
Add apiLimiter

https://youtrack.weseek.co.jp/issue/GW-7759
- Implement apiLimiter in the customize-logo, uploadBrandLogo and removeBrandLogo routes
mudana 3 лет назад
Родитель
Сommit
1226448bf8

+ 10 - 1
packages/app/src/server/routes/apiv3/customize-setting.js

@@ -1,4 +1,6 @@
 /* eslint-disable no-unused-vars */
+import rateLimit from 'express-rate-limit';
+
 import loggerFactory from '~/utils/logger';
 
 import { apiV3FormValidator } from '../../middlewares/apiv3-form-validator';
@@ -13,6 +15,13 @@ const { body, query } = require('express-validator');
 
 const ErrorV3 = require('../../models/vo/error-apiv3');
 
+const apiLimiter = rateLimit({
+  windowMs: 15 * 60 * 1000, // 15 minutes
+  max: 10, // limit each IP to 10 requests per windowMs
+  message:
+    'Too many requests were sent from this IP. Please try a password reset request again on the password reset request form',
+});
+
 /**
  * @swagger
  *  tags:
@@ -618,7 +627,7 @@ module.exports = (crowi) => {
     }
   });
 
-  router.put('/customize-logo', loginRequiredStrictly, adminRequired, csrf, validator.logo, apiV3FormValidator, async(req, res) => {
+  router.put('/customize-logo', apiLimiter, loginRequiredStrictly, adminRequired, csrf, validator.logo, apiV3FormValidator, async(req, res) => {
 
     const {
       isDefaultLogo, brandLogoAttachmentId, uploadedLogoSrc,
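Review bot: The `message` on the new apiLimiter (lines 29–30) still talks about a password reset request form, which does not match the customize-logo route it guards and looks carried over from another limiter; replace it with wording for this endpoint, e.g. `message: 'Too many requests were sent from this IP. Please try again later.',`. Because the limiter is registered ahead of loginRequiredStrictly in the third hunk, unauthenticated and failed requests also count toward the per-IP quota, which is a reasonable default but deserves a short comment on the `const apiLimiter = rateLimit({` line. express-rate-limit keys on the client IP, so if this app runs behind a reverse proxy the limit only behaves as intended when Express's trust proxy setting is configured — that cannot be confirmed from this page. The enclosing module.exports function in the third hunk starts and ends outside the hunk.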

+ 2 - 2
packages/app/src/server/routes/index.js

@@ -190,8 +190,8 @@ module.exports = function(crowi, app) {
   apiV1Router.post('/attachments.remove'               , accessTokenParser , loginRequiredStrictly , csrf, attachment.api.remove);
   apiV1Router.post('/attachments.removeProfileImage'   , accessTokenParser , loginRequiredStrictly , csrf, attachment.api.removeProfileImage);
   apiV1Router.get('/attachments.limit'   , accessTokenParser , loginRequiredStrictly, attachment.api.limit);
-  apiV1Router.post('/attachments.uploadBrandLogo'   , uploads.single('file'), autoReap, accessTokenParser, loginRequiredStrictly ,csrf, attachment.api.uploadBrandLogo);
-  apiV1Router.post('/attachments.removeBrandLogo'      , accessTokenParser , loginRequiredStrictly , csrf, attachment.api.removeBrandLogo);
+  apiV1Router.post('/attachments.uploadBrandLogo'   , apiLimiter, uploads.single('file'), autoReap, accessTokenParser, loginRequiredStrictly ,csrf, attachment.api.uploadBrandLogo);
+  apiV1Router.post('/attachments.removeBrandLogo'      , apiLimiter, accessTokenParser , loginRequiredStrictly , csrf, attachment.api.removeBrandLogo);
 
   // API v1
   app.use('/_api', unavailableWhenMaintenanceModeForApi, apiV1Router);
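Review bot: `apiLimiter` is referenced on the two changed lines (55–56) but nothing in this commit defines or imports it in routes/index.js — the only definition added is the module-local const in customize-setting.js, which is not exported. Unless index.js already declares apiLimiter outside this hunk, route registration will throw a ReferenceError at startup; the fix is to add `const rateLimit = require('express-rate-limit');` (or the import style this file uses) and a local `const apiLimiter = rateLimit({ windowMs: 15 * 60 * 1000, max: 10 });` near the top of the file. Note that each `rateLimit()` call keeps its own in-memory counter, so these two v1 routes would share a quota separate from customize-logo's, and per-process counters do not aggregate across multiple app instances. The enclosing module.exports function starts and ends outside the hunk.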