Fixed admin rate issues

2025-08-11 14:16:44 -06:00 · 2025-08-11 14:16:44 -06:00 · b885d89ae4
commit b885d89ae4
parent d8c08c8451
2 changed files with 26 additions and 4 deletions
--- a/map/app/middleware/rateLimiter.js
+++ b/map/app/middleware/rateLimiter.js
@ -28,16 +28,20 @@ const strictLimiter = rateLimit({
    message: 'Too many write operations, please try again later.'
 });

-// Auth-specific limiter
+// Auth-specific limiter with admin bypass capability
 const authLimiter = rateLimit({
    windowMs: 15 * 60 * 1000,
-    max: config.isProduction ? 10 : 50,
+    max: config.isProduction ? 30 : 50, // Increased from 10 to 30 for production
    keyGenerator,
    standardHeaders: true,
    legacyHeaders: false,
    trustProxy: true, // Explicitly trust proxy
    message: 'Too many login attempts, please try again later.',
-    skipSuccessfulRequests: true
+    skipSuccessfulRequests: true,
+    skip: (req, res) => {
+        // Skip rate limiting for authenticated admin users on certain admin endpoints
+        return req.session?.isAdmin && req.path?.includes('/admin');
+    }
 });

 // Temp user rate limiter - stricter but allows for auto-refresh
@ -63,10 +67,22 @@ const conditionalTempLimiter = (req, res, next) => {
    return apiLimiter(req, res, next);
 };

+// Admin-friendly limiter for admin operations
+const adminLimiter = rateLimit({
+    windowMs: 15 * 60 * 1000, // 15 minutes
+    max: 200, // High limit for admin operations
+    keyGenerator,
+    standardHeaders: true,
+    legacyHeaders: false,
+    trustProxy: true,
+    message: 'Rate limit exceeded for admin operations. Please try again later.'
+});
+
 module.exports = {
    apiLimiter,
    strictLimiter,
    authLimiter,
    tempUserLimiter,
-    conditionalTempLimiter
+    conditionalTempLimiter,
+    adminLimiter
 };
--- a/map/app/routes/auth.js
+++ b/map/app/routes/auth.js
@ -3,10 +3,16 @@ const router = express.Router();
 const authController = require('../controllers/authController');
 const passwordRecoveryController = require('../controllers/passwordRecoveryController');
 const { authLimiter } = require('../middleware/rateLimiter');
+const config = require('../config');

 // Login route with rate limiting
 router.post('/login', authLimiter, authController.login);

+// Debug login route without rate limiting (only in development or for testing)
+if (!config.isProduction) {
+    router.post('/debug-login', authController.login);
+}
+
 // Password recovery route with rate limiting
 router.post('/recover-password', authLimiter, passwordRecoveryController.requestPassword);