Merge pull request #607 from Baroshem/chore/2.2.0

Chore/2.2.0

Author: Baroshem

docs/content/3.middleware/1.rate-limiter.md

@@ -56,6 +56,7 @@ type RateLimiter = {
   tokensPerInterval: number;
   interval: number;
   headers: boolean;
+  whiteList: string[];
   throwError: boolean;
   driver: {
     name: string;
@@ -82,11 +83,17 @@ The time value in miliseconds after which the rate limiting will be reset. For e
 
 When set to `true` it will set the response headers: `X-Ratelimit-Remaining`, `X-Ratelimit-Reset`, `X-Ratelimit-Limit` with appriopriate values.
 
+### `whiteList`
+
+- Default: `undefined`
+
+When set to `['127.0.0.1', '192.168.0.1']` it will skip rate limiting for these specific IPs.
+
 ### `throwError`
 
 - Default: `true`
 
-Whether to throw Nuxt Error with appriopriate error code and message. If set to false, it will just return the object with the error that you can handle.
+Whether to throw Nuxt Error with appropriate error code and message. If set to false, it will just return the object with the error that you can handle.
 
 ### `driver`
 

package.json

@@ -1,6 +1,6 @@
 {
   "name": "nuxt-security",
-  "version": "2.1.4",
+  "version": "2.2.0",
   "license": "MIT",
   "type": "module",
   "engines": {

playground/nuxt.config.ts

@@ -42,7 +42,16 @@ export default defineNuxtConfig({
           referrerPolicy: false
         }
       }
-    }
+    },
+    '/rateLimit': {
+      security: {
+        rateLimiter: {
+          tokensPerInterval:1,
+          interval: 1000,
+          whiteList: ['127.0.0.1'],
+        },
+      },
+    },
   },
 
   // Global configuration

playground/pages/rateLimit.vue

@@ -0,0 +1,5 @@
+<template>
+  <div>
+    RateLimit tests Route
+  </div>
+</template>

src/defaultConfig.ts

@@ -55,6 +55,7 @@ export const defaultSecurityConfig = (serverlUrl: string, strict: boolean) => {
       driver: {
         name: 'lruCache'
       },
+      whiteList: undefined,
       ...defaultThrowErrorValue
     },
     xssValidator: {

src/runtime/nitro/plugins/40-cspSsrNonce.ts

@@ -3,6 +3,7 @@ import { resolveSecurityRules } from '../context'
 import { generateRandomNonce } from '../../../utils/crypto'
 
 const LINK_RE = /<link([^>]*?>)/gi
+const NONCE_RE = /nonce="[^"]+"/i
 const SCRIPT_RE = /<script([^>]*?>)/gi
 const STYLE_RE = /<style([^>]*?>)/gi
 
@@ -58,6 +59,9 @@ export default defineNitroPlugin((nitroApp) => {
         }
         // Add nonce to all link tags
         element = element.replace(LINK_RE, (match, rest) => {
+          if (NONCE_RE.test(rest)) {
+            return match.replace(NONCE_RE, `nonce="${nonce}"`);
+          }
           return `<link nonce="${nonce}"` + rest
         })
         // Add nonce to all script tags

src/runtime/server/middleware/basicAuth.ts

@@ -16,10 +16,9 @@ export type BasicAuth = {
   message: string;
 }
 
-const securityConfig = useRuntimeConfig().private
-
 export default defineEventHandler((event) => {
   const credentials = getCredentials(event.node.req)
+  const securityConfig = useRuntimeConfig(event).private
   const basicAuthConfig = securityConfig.basicAuth
 
   if (!basicAuthConfig) {

src/runtime/server/middleware/rateLimiter.ts

@@ -28,6 +28,9 @@ export default defineEventHandler(async(event) => {
       defaultRateLimiter
     )
     const ip = getIP(event)
+    if(rateLimiter.whiteList && rateLimiter.whiteList.includes(ip)){
+      return
+    }
     const url = ip + route
 
     let storageItem = await storage.getItem(url) as StorageItem

src/types/middlewares.ts

@@ -19,6 +19,7 @@ export type RateLimiter = {
       options?:  BuiltinDriverOptions[driverName] }
   }[BuiltinDriverName];
   headers?: boolean;
+  whiteList?: string[];
   throwError?: boolean;
 };
 

test/fixtures/rateLimiter/nuxt.config.ts

@@ -15,6 +15,68 @@ export default defineNuxtConfig({
           tokensPerInterval: 10,
         }
       }
-    }
+    },
+    '/whitelistBase': {
+      security: {
+        rateLimiter: {
+          tokensPerInterval: 1,
+          interval: 300000,
+          whiteList: [
+            '127.0.0.1',
+            '192.168.0.1',
+            '172.16.0.1',
+            '10.0.0.1',
+          ],
+        }
+      }
+    },
+    '/whitelistEmpty': {
+      security: {
+        rateLimiter: {
+          tokensPerInterval: 1,
+          interval: 300000,
+          whiteList: [],
+        }
+      }
+    },
+    '/whitelistNotListed': {
+      security: {
+        rateLimiter: {
+          tokensPerInterval: 1,
+          interval: 300000,
+          whiteList: [
+            '10.0.0.1',
+            '10.0.1.1',
+            '10.0.2.1',
+            '10.0.3.1',
+            '10.0.4.1',
+            '10.0.5.1',
+            '10.0.6.1',
+            '10.0.7.1',
+            '10.0.8.1',
+            '10.0.9.1',
+            '10.1.0.1',
+            '10.2.0.1',
+            '10.3.0.1',
+            '10.4.0.1',
+            '10.5.0.1',
+            '10.6.0.1',
+            '10.7.0.1',
+            '10.8.0.1',
+            '10.9.0.1',
+            '192.168.0.1',
+            '192.168.1.1',
+            '192.168.2.1',
+            '192.168.3.1',
+            '192.168.4.1',
+            '192.168.5.1',
+            '192.168.6.1',
+            '192.168.7.1',
+            '192.168.8.1',
+            '192.168.9.1',
+          ],
+        }
+      }
+    },
   }
 })

test/fixtures/rateLimiter/pages/whitelistBase.vue

@@ -0,0 +1,3 @@
+<template>
+  <div>whitelist base test</div>
+</template>

test/fixtures/rateLimiter/pages/whitelistEmpty.vue

@@ -0,0 +1,3 @@
+<template>
+  <div>whitelist empty test</div>
+</template>

test/fixtures/rateLimiter/pages/whitelistNotListed.vue

@@ -0,0 +1,3 @@
+<template>
+  <div>whitelist not listed test</div>
+</template>

test/rateLimiter.test.ts

@@ -63,4 +63,43 @@ describe('[nuxt-security] Rate Limiter', async () => {
     expect(res6.status).toBe(200)
     expect(res6.statusText).toBe('OK')
   })
+
+  it ('should return 200 OK after multiple requests for a route with localhost ip whitelisted', async () => {
+    const res1 = await fetch('/whitelistBase')
+    await fetch('/whitelistBase')
+    await fetch('/whitelistBase')
+    await fetch('/whitelistBase')
+    const res5 = await fetch('/whitelistBase')
+
+    expect(res1).toBeDefined()
+    expect(res1).toBeTruthy()
+    expect(res5.status).toBe(200)
+    expect(res5.statusText).toBe('OK')
+  })
+
+  it ('should return 429 when limit reached with an empty whitelist array', async () => {
+    const res1 = await fetch('/whitelistEmpty')
+    await fetch('/whitelistEmpty')
+    await fetch('/whitelistEmpty')
+    await fetch('/whitelistEmpty')
+    const res5 = await fetch('/whitelistEmpty')
+
+    expect(res1).toBeDefined()
+    expect(res1).toBeTruthy()
+    expect(res5.status).toBe(429)
+    expect(res5.statusText).toBe('Too Many Requests')
+  })
+
+  it ('should return 429 when limit reached as localhost ip is not whitelisted', async () => {
+    const res1 = await fetch('/whitelistNotListed')
+    await fetch('/whitelistNotListed')
+    await fetch('/whitelistNotListed')
+    await fetch('/whitelistNotListed')
+    const res5 = await fetch('/whitelistNotListed')
+
+    expect(res1).toBeDefined()
+    expect(res1).toBeTruthy()
+    expect(res5.status).toBe(429)
+    expect(res5.statusText).toBe('Too Many Requests')
+  })
 })