mirror of
https://github.com/screentinker/screentinker.git
synced 2026-06-19 04:32:31 -06:00
POST /api/provision (the routes/provisioning.js router endpoint) pairs a device by pairing_code with no rate limit - the limit at server.js:287 was bound only to the /api/provision/pair override. An authenticated user could brute-force 6-digit pairing codes against the bare endpoint to claim devices in the unclaimed pool. Bind the rate limit to the /api/provision mount so it covers both pairing paths.

Verified: 6 rapid POSTs to /api/provision now 429 on the 6th (was unlimited); /api/provision/pair still 429s on the 6th.

Closes #88

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
| Name |
|---|
| config |
| db |
| lib |
| middleware |
| player |
| routes |
| scripts |
| services |
| test |
| ws |
| .gitignore |
| config.js |
| package-lock.json |
| package.json |
| server.js |
| version.js |