parse-community · dblythy · Apr 14, 2023 · Apr 14, 2023 · Apr 14, 2023 · Dec 25, 2023
diff --git a/spec/RateLimit.spec.js b/spec/RateLimit.spec.js
@@ -316,6 +316,91 @@ describe('rate limit', () => {
     );
   });
 
+  it('can define default rateLimit', async () => {
+    const rateLimit = require('../lib/Options/Definitions.js').ParseServerOptions.rateLimit.default;
+    const emailAdapter = {
+      sendVerificationEmail: () => Promise.resolve(),
+      sendPasswordResetEmail: () => {},
+      sendMail: () => {},
+    };
+    await reconfigureServer({
+      rateLimit: rateLimit.map(limit => {
+        limit.includeInternalRequests = true;
+        return limit;
+      }),
+
+      appName: 'passwordPolicy',
+      emailAdapter: emailAdapter,
+      publicServerURL: 'http://localhost:8378/1',
+    });
+
+    await Promise.all([
+      Parse.User.signUp('username', 'pass'),
+      Parse.User.signUp('username2', 'pass'),
+    ]);
+    await expectAsync(Parse.User.signUp('username3', 'pass')).toBeRejectedWith(
+      new Parse.Error(Parse.Error.CONNECTION_FAILED, 'Too many requests')
+    );
+
+    const failedLogin = async () => {
+      try {
+        await Parse.User.logIn('user', 'pass');
+      } catch (e) {
+        if (e.code !== Parse.Error.OBJECT_NOT_FOUND) {
+          throw e;
+        }
+      }
+    };
+
+    await Promise.all([failedLogin(), failedLogin()]);
+    await expectAsync(failedLogin()).toBeRejectedWith(
+      new Parse.Error(Parse.Error.CONNECTION_FAILED, 'Too many requests')
+    );
+
+    await expectAsync(Parse.User.verifyPassword('username', 'password')).toBeRejectedWith(
+      new Parse.Error(Parse.Error.CONNECTION_FAILED, 'Too many requests')
+    );
+
+    const mockUser = new Parse.User();
+    mockUser.set('email', 'test@example.com');
+    mockUser.set('username', 'test');
+    mockUser.set('password', 'password');
+    await mockUser.signUp(null, { useMasterKey: true });
+
+    await Promise.all([
+      Parse.User.requestPasswordReset('test@example.com'),
+      Parse.User.requestPasswordReset('test@example.com'),
+    ]);
+    await expectAsync(Parse.User.requestPasswordReset('test@example.com')).toBeRejectedWith(
+      new Parse.Error(Parse.Error.CONNECTION_FAILED, 'Too many requests')
+    );
+    await expectAsync(Parse.User.requestEmailVerification('test@example.com')).toBeRejectedWith(
+      new Parse.Error(Parse.Error.CONNECTION_FAILED, 'Too many requests')
+    );
+
+    const getMe = async () => {
+      const headers = {
+        'Content-Type': 'application/json',
+        'X-Parse-Application-Id': 'test',
+        'X-Parse-REST-API-Key': 'rest',
+        'X-Parse-Session-Token': 'abc',
+      };
+      const request = require('../lib/request');
+      const res = await request({
+        headers,
+        url: 'http://localhost:8378/1/sessions/me',
+      }).catch(e => e);
+      if (res.data.code === Parse.Error.CONNECTION_FAILED) {
+        throw new Parse.Error(res.data.code, res.data.error);
+      }
+    };
+
+    await Promise.all([getMe(), getMe()]);
+    await expectAsync(getMe()).toBeRejectedWith(
+      new Parse.Error(Parse.Error.CONNECTION_FAILED, 'Too many requests')
+    );
+  });
+
   it('does not limit internal calls', async () => {
     await reconfigureServer({
       rateLimit: [

diff --git a/spec/helper.js b/spec/helper.js
@@ -120,6 +120,7 @@ const defaultConfiguration = {
       apiKey: 'yolo',
     },
   },
+  rateLimit: [],
   auth: {
     // Override the facebook provider
     custom: mockCustom(),

diff --git a/src/Options/Definitions.js b/src/Options/Definitions.js
@@ -471,7 +471,38 @@ module.exports.ParseServerOptions = {
     help:
       "Options to limit repeated requests to Parse Server APIs. This can be used to protect sensitive endpoints such as `/requestPasswordReset` from brute-force attacks or Parse Server as a whole from denial-of-service (DoS) attacks.<br><br>\u2139\uFE0F Mind the following limitations:<br>- rate limits applied per IP address; this limits protection against distributed denial-of-service (DDoS) attacks where many requests are coming from various IP addresses<br>- if multiple Parse Server instances are behind a load balancer or ran in a cluster, each instance will calculate it's own request rates, independent from other instances; this limits the applicability of this feature when using a load balancer and another rate limiting solution that takes requests across all instances into account may be more suitable<br>- this feature provides basic protection against denial-of-service attacks, but a more sophisticated solution works earlier in the request flow and prevents a malicious requests to even reach a server instance; it's therefore recommended to implement a solution according to architecture and user case.",
     action: parsers.arrayParser,
-    default: [],
+    default: [
+      {
+        requestPath: '/users',
+        requestTimeWindow: 3600000,
+        requestCount: 2,
+        errorResponseMessage: 'Too many requests',
+      },
+      {
+        requestPath: '/login|verifyPassword',
+        requestTimeWindow: 3600000,
+        requestCount: 2,
+        errorResponseMessage: 'Too many requests',
+      },
+      {
+        requestPath: '/requestPasswordReset|verificationEmailRequest',
+        requestTimeWindow: 3600000,
+        requestCount: 2,
+        errorResponseMessage: 'Too many requests',
+      },
+      {
+        requestPath: '/sessions/me',
+        requestTimeWindow: 3600000,
+        requestCount: 2,
+        errorResponseMessage: 'Too many requests',
+      },
+      {
+        requestPath: '*',
+        requestTimeWindow: 900000,
+        requestCount: 200,
+        errorResponseMessage: 'Too many requests',
+      },
+    ],
   },
   readOnlyMasterKey: {
     env: 'PARSE_SERVER_READ_ONLY_MASTER_KEY',

diff --git a/src/Options/index.js b/src/Options/index.js
@@ -327,7 +327,7 @@ export interface ParseServerOptions {
   :DEFAULT: [{"key":"_bsontype","value":"Code"},{"key":"constructor"},{"key":"__proto__"}] */
   requestKeywordDenylist: ?(RequestKeywordDenylist[]);
   /* Options to limit repeated requests to Parse Server APIs. This can be used to protect sensitive endpoints such as `/requestPasswordReset` from brute-force attacks or Parse Server as a whole from denial-of-service (DoS) attacks.<br><br>ℹ️ Mind the following limitations:<br>- rate limits applied per IP address; this limits protection against distributed denial-of-service (DDoS) attacks where many requests are coming from various IP addresses<br>- if multiple Parse Server instances are behind a load balancer or ran in a cluster, each instance will calculate it's own request rates, independent from other instances; this limits the applicability of this feature when using a load balancer and another rate limiting solution that takes requests across all instances into account may be more suitable<br>- this feature provides basic protection against denial-of-service attacks, but a more sophisticated solution works earlier in the request flow and prevents a malicious requests to even reach a server instance; it's therefore recommended to implement a solution according to architecture and user case.
-  :DEFAULT: [] */
+  :DEFAULT: [{"requestPath":"/users","requestTimeWindow":3600000,"requestCount":2,"errorResponseMessage":"Too many requests"},{"requestPath":"/login|verifyPassword","requestTimeWindow":3600000,"requestCount":2,"errorResponseMessage":"Too many requests"},{"requestPath":"/requestPasswordReset|verificationEmailRequest","requestTimeWindow":3600000,"requestCount":2,"errorResponseMessage":"Too many requests"},{"requestPath":"/sessions/me","requestTimeWindow":3600000,"requestCount":2,"errorResponseMessage":"Too many requests"},{"requestPath":"*","requestTimeWindow":900000,"requestCount":200,"errorResponseMessage":"Too many requests"}] */
   rateLimit: ?(RateLimitOptions[]);
 }