tmdinosaurcenter/kiosk-guestbook
1
0
Fork 0
mirror of https://github.com/tmdinosaurcenter/kiosk-guestbook.git synced 2026-06-04 01:50:03 -06:00
Code Issues Packages Projects Releases Wiki Activity

fix: rate-limit admin login and API endpoint

Browse Source 
Limits POST to /admin/login to 10 requests/minute to block brute-force
attacks. Limits GET /api/guests to 100 requests/hour to prevent bulk
data exfiltration.
This commit is contained in:
Steve Dogiakos
2026-03-28 23:16:08 -06:00
parent 4d58e0f0a1
commit 61a298a735
1 changed files with 2 additions and 0 deletions
Download Patch File Download Diff File Expand all files Collapse all files
app.py
+2
View File
@@ -295,6 +295,7 @@ def _admin_configured():
return bool(os.environ.get('ADMIN_USER') and os.environ.get('ADMIN_PASSWORD')) return bool(os.environ.get('ADMIN_USER') and os.environ.get('ADMIN_PASSWORD'))
@app.route('/admin/login', methods=['GET', 'POST']) @app.route('/admin/login', methods=['GET', 'POST'])
@limiter.limit("10 per minute", methods=["POST"])
def admin_login(): def admin_login():
if not _admin_configured(): if not _admin_configured():
abort(503) abort(503)
@@ -450,6 +451,7 @@ def admin_users_delete(user_id):
# --------------------------------------------------------------------------- # ---------------------------------------------------------------------------
@app.route('/api/guests', methods=['GET']) @app.route('/api/guests', methods=['GET'])
@limiter.limit("100 per hour")
def api_guests(): def api_guests():
api_key = request.headers.get('X-API-Key') api_key = request.headers.get('X-API-Key')
if api_key != os.environ.get("API_KEY"): if api_key != os.environ.get("API_KEY"):