chore: quick fix

api/.env.example

@@ -24,8 +24,12 @@ LDAP_BIND_PASSWORD = <password>
 LDAP_USERS_BASE_DN = <ou=users,dc=cloudron>
 LDAP_GROUPS_BASE_DN = <ou=groups,dc=cloudron>
 
-MAX_WRONG_ATTEMPTS_BY_IP_PER_DAY=[100] default value is 100
-MAX_CONSECUTIVE_FAILS_BY_USERNAME_AND_IP=[10] default value is 10 
+
+MAX_WRONG_ATTEMPTS_BY_IP_PER_DAY=100 
+#default value is 100
+
+MAX_CONSECUTIVE_FAILS_BY_USERNAME_AND_IP=10
+#default value is 10
 
 RUN_TIMES=[sas,js,py | js,py | sas | sas,js] default considered as sas
 SAS_PATH=/opt/sas/sas9/SASHome/SASFoundation/9.4/sas

api/src/utils/rateLimiter.ts

@@ -63,12 +63,12 @@ export class RateLimiter {
     // Check if IP or Username + IP is already blocked
     if (
       resSlowByIP !== null &&
-      resSlowByIP.consumedPoints >= this.maxWrongAttemptsByIpPerDay
+      resSlowByIP.consumedPoints > this.maxWrongAttemptsByIpPerDay
     ) {
       return Math.ceil(resSlowByIP.msBeforeNext / 1000)
     } else if (
       resUsernameAndIP !== null &&
-      resUsernameAndIP.consumedPoints >= this.maxConsecutiveFailsByUsernameAndIp
+      resUsernameAndIP.consumedPoints > this.maxConsecutiveFailsByUsernameAndIp
     ) {
       return Math.ceil(resUsernameAndIP.msBeforeNext / 1000)
     }
@@ -98,6 +98,10 @@ export class RateLimiter {
       if (rlRejected instanceof Error) {
         throw rlRejected
       } else {
+        // based upon the implementation of consume method of RateLimiterMongo
+        // we are sure that rlRejected will contain msBeforeNext
+        // for further reference,
+        // see https://github.com/animir/node-rate-limiter-flexible/wiki/Overall-example#login-endpoint-protection
         return Math.ceil(rlRejected.msBeforeNext / 1000)
       }
     }