From c1c0554de2ddc14ada88f4754fa2e2221e0e61fa Mon Sep 17 00:00:00 2001
From: Sabir Hassan
Date: Wed, 29 Mar 2023 22:05:29 +0500
Subject: [PATCH] chore: quick fix
---
 api/.env.example | 8 ++++++--
 api/src/utils/rateLimiter.ts | 8 ++++++--
 2 files changed, 12 insertions(+), 4 deletions(-)
diff --git a/api/.env.example b/api/.env.example
index c61dec2..6e0ce24 100644
--- a/api/.env.example
+++ b/api/.env.example
@@ -24,8 +24,12 @@ LDAP_BIND_PASSWORD =
 LDAP_USERS_BASE_DN =
 LDAP_GROUPS_BASE_DN =
-MAX_WRONG_ATTEMPTS_BY_IP_PER_DAY=[100] default value is 100
-MAX_CONSECUTIVE_FAILS_BY_USERNAME_AND_IP=[10] default value is 10
+
+MAX_WRONG_ATTEMPTS_BY_IP_PER_DAY=100
+#default value is 100
+
+MAX_CONSECUTIVE_FAILS_BY_USERNAME_AND_IP=10
+#default value is 10
 RUN_TIMES=[sas,js,py | js,py | sas | sas,js] default considered as sas
 SAS_PATH=/opt/sas/sas9/SASHome/SASFoundation/9.4/sas
diff --git a/api/src/utils/rateLimiter.ts b/api/src/utils/rateLimiter.ts
index fd13d76..e836cd2 100644
--- a/api/src/utils/rateLimiter.ts
+++ b/api/src/utils/rateLimiter.ts
@@ -63,12 +63,12 @@ export class RateLimiter {
 // Check if IP or Username + IP is already blocked
 if (
 resSlowByIP !== null &&
- resSlowByIP.consumedPoints >= this.maxWrongAttemptsByIpPerDay
+ resSlowByIP.consumedPoints > this.maxWrongAttemptsByIpPerDay
 ) {
 return Math.ceil(resSlowByIP.msBeforeNext / 1000)
 } else if (
 resUsernameAndIP !== null &&
- resUsernameAndIP.consumedPoints >= this.maxConsecutiveFailsByUsernameAndIp
+ resUsernameAndIP.consumedPoints > this.maxConsecutiveFailsByUsernameAndIp
 ) {
 return Math.ceil(resUsernameAndIP.msBeforeNext / 1000)
 }
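Review bot: In `api/src/utils/rateLimiter.ts` (hunk `@@ -63,12`), relaxing both pre-checks from `>=` to `>` moves the point at which a client counts as blocked, and nothing in the code or the commit message records that boundary. If the limiters' `points` are set to the same two values (their construction is outside this hunk), a client now gets limit + 1 failed logins evaluated before being blocked, which may not be what an operator reads into `MAX_WRONG_ATTEMPTS_BY_IP_PER_DAY` and `MAX_CONSECUTIVE_FAILS_BY_USERNAME_AND_IP`. I would add a comment above the condition such as `// blocked only once consumedPoints exceeds the limit, matching when consume() rejects`, and a test that pins the behaviour at exactly the limit and at limit + 1. The enclosing method starts and ends outside the hunk.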
@@ -98,6 +98,10 @@ export class RateLimiter {
 if (rlRejected instanceof Error) {
 throw rlRejected
 } else {
+ // based upon the implementation of consume method of RateLimiterMongo
+ // we are sure that rlRejected will contain msBeforeNext
+ // for further reference,
+ // see https://github.com/animir/node-rate-limiter-flexible/wiki/Overall-example#login-endpoint-protection
 return Math.ceil(rlRejected.msBeforeNext / 1000)
 }
 }
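Review bot: The added comment asserts that `rlRejected` will carry `msBeforeNext`, but the `else` branch still does not check it, so any non-Error rejection without that field makes this return `NaN`. For a brute-force control it is safer to fail closed, for example `if (typeof rlRejected?.msBeforeNext !== 'number') throw new Error('unexpected rate limiter rejection')` placed before the `return`. How callers treat a `NaN` retry value is not visible here, so the impact is an assumption to confirm. The enclosing method starts outside the hunk.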