mirror of https://github.com/verdaccio/verdaccio.git synced 2025-02-21 07:29:37 +01:00

update website config for v5.4.0 (#2813)

* update config for v5.4.0

* update config for v5.4.0

* Update config.md

* update text

* Update config.md

* Update config.md

* Update best-practices.md
Juan Picado 2021-12-26 11:03:32 +01:00 committed by GitHub
parent dd65119454
commit 508247ce70
GPG Key ID: 4AEE18F83AFDEB23
4 changed files with 57 additions and 3 deletions

@ -160,7 +160,7 @@ security:
notBefore: 0
web:
sign:
expiresIn: 7d
expiresIn: 1h
```
**Using this configuration will override the current system and you will be able to control how long the token will live**.
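Review bot: the example now shows `expiresIn: 1h`, but the bold sentence following the block still only says the setting "will override the current system" without stating what the system default is; the config.md hunk in this same commit comments `1h` as "1 hour by default", so say the same here (e.g. "the default is `1h`; set `expiresIn` explicitly if you need a different lifetime") so readers do not assume the example is shortening a longer default.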
@ -168,3 +168,27 @@ security:
Using JWT also improves the performance with authentication plugins. The old system will perform an unpackage and validate the credentials on every request, while JWT will rely on the token signature instead, avoiding the overhead for the plugin.
As a side note, be aware at **npmjs** and the **legacy** verdaccio token never expires\*\* unless you invalidate manually.
### Rate Limit {#rate-limit}
Since version `v5.4.0` critical endpoints have enabled by default rate limit. The following commands are considered user endpoints:
- `npm token` all variants
- `npm login/adduser`
- `npm profile` all supported variants
- User website `/sec/login` endpoint.
The previous list of endpoints are limited to `100` request peer _15 minutes_ which is enough for a basic usage, if you need to increase this levels please check the `userRateLimit` configuration options.
```yaml
userRateLimit:
windowMs: 50000 <- (minutes * 60 * 1000)
max: 1000 (number of request peer windowMs)
```
The website endpoints as, _search_, _packages_, _sidebar_, and _detail_ are protected by default to 5,000 request peer 2 minutes, also configurable via web ui options.
We recommend customize this values to those that addapt your needs to avoid any kind of (DDoS) or _brute-force_ attack to the critical endpoints.
> The CLI API endpoints used by eg `npm install` are not limited at this point since are not considered critical, but if you find any good reason please open a discussion.
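Review bot: the `userRateLimit` block contradicts the prose and is not valid YAML: the paragraph above it says the default is `100` requests per 15 minutes, but the block shows `windowMs: 50000` (50 seconds) and `max: 1000`, and the annotations `<- (minutes * 60 * 1000)` and `(number of request peer windowMs)` are not `#` comments, so they become part of the scalar values when the snippet is copied. Suggest `windowMs: 900000 # 15 minutes * 60 * 1000` and `max: 100 # requests allowed per windowMs`, which matches the stated default. Several typos in the new text as well: "have enabled by default rate limit", "request peer" (three times), "this levels", "customize this values", "addapt"; the stray `\*\*` after "never expires" leaves unbalanced bold markup on the "As a side note" line. Finally, the "(DDoS)" wording overstates what a per-endpoint request limit does; it mitigates credential brute-forcing and abusive clients on the login/token endpoints, which is what the rest of the paragraph is about.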

@ -80,7 +80,7 @@ security:
someProp: [value]
web:
sign:
expiresIn: 7d # 7 days by default
expiresIn: 1h # 1 hour by default
verify:
someProp: [value]
```
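Review bot: this hunk changes the documented default from `7d` ("7 days by default") to `1h` ("1 hour by default"), which is a behaviour change for anyone relying on the old default, yet unlike the other sections added in this commit it carries no `<small>Since: verdaccio@5.4.0</small>` marker or migration sentence. Add one, and state that web tokens previously lived 7 days, so people upgrading know to set `web.sign.expiresIn` explicitly if they need longer-lived tokens.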
@ -157,6 +157,32 @@ url_prefix: /verdaccio/
> Verdaccio 5 has an improved prefix behaviour and the `VERDACCIO_PUBLIC_URL` is available for use, learn how to [here](https://verdaccio.org/blog/2021/04/14/verdaccio-5-migration-guide#url_prefix-improved-behavior).
### User Agent {#user-agent}
<small>Since: `verdaccio@5.4.0`</small>
The user agent is disabled by default, in exchange the user agent client (package manager, browser, etc ...) is being bypassed to the remote. To enable the previous behaviour use boolean values.
```yaml
user_agent: true
user_agent: false
user_agent: 'custom user agent'
```
### User Rate Limit {#user-rate-limit}
<small>Since: [verdaccio@5.4.0](https://github.com/verdaccio/verdaccio/releases/tag/v5.4.0)</small>
Add default rate limit to user endpoints, `npm token`, `npm profile`, `npm loding/adduser` and login website to 100 request peer 15 min, customizable via:
```
userRateLimit:
windowMs: 50000
max: 1000
```
Additonal configuration (only feature flags) is also possible via the [middleware docs](https://github.com/nfriedly/express-rate-limit/#configuration-options).
### Max Body Size {#max-body-size}
By default the maximum body size for a JSON document is `10mb`, if you run into errors that state `"request entity too large"` you may increase this value.
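Review bot: the User Agent YAML block repeats the `user_agent` key three times in a single document, which is a duplicate-key error if copied as is; present the three forms as alternatives with a `#` comment on each describing its effect, because the prose above ("is being bypassed to the remote") does not make clear which value forwards the client's user agent and which sends Verdaccio's own ("bypassed" should probably read "forwarded" or "passed through"). In the User Rate Limit section: the `userRateLimit` fence lacks the `yaml` tag the surrounding blocks use; "npm loding/adduser" should be "npm login/adduser", "request peer 15 min" should be "requests per 15 min", and "Additonal" should be "Additional"; the example values `windowMs: 50000` / `max: 1000` again do not match the stated 100-per-15-minutes default; and "Additional configuration (only feature flags)" is too vague, so name which express-rate-limit options are passed through or drop the parenthetical.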

@ -18,6 +18,9 @@ web:
sort_packages: asc | desc
darkMode: false
favicon: http://somedomain/favicon.ico | /path/favicon.ico
rateLimit:
windowMs: 50000
max: 1000
```
All access restrictions defined to [protect your packages](protect-your-dependencies.md) will also apply to the Web Interface.
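Review bot: the `rateLimit` example under `web:` reuses the `windowMs: 50000` / `max: 1000` values from the `userRateLimit` example, while the table row added further down in this file documents the web default as 5k requests every 2 minutes; either use values that reflect that default (`windowMs: 120000`, `max: 5000`) with a `#` comment, or mark these as illustrative, so that copying the block does not silently tighten the limit by an order of magnitude. A link to the User Rate Limit section of config.md next to this key would also help readers find the related setting.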
@ -51,6 +54,7 @@ i18n:
| scope | string | No | @myscope | `>v3.x` | If you're using this registry for a specific module scope, specify that scope to set it in the webui instructions header |
| darkMode | boolean | No | false | `>=v4.6.0` | This mode is an special theme for those want to live in the dark side |
| favicon | string | No | false | `>=v5.0.1` | Display a custom favicon, can be local resource or valid url |
| rateLimit | object | No | use `userRateLimit` configuration | `>=v5.4.0` | Increase or decrease rate limit, by default is 5k request every 2 minutes, only limit web api endpoints, the CSS, JS, etcc are ingnored |
> The recommended logo size is `40x40` pixels.
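Review bot: in the new `rateLimit` row the Default column says "use `userRateLimit` configuration" while the Description says "by default is 5k request every 2 minutes"; these conflict, so state one default (the 5,000-per-2-minutes value, if the web limit is independent of `userRateLimit`, which is what the best-practices text in this commit implies). Typos in the same row: "etcc" and "ingnored"; and "only limit web api endpoints, the CSS, JS, etcc are ingnored" reads better as "only limits the web API endpoints; static assets (CSS, JS, etc.) are not counted".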

@ -1,7 +1,7 @@
{
"private": true,
"name": "@verdaccio/website",
"version": "5.3.2",
"version": "5.4.0",
"scripts": {
"docusaurus": "docusaurus",
"start": "docusaurus start",