refactor(restrictor.js): status 401 only can be used on token revoke,…
… use 403 instead
supersonictw committed Oct 25, 2024
1 parent f7e4df7 commit ad157f2
Showing 3 changed files with 28 additions and 32 deletions.
20 changes: 10 additions & 10 deletions src/middleware/restrictor.js
Expand Up @@ -34,9 +34,9 @@ function getPathKey(req, isParam) {
// ttl is the seconds to unblock the IP address if there no request comes.
// if ttl set as 0, it will be blocked forever until the software restarted.
// isParam is the flag to remove the last path from the key.
// customUnauthorizedStatus is the custom status code
// for unauthorized request, optional.
module.exports = (max, ttl, isParam, customUnauthorizedStatus=null) =>
// customForbiddenStatus is the custom status code
// for forbidden request, optional.
module.exports = (max, ttl, isParam, customForbiddenStatus=null) =>
(req, res, next) => {
const pathKey = getPathKey(req, isParam);
const visitorKey = getIPAddress(req);
Expand All @@ -55,7 +55,7 @@ module.exports = (max, ttl, isParam, customUnauthorizedStatus=null) =>
if (!isProduction()) {
// Debug message
console.warn(
"Too many unauthorized requests received:",
"Too many forbidden requests received:",
`actual "${keyValue}"`,
`expect "${max}"`,
);
Expand All @@ -65,20 +65,20 @@ module.exports = (max, ttl, isParam, customUnauthorizedStatus=null) =>
return;
}

let unauthorizedStatus = StatusCodes.UNAUTHORIZED;
if (customUnauthorizedStatus) {
unauthorizedStatus = customUnauthorizedStatus;
let forbiddenStatus = StatusCodes.FORBIDDEN;
if (customForbiddenStatus) {
forbiddenStatus = customForbiddenStatus;
}

res.on("finish", () => {
if (res.statusCode !== unauthorizedStatus) {
if (res.statusCode !== forbiddenStatus) {
return;
}
if (!isProduction()) {
// Debug message
console.warn(
"An unauthorized request detected:",
unauthorizedStatus,
"An forbidden request detected:",
forbiddenStatus,
queryKey,
);
}
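Review bot: The finish handler's `if (res.statusCode !== forbiddenStatus)` compares strictly against whatever the caller passed as customForbiddenStatus, so a value supplied as a string (e.g. a constructed `"403"` read from configuration) never matches, the counter silently never increments and the block is effectively disabled; replace the truthiness assignment with `const forbiddenStatus = customForbiddenStatus ?? StatusCodes.FORBIDDEN;` followed by `if (!Number.isInteger(forbiddenStatus)) throw new TypeError("customForbiddenStatus must be an integer status code");`. The header comment should also state that only responses finishing with this single status are counted, so routes that keep answering 401 (per the commit title, token revocation) no longer contribute to the block — something like `// Only responses that finish with forbiddenStatus count toward the block; 401 responses are ignored.` Minor: the debug string should read `"A forbidden request detected:"`. The exported arrow function spans all three hunks and continues past the last one.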
16 changes: 8 additions & 8 deletions src/routes/tokens.js
Expand Up @@ -250,8 +250,8 @@ router.post("/",
* 201:
* description: Returns a header named
* "x-sara-refresh" that contains the access token.
* 401:
* description: Returns "Unauthorized"
* 403:
* description: Returns "Forbidden"
* if the user's identity cannot be verified.
* 404:
* description: Returns "Not Found" if the user cannot be found.
Expand All @@ -269,7 +269,7 @@ router.patch("/",

if (metadata === null) {
// Check metadata
res.sendStatus(StatusCodes.UNAUTHORIZED);
res.sendStatus(StatusCodes.FORBIDDEN);
return;
} else {
// Remove session
Expand Down Expand Up @@ -473,8 +473,8 @@ router.post("/passkeys",
* 201:
* description: Returns a header named
* "x-sara-refresh" that contains the access token.
* 401:
* description: Returns "Unauthorized"
* 403:
* description: Returns "Forbidden"
* if the user's identity cannot be verified.
* 404:
* description: Returns "Not Found" if the user cannot be found.
Expand All @@ -491,7 +491,7 @@ router.patch("/passkeys",

if (metadata === null) {
// Check metadata
res.sendStatus(StatusCodes.UNAUTHORIZED);
res.sendStatus(StatusCodes.FORBIDDEN);
return;
} else {
// Remove session
Expand Down Expand Up @@ -525,12 +525,12 @@ router.patch("/passkeys",
});
} catch (error) {
console.error(error);
res.sendStatus(StatusCodes.UNAUTHORIZED);
res.sendStatus(StatusCodes.FORBIDDEN);
return;
}

if (!verification.verified) {
res.sendStatus(StatusCodes.UNAUTHORIZED);
res.sendStatus(StatusCodes.FORBIDDEN);
return;
}

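Review bot: The catch block just before `if (!verification.verified)` now answers every exception thrown by the verification step with 403, so an error that is actually a server-side fault (a store or library failure rather than a bad assertion) is reported as a client failure, and because restrictor.js counts responses finishing with 403 toward the IP block, an outage on that path would start blocking legitimate clients. If the verifier is known to throw only for invalid credentials, a comment on the catch saying so would justify the 403; otherwise that branch should send `StatusCodes.INTERNAL_SERVER_ERROR` and leave 403 to the `!verification.verified` check. The route handlers around these hunks start and end outside them.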
24 changes: 10 additions & 14 deletions src/routes/users.js
Expand Up @@ -240,10 +240,6 @@ router.delete("/me",
* example: 62159db19d393b330e57ca63
* 400:
* description: Invalid request body
* 401:
* description: Unauthorized
* 403:
* description: Rate limit exceeded
* 409:
* description: Email address already in use
* 500:
Expand Down Expand Up @@ -348,7 +344,7 @@ router.put("/me/email",
* responses:
* 201:
* description: The email is updated successfully.
* 401:
* 403:
* description: Invalid verification code or session ID.
* 404:
* description: The user is not found.
Expand All @@ -367,7 +363,7 @@ router.patch("/me/email",

if (metadata === null) {
// Check metadata
res.sendStatus(StatusCodes.UNAUTHORIZED);
res.sendStatus(StatusCodes.FORBIDDEN);
return;
} else {
// Remove session
Expand Down Expand Up @@ -560,8 +556,8 @@ router.post("/me/passkeys",
* 201:
* description: Returns a header named
* "x-sara-refresh" that contains the access token.
* 401:
* description: Returns "Unauthorized"
* 403:
* description: Returns "Forbidden"
* if the user's identity cannot be verified.
* 404:
* description: Returns "Not Found" if the user cannot be found.
Expand All @@ -582,7 +578,7 @@ router.patch("/me/passkeys",

if (metadata === null) {
// Check metadata
res.sendStatus(StatusCodes.UNAUTHORIZED);
res.sendStatus(StatusCodes.FORBIDDEN);
return;
} else {
// Remove session
Expand Down Expand Up @@ -961,14 +957,14 @@ router.post("/",
* code: "1234567"
* session_id: "abc123"
* responses:
* '201':
* 201:
* description: Returns a 201 status code with
* a 'x-sara-refresh' token in the header.
* '401':
* description: Returns a 401 status code
* 403:
* description: Returns a 403 status code
* if the provided code and session ID
* do not match or are invalid.
* '409':
* 409:
* description: Returns a 409 status code if a user
* with the provided email address already exists.
*/
Expand All @@ -985,7 +981,7 @@ router.patch("/",

if (metadata === null) {
// Check metadata
res.sendStatus(StatusCodes.UNAUTHORIZED);
res.sendStatus(StatusCodes.FORBIDDEN);
return;
} else {
// Remove session
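Review bot: The first hunk removes both the `401:` and the `403: Rate limit exceeded` entries from that route's response list instead of merging them, so if the route is still behind the restrictor middleware its rate-limit response is no longer documented, and any 403 the route itself now sends for a rejected request is not listed either. A single kept entry would preserve the contract, e.g. `403:` with `description: Forbidden (verification failed or rate limit exceeded)`. The remaining hunks match the tokens.js change; the route handlers start and end outside the hunks.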
