(); await thread.save();


@ -42,7 +42,6 @@ app.post("/:id/undelete/", async (req, res) => {
if (!member.deleted) return res.error(404, "This user is not deleted, first, delete it."); if (!member.deleted) return res.error(404, "This user is not deleted, first, delete it.");
member.deleted = false; member.deleted = false;
;
res.complate(await member.save()); res.complate(await member.save());
@ -57,17 +56,17 @@ app.patch("/:id/", async (req, res) => {
const { name, about, theme, admin, deleted } = req.body; const { name, about, theme, admin, deleted } = req.body;
if ((admin?.length || "deleted" in req.body) && !req.user.admin) return res.error(403, "You have not got permission for edit 'admin' and 'deleted' information, or bad request."); if ((admin?.length || "deleted" in req.body) && !req.user.admin) return res.error(403, "You have not got permission for edit 'admin' and 'deleted' information, or bad request.");
const { names, desp } = req.app.get("limits");
if (name) { if (name) {
if (name.length < 3 || name.length > 25) return res.error(400, "Username must be between 3 - 25 characters"); if (name.length < 3 || names > 25) return res.error(400, "Username must be between 3 - 25 characters");
await SecretModel.updateOne({ id: member.id }, { username: name }); await SecretModel.updateOne({ id: member.id }, { username: name });
member.name = name; member.name = name;
} }
if (about) { if (about) {
if (about.length > 256) return res.error(400, "About must be under 256 characters"); if (about.length > desp) return res.error(400, "About must be under 256 characters");
member.about = about; member.about = about;
} }
if (theme || ["default", "black"].includes(theme)) member.theme = theme; if (theme || ["default", "black"].includes(theme)) member.theme = theme;
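Review bot: `names > 25` in the username check compares the configured maximum against the literal 25 instead of against the input, so with the shipped config (`names: 25`) it is always false and `name` no longer has an upper bound; the line should read `if (name.length < 3 || name.length > names) return res.error(400, "Username must be between 3 - 25 characters");`. The same slip appears twice in the registration route, for `username` and `body_pass`. The `about` check a few lines down uses `desp` correctly, though its message still hard-codes 256. The patch handler starts before the hunk.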


@ -16,8 +16,9 @@ app.post("/", rateLimit({
let { username, password: body_pass, about } = req.body; let { username, password: body_pass, about } = req.body;
if (!username || !body_pass) return res.error(400, "You forgot entering some values"); if (!username || !body_pass) return res.error(400, "You forgot entering some values");
if (username.length < 3 || username.length > 25) return res.error(400, "Username must be between 3 - 25 characters"); const {names} = req.app.get("limits");
if (body_pass.length < 3 || body_pass.length > 25) return res.error(400, "Password must be between 3 - 25 characters"); if (username.length < 3 || names > 25) return res.error(400, "Username must be between 3 - 25 characters");
if (body_pass.length < 3 || names > 25) return res.error(400, "Password must be between 3 - 25 characters");
const user = await SecretModel.findOne({ username }); const user = await SecretModel.findOne({ username });
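Review bot: Both new checks test `names > 25`, the config value against a constant, rather than the input length, so neither `username` nor `body_pass` has an upper bound any more; they should be `if (username.length < 3 || username.length > names) return res.error(400, "Username must be between 3 - 25 characters");` and `if (body_pass.length < 3 || body_pass.length > names) return res.error(400, "Password must be between 3 - 25 characters");`. An unbounded password means a string as large as `express.json()` accepts reaches whatever hashing and storage follows, which is what the original bound prevented. The post handler begins before the hunk.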