New Issue Checklist
- Report security issues confidentially.
- Any contribution is under this license.
- Before posting search existing issues.
Issue Description
When setting a rate limit per user (by setting zone: 'user'), the rate limit uses the ip zone instead.
Steps to reproduce
Set a rate limit of 1 per user, on a cloud function for instance. Then call it with one user (using a session token) and then with another one.
Actual Outcome
The rate limit is stored for the IP address.
Expected Outcome
The rate limit should be stored for the ID of the user and not the IP address.
Environment
Server
- Parse Server version: 8.0.0
- Operating system: macOS
- Local or remote host (AWS, Azure, Google Cloud, Heroku, Digital Ocean, etc): local and AWS
Database
- System (MongoDB or Postgres): MongoDB
- Database version: 8
- Local or remote host (MongoDB Atlas, mLab, AWS, Azure, Google Cloud, etc): MongoDB Atlas
Client
- SDK (iOS, Android, JavaScript, PHP, Unity, etc): JavaScript and curl
- SDK version: latest
Logs
I can see where the bug is located. In the middlewares.js file, there is a keyGenerator that checks if request.zone === 'user' instead of checking route.zone:
```js
// Excerpt of the rate-limit keyGenerator in middlewares.js (Parse Server 8.0.0);
// `route`, `handleParseSession` and `_node` come from the surrounding module.
keyGenerator: async request => {
  if (route.zone === _node.default.Server.RateLimitZone.global) {
    return request.config.appId;
  }
  const token = request.info.sessionToken;
  if (route.zone === _node.default.Server.RateLimitZone.session && token) {
    return token;
  }
  if (route.zone === _node.default.Server.RateLimitZone.user && token) {
    if (!request.auth) {
      await new Promise(resolve => handleParseSession(request, null, resolve));
    }
    if (request.auth?.user?.id && request.zone === 'user') { // <------------------------------ HERE
      return request.auth.user.id;
    }
  }
  return request.config.ip;
},
```
Setting request.zone = 'user' at the beginning of Express routing makes it work.
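The following is an added, stand-alone model of the key generator quoted above; it is not Parse Server code and not the reporter's code. The zone names, the `request.info.sessionToken` / `request.auth.user.id` / `request.config.ip` fields and the session lookup are assumptions taken from the pasted snippet, the session store is constructed test data, and the "fixed" mode (deciding on `route.zone` alone) is an assumed fix, not an upstream patch. It shows the security consequence of the bug: two different users behind one NAT address end up in the same per-IP bucket, so a per-user limit silently becomes a per-IP limit, and also shows the reporter's workaround of pre-setting `request.zone`.

```javascript
// Added example (not Parse Server code): a synchronous model of the
// rate-limit keyGenerator to show why a 'user' zone falls back to the IP key.
// Enum values and request field names are assumptions based on the snippet above.
const RateLimitZone = { global: 'global', session: 'session', user: 'user', ip: 'ip' };

// Constructed session store standing in for handleParseSession:
// maps a session token to an authenticated user id.
const SESSIONS = { 'r:tokenAlice': 'alice-id', 'r:tokenBob': 'bob-id' };

function handleSession(request) {
  const id = SESSIONS[request.info.sessionToken];
  request.auth = id ? { user: { id } } : {};
}

// mode 'buggy' keeps the extra `request.zone === 'user'` test from the report;
// mode 'fixed' decides on route.zone alone (assumed fix, not an upstream patch).
function makeKeyGenerator(route, mode) {
  return request => {
    if (route.zone === RateLimitZone.global) return request.config.appId;
    const token = request.info.sessionToken;
    if (route.zone === RateLimitZone.session && token) return token;
    if (route.zone === RateLimitZone.user && token) {
      if (!request.auth) handleSession(request);
      const zoneMatches = mode === 'fixed' || request.zone === 'user';
      if (request.auth?.user?.id && zoneMatches) return request.auth.user.id;
    }
    // Every other case degrades to the per-IP key.
    return request.config.ip;
  };
}

// Minimal request object with only the fields the generator reads. `zone` is
// the reporter's workaround: pre-setting request.zone earlier in the Express chain.
function makeRequest({ sessionToken, ip, zone }) {
  const request = { info: { sessionToken }, config: { appId: 'app1', ip } };
  if (zone) request.zone = zone;
  return request;
}

// Two distinct users behind the same NAT address call a route with zone 'user'.
// With the bug both get the IP as key and share one rate-limit bucket.
function keysForTwoUsers(mode, presetZone) {
  const keyGen = makeKeyGenerator({ zone: RateLimitZone.user }, mode);
  const ip = '203.0.113.5';
  const alice = keyGen(makeRequest({ sessionToken: 'r:tokenAlice', ip, zone: presetZone }));
  const bob = keyGen(makeRequest({ sessionToken: 'r:tokenBob', ip, zone: presetZone }));
  return { alice, bob, sharedBucket: alice === bob };
}

console.log('buggy     ', keysForTwoUsers('buggy'));
console.log('workaround', keysForTwoUsers('buggy', 'user'));
console.log('fixed     ', keysForTwoUsers('fixed'));
```

In 'buggy' mode both keys are the IP and `sharedBucket` is true; with the workaround or the assumed fix the keys are the two user ids. A request in the 'user' zone whose token does not resolve still falls back to the IP in every mode, which is the intended behaviour for unauthenticated callers.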