added corrected password needs

2025-12-01 06:55:45 +01:00 · 2025-10-28 20:13:09 +01:00
parent b3b3250f23
commit 1927937109
4 changed files with 115 additions and 77 deletions
--- a/backend/src/middleware/rateLimit.ts
+++ b/backend/src/middleware/rateLimit.ts
@@ -1,16 +1,48 @@
 import rateLimit from 'express-rate-limit';
+import { Request } from 'express';

-export const authLimiter = rateLimit({
-  windowMs: 15 * 60 * 1000, // 15 minutes
-  max: 5, // Limit each IP to 5 login requests per windowMs
-  message: { error: 'Zu viele Login-Versuche, bitte versuchen Sie es später erneut' },
-  standardHeaders: true,
-  legacyHeaders: false,
-});
+// Helper to check if request should be limited
+const shouldSkipLimit = (req: Request): boolean => {
+  const skipPaths = [
+    '/api/health', 
+    '/api/setup/status',
+    '/api/auth/validate'
+  ];
+  
+  // Skip for successful GET requests (data fetching)
+  if (req.method === 'GET' && req.path.startsWith('/api/')) {
+    return true;
+  }
+  
+  return skipPaths.includes(req.path);
+};

+// Main API limiter - nur für POST/PUT/DELETE
 export const apiLimiter = rateLimit({
  windowMs: 15 * 60 * 1000, // 15 minutes
-  max: 100, // Limit each IP to 100 requests per windowMs
+  max: 200, // 200 non-GET requests per 15 minutes
+  message: { 
+    error: 'Zu viele Anfragen, bitte verlangsamen Sie Ihre Aktionen' 
+  },
  standardHeaders: true,
  legacyHeaders: false,
+  skip: (req) => {
+    // ✅ Skip für GET requests (Data Fetching)
+    if (req.method === 'GET') return true;
+    
+    // ✅ Skip für Health/Status Checks
+    return shouldSkipLimit(req);
+  }
+});
+
+// Strict limiter for auth endpoints
+export const authLimiter = rateLimit({
+  windowMs: 15 * 60 * 1000,
+  max: 5,
+  message: { 
+    error: 'Zu viele Login-Versuche, bitte versuchen Sie es später erneut' 
+  },
+  standardHeaders: true,
+  legacyHeaders: false,
+  skipSuccessfulRequests: true,
 });
--- a/backend/src/middleware/validation.ts
+++ b/backend/src/middleware/validation.ts
@@ -284,7 +284,7 @@ export const validateCreateFromPreset = [
  body('presetName')
    .isLength({ min: 1 })
    .withMessage('Preset name is required')
-    .isIn(['standardWeek', 'extendedWeek', 'weekendFocused', 'morningOnly', 'eveningOnly'])
+    .isIn(['standardWeek', 'extendedWeek', 'weekendFocused', 'morningOnly', 'eveningOnly', 'ZEBRA_STANDARD'])
    .withMessage('Invalid preset name'),
  
  body('name')
@@ -444,7 +444,7 @@ export const handleValidationErrors = (req: Request, res: Response, next: NextFu
    const errorMessages = errors.array().map(error => ({
      field: error.type === 'field' ? error.path : error.type,
      message: error.msg,
-      value: error
+      value: error.msg
    }));
    
    return res.status(400).json({