diff --git a/packages/server/modules/core/services/ratelimiter.ts b/packages/server/modules/core/services/ratelimiter.ts
index 41769e45f..8246c2d00 100644
--- a/packages/server/modules/core/services/ratelimiter.ts
+++ b/packages/server/modules/core/services/ratelimiter.ts
@@ -29,6 +29,7 @@ export enum RateLimitAction {
 'GET /objects/:streamId/:objectId' = 'GET /objects/:streamId/:objectId',
 'GET /objects/:streamId/:objectId/single' = 'GET /objects/:streamId/:objectId/single',
 'POST /graphql' = 'POST /graphql',
+ 'GET /auth/local' = 'GET /auth/local',
 'GET /auth/azure' = 'GET /auth/azure',
 'GET /auth/gh' = 'GET /auth/gh',
 'GET /auth/google' = 'GET /auth/google',
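Review bot: The new action is keyed on the exact method and path `GET /auth/local`, so only requests the router dispatches under that key are counted; if the local strategy's credential-submitting endpoints are POST requests (a login or register form), they would fall outside this limit, and those are presumably the requests most worth throttling. Worth checking against the local auth handler which method and path it actually serves and adding matching actions if they differ. The enum member has no effect until the corresponding `LIMITS` entry exists, which this commit adds further down in the same file.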
@@ -178,84 +179,94 @@ export const LIMITS: RateLimiterOptions = {
 duration: 1 * TIME.minute
 }
 },
- 'GET /auth/azure': {
+ 'GET /auth/local': {
 regularOptions: {
- limitCount: getIntFromEnv('RATELIMIT_GET_AUTH', '2'),
- duration: 1 * TIME.second
+ limitCount: getIntFromEnv('RATELIMIT_GET_AUTH', '4'),
+ duration: 10 * TIME.minute
 },
 burstOptions: {
- limitCount: getIntFromEnv('RATELIMIT_BURST_GET_AUTH', '20'),
- duration: 1 * TIME.minute
+ limitCount: getIntFromEnv('RATELIMIT_BURST_GET_AUTH', '10'),
+ duration: 30 * TIME.minute
+ }
+ },
+ 'GET /auth/azure': {
+ regularOptions: {
+ limitCount: getIntFromEnv('RATELIMIT_GET_AUTH', '4'),
+ duration: 10 * TIME.minute
+ },
+ burstOptions: {
+ limitCount: getIntFromEnv('RATELIMIT_BURST_GET_AUTH', '10'),
+ duration: 30 * TIME.minute
 }
 },
 'GET /auth/gh': {
 regularOptions: {
- limitCount: getIntFromEnv('RATELIMIT_GET_AUTH', '2'),
- duration: 1 * TIME.second
+ limitCount: getIntFromEnv('RATELIMIT_GET_AUTH', '4'),
+ duration: 10 * TIME.minute
 },
 burstOptions: {
- limitCount: getIntFromEnv('RATELIMIT_BURST_GET_AUTH', '20'),
- duration: 1 * TIME.minute
+ limitCount: getIntFromEnv('RATELIMIT_BURST_GET_AUTH', '10'),
+ duration: 30 * TIME.minute
 }
 },
 'GET /auth/google': {
 regularOptions: {
- limitCount: getIntFromEnv('RATELIMIT_GET_AUTH', '2'),
- duration: 1 * TIME.second
+ limitCount: getIntFromEnv('RATELIMIT_GET_AUTH', '4'),
+ duration: 10 * TIME.minute
 },
 burstOptions: {
- limitCount: getIntFromEnv('RATELIMIT_BURST_GET_AUTH', '20'),
- duration: 1 * TIME.minute
+ limitCount: getIntFromEnv('RATELIMIT_BURST_GET_AUTH', '10'),
+ duration: 30 * TIME.minute
 }
 },
 'GET /auth/oidc': {
 regularOptions: {
- limitCount: getIntFromEnv('RATELIMIT_GET_AUTH', '2'),
- duration: 1 * TIME.second
+ limitCount: getIntFromEnv('RATELIMIT_GET_AUTH', '4'),
+ duration: 10 * TIME.minute
 },
 burstOptions: {
- limitCount: getIntFromEnv('RATELIMIT_BURST_GET_AUTH', '20'),
- duration: 1 * TIME.minute
+ limitCount: getIntFromEnv('RATELIMIT_BURST_GET_AUTH', '10'),
+ duration: 30 * TIME.minute
 }
 },
 'GET /auth/azure/callback': {
 regularOptions: {
- limitCount: getIntFromEnv('RATELIMIT_GET_AUTH', '2'),
- duration: 1 * TIME.second
+ limitCount: getIntFromEnv('RATELIMIT_GET_AUTH', '4'),
+ duration: 10 * TIME.minute
 },
 burstOptions: {
- limitCount: getIntFromEnv('RATELIMIT_BURST_GET_AUTH', '20'),
- duration: 1 * TIME.minute
+ limitCount: getIntFromEnv('RATELIMIT_BURST_GET_AUTH', '10'),
+ duration: 30 * TIME.minute
 }
 },
 'GET /auth/gh/callback': {
 regularOptions: {
- limitCount: getIntFromEnv('RATELIMIT_GET_AUTH', '2'),
- duration: 1 * TIME.second
+ limitCount: getIntFromEnv('RATELIMIT_GET_AUTH', '4'),
+ duration: 10 * TIME.minute
 },
 burstOptions: {
- limitCount: getIntFromEnv('RATELIMIT_BURST_GET_AUTH', '20'),
- duration: 1 * TIME.minute
+ limitCount: getIntFromEnv('RATELIMIT_BURST_GET_AUTH', '10'),
+ duration: 30 * TIME.minute
 }
 },
 'GET /auth/google/callback': {
 regularOptions: {
- limitCount: getIntFromEnv('RATELIMIT_GET_AUTH', '2'),
- duration: 1 * TIME.second
+ limitCount: getIntFromEnv('RATELIMIT_GET_AUTH', '4'),
+ duration: 10 * TIME.minute
 },
 burstOptions: {
- limitCount: getIntFromEnv('RATELIMIT_BURST_GET_AUTH', '20'),
- duration: 1 * TIME.minute
+ limitCount: getIntFromEnv('RATELIMIT_BURST_GET_AUTH', '10'),
+ duration: 30 * TIME.minute
 }
 },
 'GET /auth/oidc/callback': {
 regularOptions: {
- limitCount: getIntFromEnv('RATELIMIT_GET_AUTH', '2'),
- duration: 1 * TIME.second
+ limitCount: getIntFromEnv('RATELIMIT_GET_AUTH', '4'),
+ duration: 10 * TIME.minute
 },
 burstOptions: {
- limitCount: getIntFromEnv('RATELIMIT_BURST_GET_AUTH', '20'),
- duration: 1 * TIME.minute
+ limitCount: getIntFromEnv('RATELIMIT_BURST_GET_AUTH', '10'),
+ duration: 30 * TIME.minute
 }
 }
 }
diff --git a/utils/helm/speckle-server/values.schema.json b/utils/helm/speckle-server/values.schema.json
index 8746ba0bf..a7006c197 100644
--- a/utils/helm/speckle-server/values.schema.json
+++ b/utils/helm/speckle-server/values.schema.json
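Review bot: All nine auth entries, including the new `'GET /auth/local'`, repeat the same eight-line literal and read the same two env vars, so `RATELIMIT_GET_AUTH` / `RATELIMIT_BURST_GET_AUTH` is effectively a single setting shared by password login, OAuth redirect and OAuth callback routes, and any future adjustment has to be made nine times. Hoisting the block into one constant declared above `LIMITS` (or a small factory, if the limiter mutates its option objects — not visible here) keeps the numbers in one place; the sketch below shows the shape. A dedicated env var for the local route would additionally let operators tighten credential submission without also throttling the OAuth callbacks, though whether that split is wanted is a product decision. The `LIMITS` declaration starts before this hunk and its first three context lines belong to the preceding entry.
```typescript
// declared above LIMITS (which begins before this hunk)
const AUTH_ROUTE_LIMITS = {
  regularOptions: {
    limitCount: getIntFromEnv('RATELIMIT_GET_AUTH', '4'),
    duration: 10 * TIME.minute
  },
  burstOptions: {
    limitCount: getIntFromEnv('RATELIMIT_BURST_GET_AUTH', '10'),
    duration: 30 * TIME.minute
  }
}
// … unchanged: LIMITS entries preceding the auth routes …
  'GET /auth/local': AUTH_ROUTE_LIMITS,
  'GET /auth/azure': AUTH_ROUTE_LIMITS,
  'GET /auth/gh': AUTH_ROUTE_LIMITS,
  'GET /auth/google': AUTH_ROUTE_LIMITS,
  'GET /auth/oidc': AUTH_ROUTE_LIMITS,
  'GET /auth/azure/callback': AUTH_ROUTE_LIMITS,
  'GET /auth/gh/callback': AUTH_ROUTE_LIMITS,
  'GET /auth/google/callback': AUTH_ROUTE_LIMITS,
  'GET /auth/oidc/callback': AUTH_ROUTE_LIMITS
}
```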
@@ -953,13 +953,13 @@
 },
 "get_auth": {
 "type": "number",
- "description": "The maximum number of requests that can be made to the Speckle server to authenticate in a moving one second window.",
- "default": 2
+ "description": "The maximum number of requests that can be made to the Speckle server to authenticate in a moving 10 minute window.",
+ "default": 4
 },
 "burst_get_auth": {
 "type": "number",
- "description": "If the regular limit is exceeded, the limit is increased to the burst limit. This is the maximum number of requests that can be made to the Speckle server to authenticate in a moving one minute window.",
- "default": 20
+ "description": "If the regular limit is exceeded, the limit is increased to the burst limit. This is the maximum number of requests that can be made to the Speckle server to authenticate in a moving thirty minute window.",
+ "default": 10
 }
 }
 },
diff --git a/utils/helm/speckle-server/values.yaml b/utils/helm/speckle-server/values.yaml
index 3d44ce72a..a8939d845 100644
--- a/utils/helm/speckle-server/values.yaml
+++ b/utils/helm/speckle-server/values.yaml
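Review bot: The new defaults `4` and `10` are whole request counts and the server reads these values through `getIntFromEnv`, yet both properties keep `"type": "number"` (context lines in this hunk), which also admits fractional values such as `4.5`; how `getIntFromEnv` treats such input is not visible here. Changing both to `"type": "integer"`, plus a `"minimum"` if zero is not meant to be accepted, would reject a bad value at chart validation time instead of at server start. The same adjustment applies to the `burst_get_auth` property in this hunk.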
@@ -632,10 +632,10 @@ server:
 post_graphql: 50
 ## @param server.ratelimiting.burst_post_graphql If the regular limit is exceeded, the limit is increased to the burst limit. This is the maximum number of requests that can be made to the GraphQL API in a moving one minute window.
 burst_post_graphql: 200
- ## @param server.ratelimiting.get_auth The maximum number of requests that can be made to the Speckle server to authenticate in a moving one second window.
- get_auth: 2
- ## @param server.ratelimiting.burst_get_auth If the regular limit is exceeded, the limit is increased to the burst limit. This is the maximum number of requests that can be made to the Speckle server to authenticate in a moving one minute window.
- burst_get_auth: 20
+ ## @param server.ratelimiting.get_auth The maximum number of requests that can be made to the Speckle server to authenticate in a moving 10 minute window.
+ get_auth: 4
+ ## @param server.ratelimiting.burst_get_auth If the regular limit is exceeded, the limit is increased to the burst limit. This is the maximum number of requests that can be made to the Speckle server to authenticate in a moving thirty minute window.
+ burst_get_auth: 10
 serviceAccount:
 ## @param server.serviceAccount.create If enabled, a Kubernetes Service Account will be created for this pod.
 ## This provides additional security by limiting this pod's access to the Kubernetes API and to Secrets on the Kubernetes cluster.