From 5b78f948ccd0fb7711b695b78fd5c9249de43898 Mon Sep 17 00:00:00 2001
From: Ahmed Haitham
Date: Sun, 1 Jun 2025 05:55:51 +0300
Subject: [PATCH] Potential fix for code scanning alert no. 39: Missing rate limiting

Co-authored-by: Copilot Autofix powered by AI <62310815+github-advanced-security[bot]@users.noreply.github.com>
---
 package.json | 3 ++-
 routes/GenericRoutes.js | 11 ++++++++++-
 2 files changed, 12 insertions(+), 2 deletions(-)

diff --git a/package.json b/package.json
index 49901b22..35658381 100644
--- a/package.json
+++ b/package.json
@@ -35,7 +35,8 @@
 "pdfkit": "^0.14.0",
 "socket.io": "^4.7.2",
 "stripe": "^14.4.0",
- "uuid": "^11.1.0"
+ "uuid": "^11.1.0",
+ "express-rate-limit": "^7.5.0"
 },
 "devDependencies": {
 "@types/debug": "^4.1.9",
diff --git a/routes/GenericRoutes.js b/routes/GenericRoutes.js
index 10614473..513d328d 100644
--- a/routes/GenericRoutes.js
+++ b/routes/GenericRoutes.js
@@ -1,5 +1,6 @@
 const express = require("express");
 const router = express.Router();
+const rateLimit = require("express-rate-limit");
 
 // ==========================
 // Controllers
@@ -10,12 +11,20 @@ const {
 createPaymentIntent,
 } = require("../functions/CreatePaymentIntent.js");
 
+// ==========================
+// Rate Limiter
+// ==========================
+const resetPasswordLimiter = rateLimit({
+ windowMs: 15 * 60 * 1000, // 15 minutes
+ max: 5, // limit each IP to 5 requests per windowMs
+});
+
 // ==========================
 // Routes
 // ==========================
 router.post("/login", LoginController.login);
 router.post("/logout", LoginController.logout);
-router.post("/resetPassword", resetPassword);
+router.post("/resetPassword", resetPasswordLimiter, resetPassword);
 router.post("/payment/payment-intent", createPaymentIntent);
 
 module.exports = router;
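Review bot: The new `express-rate-limit` entry arrives without a lockfile update — the diffstat lists only package.json and routes/GenericRoutes.js — so if the project commits a package-lock.json it should be regenerated in the same change; otherwise the `^7.5.0` range resolves to whatever is current at install time rather than a reviewed, pinned version. The entry is also appended after `uuid`, breaking the alphabetical order of the surrounding `dependencies` block; running `npm install express-rate-limit` would have placed it sorted.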
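Review bot: `resetPasswordLimiter` keys on the client IP by default, so its effect on the `router.post("/resetPassword", ...)` line depends on Express's `trust proxy` setting, which this diff does not show: behind a reverse proxy with `trust proxy` unset every client shares the proxy's address and a single bucket of 5, while an over-permissive `trust proxy` lets a client-supplied `X-Forwarded-For` choose the key; confirm the setting in the file that creates the `express()` app. The adjacent `router.post("/login", LoginController.login)` stays unlimited although it is the more usual credential-guessing target; a separately configured limiter there, `router.post("/login", loginLimiter, LoginController.login);`, would close the same class of alert. The default in-memory store is per process and resets on restart, so if the app runs more than one instance (not visible here) a shared store is needed for the 5-per-15-minutes limit to hold across instances. The two comments on `windowMs` and `max` are helpful; a one-line note above the block stating why only `/resetPassword` is limited would spare the next reader from guessing whether the omission of `/login` is intentional.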