Add rate limit for opds

2022-09-04 19:47:04 +02:00 · 2022-09-04 19:47:04 +02:00 · 6598c4d259
parent ae3e3559b8
commit 6598c4d259
5 changed files with 16 additions and 5 deletions
--- a/cps/init.py
+++ b/cps/init.py
@ -158,6 +158,7 @@ def create_app():
        cache_buster.init_cache_busting(app)
    log.info('Starting Calibre Web...')
    limiter.init_app(app)
+    # limiter.limit("2/minute")(parent)
    Principal(app)
    lm.init_app(app)
    app.secret_key = os.getenv('SECRET_KEY', config_sql.get_flask_session_key(ub.session))
--- a/cps/admin.py
+++ b/cps/admin.py
@ -119,6 +119,7 @@ def before_request():
                                 'admin.simulatedbchange',
                                 'admin.db_configuration',
                                 'web.login',
+                                 'web.login_post',
                                 'web.logout',
                                 'admin.load_dialogtexts',
                                 'admin.ajax_pathchooser'):
--- a/cps/main.py
+++ b/cps/main.py
@ -18,9 +18,14 @@

 import sys

-from . import create_app
+from . import create_app, limiter
 from .jinjia import jinjia
 from .remotelogin import remotelogin
+from flask import request
+
+
+def request_username():
+    return request.authorization.username

 def main():
    app = create_app()
@ -56,6 +61,7 @@ def main():
    app.register_blueprint(tasks)
    app.register_blueprint(web)
    app.register_blueprint(opds)
+    limiter.limit("10/minute",key_func=request_username)(opds)
    app.register_blueprint(jinjia)
    app.register_blueprint(about)
    app.register_blueprint(shelf)
--- a/cps/opds.py
+++ b/cps/opds.py
@ -31,12 +31,13 @@ from sqlalchemy.sql.expression import func, text, or_, and_, true
 from sqlalchemy.exc import InvalidRequestError, OperationalError
 from werkzeug.security import check_password_hash

-from . import constants, logger, config, db, calibre_db, ub, services, isoLanguages
+from . import constants, logger, config, db, calibre_db, ub, services, isoLanguages, limiter
 from .helper import get_download_link, get_book_cover
 from .pagination import Pagination
 from .web import render_read_books
 from .usermanagement import load_user_from_request
 from flask_babel import gettext as _
+from flask_limiter import RateLimitExceeded

 opds = Blueprint('opds', __name__)

@ -479,6 +480,10 @@ def feed_search(term):


 def check_auth(username, password):
+    try:
+        limiter.check()
+    except RateLimitExceeded:
+        return False
    try:
        username = username.encode('windows-1252')
    except UnicodeEncodeError:
@ -486,6 +491,7 @@ def check_auth(username, password):
    user = ub.session.query(ub.User).filter(func.lower(ub.User.name) ==
                                            username.decode('utf-8').lower()).first()
    if bool(user and check_password_hash(str(user.password), password)):
+        [limiter.limiter.storage.clear(k.key) for k in limiter.current_limits]
        return True
    else:
        ip_address = request.headers.get('X-Forwarded-For', request.remote_addr)
--- a/cps/web.py
+++ b/cps/web.py
@ -1277,9 +1277,6 @@ def handle_login_user(user, remember, message, category):
    [limiter.limiter.storage.clear(k.key) for k in limiter.current_limits]
    return redirect_back(url_for("web.index"))

-def error_logi():
-    flash(_(u"Wait one minute"), category="error")
-    return render_login()

 def render_login():
    next_url = request.args.get('next', default=url_for("web.index"), type=str)