[Enhance] Some config options & Login limiter

- Add limiter for login and API login - Add some config options - Delete `setting.py` files
2026-02-06 23:57:50 +08:00 · 2022-10-16 17:07:32 +08:00
parent ba36190f30
commit d150553e6b
8 changed files with 50 additions and 273 deletions
--- a/version/core/api_user.py
+++ b/version/core/api_user.py
@@ -2,7 +2,9 @@ from hashlib import sha256
 from os import urandom
 from time import time

-from .error import NoAccess, NoData, UserBan
+from .config_manager import Config
+from .error import NoAccess, NoData, RateLimit, UserBan
+from .limiter import ArcLimiter
 from .user import UserOnline


@@ -57,6 +59,8 @@ class Role:


 class APIUser(UserOnline):
+    limiter = ArcLimiter(Config.API_LOGIN_RATE_LIMIT, 'api_login')
+
    def __init__(self, c=None, user_id=None) -> None:
        super().__init__(c, user_id)
        self.api_token: str = None
@@ -109,6 +113,9 @@ class APIUser(UserOnline):
            self.password = password
        if ip is not None:
            self.ip = ip
+        if not self.limiter.hit(name):
+            raise RateLimit('Too many login attempts', api_error_code=-205)
+
        self.c.execute('''select user_id, password from user where name = :a''', {
                       'a': self.name})
        x = self.c.fetchone()
--- a/version/core/config_manager.py
+++ b/version/core/config_manager.py
@@ -6,6 +6,10 @@ class Config:
    HOST = '0.0.0.0'
    PORT = 80

+    USE_GEVENT_WSGI = False
+    USE_PROXY_FIX = False
+    USE_CORS = False
+
    GAME_API_PREFIX = '/join/21'

    ALLOW_APPVERSION = []  # list[str]
@@ -36,6 +40,9 @@ class Config:

    DOWNLOAD_LINK_PREFIX = ''

+    DOWNLOAD_USE_NGINX_X_ACCEL_REDIRECT = False
+    NGINX_X_ACCEL_REDIRECT_PREFIX = '/nginx_download/'
+
    DOWNLOAD_TIMES_LIMIT = 3000
    DOWNLOAD_TIME_GAP_LIMIT = 1000

@@ -69,6 +76,9 @@ class Config:
    SONGLIST_FILE_PATH = './database/songs/songlist'
    SQLITE_DATABASE_PATH = './database/arcaea_database.db'

+    GAME_LOGIN_RATE_LIMIT = '30/5 minutes'
+    API_LOGIN_RATE_LIMIT = '10/5 minutes'
+

 class ConfigManager:

--- a/version/core/limiter.py
+++ b/version/core/limiter.py
@@ -7,12 +7,12 @@ class ArcLimiter:
    strategy = strategies.FixedWindowRateLimiter(storage)

    def __init__(self, limit_str: str = None, namespace: str = None):
-        self._limits = None
+        self._limits: list = None
        self.limits = limit_str
        self.namespace = namespace

    @property
-    def limits(self):
+    def limits(self) -> list:
        return self._limits

    @limits.setter
--- a/version/core/user.py
+++ b/version/core/user.py
@@ -7,8 +7,9 @@ from .character import UserCharacter, UserCharacterList
 from .config_manager import Config
 from .constant import Constant
 from .error import (ArcError, DataExist, FriendError, InputError, NoAccess,
-                    NoData, UserBan)
+                    NoData, RateLimit, UserBan)
 from .item import UserItemList
+from .limiter import ArcLimiter
 from .score import Score
 from .sql import Connect
 from .world import Map, UserMap, UserStamina
@@ -143,6 +144,8 @@ class UserRegister(User):

 class UserLogin(User):
    # 密码和token的加密方式为 SHA-256
+    limiter = ArcLimiter(Config.GAME_LOGIN_RATE_LIMIT, 'game_login')
+
    def __init__(self, c) -> None:
        super().__init__()
        self.c = c
@@ -219,6 +222,9 @@ class UserLogin(User):
        if ip:
            self.set_ip(ip)

+        if not self.limiter.hit(name):
+            raise RateLimit('Too many login attempts.', 123)
+
        self.c.execute('''select user_id, password, ban_flag from user where name = :name''', {
                       'name': self.name})
        x = self.c.fetchone()