feat: login limit (#3369)

* feat: login limit

* feat: env template

* fix: ts

projects/app/.env.template

@@ -43,6 +43,8 @@ LOG_LEVEL=debug
 STORE_LOG_LEVEL=warn
 
 # 安全配置
+# 启动 IP 限流(true)，部分接口增加了 ip 限流策略，防止非正常请求操作。
+USE_IP_LIMIT=false
 # 工作流最大运行次数，避免极端的死循环情况
 WORKFLOW_MAX_RUN_TIMES=500
 # 循环最大运行次数，避免极端的死循环情况

projects/app/src/pages/api/core/dataset/searchTest.ts

@@ -99,4 +99,4 @@ async function handler(req: NextApiRequest) {
   };
 }
 
-export default NextAPI(useReqFrequencyLimit(1, 2), handler);
+export default NextAPI(useReqFrequencyLimit(1, 15), handler);

projects/app/src/pages/api/support/user/account/loginByPassword.ts

@@ -1,71 +1,63 @@
 import type { NextApiRequest, NextApiResponse } from 'next';
-import { jsonRes } from '@fastgpt/service/common/response';
 import { MongoUser } from '@fastgpt/service/support/user/schema';
 import { createJWT, setCookie } from '@fastgpt/service/support/permission/controller';
-import { connectToDatabase } from '@/service/mongo';
 import { getUserDetail } from '@fastgpt/service/support/user/controller';
 import type { PostLoginProps } from '@fastgpt/global/support/user/api.d';
 import { UserStatusEnum } from '@fastgpt/global/support/user/constant';
+import { NextAPI } from '@/service/middleware/entry';
+import { useReqFrequencyLimit } from '@fastgpt/service/common/middle/reqFrequencyLimit';
 
-export default async function handler(req: NextApiRequest, res: NextApiResponse) {
-  try {
-    await connectToDatabase();
-    const { username, password } = req.body as PostLoginProps;
+async function handler(req: NextApiRequest, res: NextApiResponse) {
+  const { username, password } = req.body as PostLoginProps;
 
-    if (!username || !password) {
-      throw new Error('缺少参数');
-    }
-
-    // 检测用户是否存在
-    const authCert = await MongoUser.findOne(
-      {
-        username
-      },
-      'status'
-    );
-    if (!authCert) {
-      throw new Error('用户未注册');
-    }
-
-    if (authCert.status === UserStatusEnum.forbidden) {
-      throw new Error('账号已停用，无法登录');
-    }
-
-    const user = await MongoUser.findOne({
-      username,
-      password
-    });
-
-    if (!user) {
-      throw new Error('密码错误');
-    }
-
-    const userDetail = await getUserDetail({
-      tmbId: user?.lastLoginTmbId,
-      userId: user._id
-    });
-
-    MongoUser.findByIdAndUpdate(user._id, {
-      lastLoginTmbId: userDetail.team.tmbId
-    });
-
-    const token = createJWT({
-      ...userDetail,
-      isRoot: username === 'root'
-    });
-
-    setCookie(res, token);
-
-    jsonRes(res, {
-      data: {
-        user: userDetail,
-        token
-      }
-    });
-  } catch (err) {
-    jsonRes(res, {
-      code: 500,
-      error: err
-    });
+  if (!username || !password) {
+    throw new Error('缺少参数');
   }
+
+  // 检测用户是否存在
+  const authCert = await MongoUser.findOne(
+    {
+      username
+    },
+    'status'
+  );
+  if (!authCert) {
+    throw new Error('用户未注册');
+  }
+
+  if (authCert.status === UserStatusEnum.forbidden) {
+    throw new Error('账号已停用，无法登录');
+  }
+
+  const user = await MongoUser.findOne({
+    username,
+    password
+  });
+
+  if (!user) {
+    throw new Error('密码错误');
+  }
+
+  const userDetail = await getUserDetail({
+    tmbId: user?.lastLoginTmbId,
+    userId: user._id
+  });
+
+  MongoUser.findByIdAndUpdate(user._id, {
+    lastLoginTmbId: userDetail.team.tmbId
+  });
+
+  const token = createJWT({
+    ...userDetail,
+    isRoot: username === 'root'
+  });
+
+  setCookie(res, token);
+
+  return {
+    user: userDetail,
+    token
+  };
 }
+
+export default NextAPI(useReqFrequencyLimit(120, 10), handler);

projects/app/src/pages/api/v1/audio/transcriptions.ts

@@ -89,7 +89,7 @@ async function handler(req: NextApiRequest, res: NextApiResponse<any>) {
   removeFilesByPaths(filePaths);
 }
 
-export default NextAPI(useReqFrequencyLimit(1, 2), handler);
+export default NextAPI(useReqFrequencyLimit(1, 1), handler);
 
 export const config = {
   api: {