change: security with ENV

src/routes/index.ts

@@ -22,17 +22,34 @@ import authenticateAPI from "../middleware/authenticateAPI";
 import server from "./server";
 import PermissionHelper from "../helpers/permissionHelper";
 import preventWebapiAccess from "../middleware/preventWebApiAccess";
+import ms from "ms";
+import {
+  SECURITY_LIMIT_REQUEST_COUNT,
+  SECURITY_LIMIT_WINDOW,
+  SECURITY_STRICT_LIMIT_REQUEST_COUNT,
+  SECURITY_STRICT_LIMIT_WINDOW,
+  USE_SECURITY_LIMIT,
+  USE_SECURITY_STRICT_LIMIT,
+} from "../env.defaults";
 
 const strictLimiter = rateLimit({
-  windowMs: 15 * 60 * 1000,
-  max: 10,
-  message: "Zu viele Anmeldeversuche innerhalb von 15 Minuten. Bitte warten.",
+  windowMs: ms(SECURITY_STRICT_LIMIT_WINDOW),
+  max: SECURITY_STRICT_LIMIT_REQUEST_COUNT,
+  message: `Zu viele Anmeldeversuche innerhalb von ${SECURITY_STRICT_LIMIT_WINDOW}. Bitte warten.`,
+  skipSuccessfulRequests: true,
+  skip: () => {
+    return USE_SECURITY_STRICT_LIMIT == "false";
+  },
 });
 
 const generalLimiter = rateLimit({
-  windowMs: 60 * 1000,
-  max: 500,
-  message: "Zu viele Anfragen innerhalb von 1 Minute. Bitte warten.",
+  windowMs: ms(SECURITY_LIMIT_WINDOW),
+  max: SECURITY_LIMIT_REQUEST_COUNT,
+  message: `Zu viele Anfragen innerhalb von ${SECURITY_LIMIT_WINDOW}. Bitte warten.`,
+  skipSuccessfulRequests: true,
+  skip: () => {
+    return USE_SECURITY_LIMIT == "false";
+  },
 });
 
 function excludePaths(middleware: RequestHandler, excludedPaths: Array<string>) {