sasjs/server
1
0
Fork 0
mirror of https://github.com/sasjs/server.git synced 2025-12-10 19:34:34 +00:00
Code Issues Projects Releases Wiki Activity

Merge pull request #357 from sasjs/cosmosdb-issue

Browse Source 
fix: use RateLimiterMemory instead of RateLimiterMongo
This commit is contained in:
Allan Bowe
2023-04-27 18:56:53 +01:00
committed by GitHub
parent 70c3834022 7df9588e66
commit 77fac663c5
3 changed files with 81 additions and 94 deletions
Download Patch File Download Diff File Expand all files Collapse all files

2
README.md
View File

@@ -184,7 +184,7 @@ MAX_WRONG_ATTEMPTS_BY_IP_PER_DAY = <number> default: 100;
# After this, access is blocked for an hour
# Store number for 90 days since first fail
# Store number for 24 days since first fail
# Once a successful login is attempted, it resets
MAX_CONSECUTIVE_FAILS_BY_USERNAME_AND_IP = <number> default: 10;

152
api/src/routes/api/spec/web.spec.ts
View File

@@ -47,6 +47,77 @@ describe('web', () => {
})
})
describe('SASLogon/authorize', () => {
let csrfToken: string
let authCookies: string
beforeAll(async () => {
;({ csrfToken } = await getCSRF(app))
await userController.createUser(user)
const credentials = {
username: user.username,
password: user.password
}
;({ authCookies } = await performLogin(app, credentials, csrfToken))
})
afterAll(async () => {
const collections = mongoose.connection.collections
const collection = collections['users']
await collection.deleteMany({})
})
it('should respond with authorization code', async () => {
const res = await request(app)
.post('/SASLogon/authorize')
.set('Cookie', [authCookies].join('; '))
.set('x-xsrf-token', csrfToken)
.send({ clientId })
expect(res.body).toHaveProperty('code')
})
it('should respond with Bad Request if CSRF Token is missing', async () => {
const res = await request(app)
.post('/SASLogon/authorize')
.set('Cookie', [authCookies].join('; '))
.send({ clientId })
.expect(400)
expect(res.text).toEqual('Invalid CSRF token!')
expect(res.body).toEqual({})
})
it('should respond with Bad Request if clientId is missing', async () => {
const res = await request(app)
.post('/SASLogon/authorize')
.set('Cookie', [authCookies].join('; '))
.set('x-xsrf-token', csrfToken)
.send({})
.expect(400)
expect(res.text).toEqual(`"clientId" is required`)
expect(res.body).toEqual({})
})
it('should respond with Forbidden if clientId is incorrect', async () => {
const res = await request(app)
.post('/SASLogon/authorize')
.set('Cookie', [authCookies].join('; '))
.set('x-xsrf-token', csrfToken)
.send({
clientId: 'WrongClientID'
})
.expect(403)
expect(res.text).toEqual('Error: Invalid clientId.')
expect(res.body).toEqual({})
})
})
describe('SASLogon/login', () => {
let csrfToken: string
@@ -187,78 +258,6 @@ describe('web', () => {
expect(res.body).toEqual({})
})
})
describe('SASLogon/authorize', () => {
let csrfToken: string
let authCookies: string
beforeAll(async () => {
await deleteDocumentsFromLimitersCollections()
;({ csrfToken } = await getCSRF(app))
await userController.createUser(user)
const credentials = {
username: user.username,
password: user.password
}
;({ authCookies } = await performLogin(app, credentials, csrfToken))
})
afterAll(async () => {
const collections = mongoose.connection.collections
const collection = collections['users']
await collection.deleteMany({})
})
it('should respond with authorization code', async () => {
const res = await request(app)
.post('/SASLogon/authorize')
.set('Cookie', [authCookies].join('; '))
.set('x-xsrf-token', csrfToken)
.send({ clientId })
expect(res.body).toHaveProperty('code')
})
it('should respond with Bad Request if CSRF Token is missing', async () => {
const res = await request(app)
.post('/SASLogon/authorize')
.set('Cookie', [authCookies].join('; '))
.send({ clientId })
.expect(400)
expect(res.text).toEqual('Invalid CSRF token!')
expect(res.body).toEqual({})
})
it('should respond with Bad Request if clientId is missing', async () => {
const res = await request(app)
.post('/SASLogon/authorize')
.set('Cookie', [authCookies].join('; '))
.set('x-xsrf-token', csrfToken)
.send({})
.expect(400)
expect(res.text).toEqual(`"clientId" is required`)
expect(res.body).toEqual({})
})
it('should respond with Forbidden if clientId is incorrect', async () => {
const res = await request(app)
.post('/SASLogon/authorize')
.set('Cookie', [authCookies].join('; '))
.set('x-xsrf-token', csrfToken)
.send({
clientId: 'WrongClientID'
})
.expect(403)
expect(res.text).toEqual('Error: Invalid clientId.')
expect(res.body).toEqual({})
})
})
})
const getCSRF = async (app: Express) => {
@@ -285,12 +284,3 @@ const extractCSRF = (text: string) =>
/<script>document.cookie = 'XSRF-TOKEN=(.*); Max-Age=86400; SameSite=Strict; Path=\/;'<\/script>/.exec(
text
)![1]
const deleteDocumentsFromLimitersCollections = async () => {
const { collections } = mongoose.connection
const login_fail_ip_per_day_collection = collections['login_fail_ip_per_day']
await login_fail_ip_per_day_collection.deleteMany({})
const login_fail_consecutive_username_and_ip_collection =
collections['login_fail_consecutive_username_and_ip']
await login_fail_consecutive_username_and_ip_collection.deleteMany({})
}

21
api/src/utils/rateLimiter.ts
View File

@@ -1,10 +1,9 @@
import mongoose from 'mongoose'
import { RateLimiterMongo } from 'rate-limiter-flexible'
import { RateLimiterMemory } from 'rate-limiter-flexible'
export class RateLimiter {
private static instance: RateLimiter
private limiterSlowBruteByIP: RateLimiterMongo
private limiterConsecutiveFailsByUsernameAndIP: RateLimiterMongo
private limiterSlowBruteByIP: RateLimiterMemory
private limiterConsecutiveFailsByUsernameAndIP: RateLimiterMemory
private maxWrongAttemptsByIpPerDay: number
private maxConsecutiveFailsByUsernameAndIp: number
@@ -19,19 +18,17 @@ export class RateLimiter {
MAX_CONSECUTIVE_FAILS_BY_USERNAME_AND_IP
)
this.limiterSlowBruteByIP = new RateLimiterMongo({
storeClient: mongoose.connection,
this.limiterSlowBruteByIP = new RateLimiterMemory({
keyPrefix: 'login_fail_ip_per_day',
points: this.maxWrongAttemptsByIpPerDay,
duration: 60 * 60 * 24,
blockDuration: 60 * 60 * 24 // Block for 1 day
})
this.limiterConsecutiveFailsByUsernameAndIP = new RateLimiterMongo({
storeClient: mongoose.connection,
this.limiterConsecutiveFailsByUsernameAndIP = new RateLimiterMemory({
keyPrefix: 'login_fail_consecutive_username_and_ip',
points: this.maxConsecutiveFailsByUsernameAndIp,
duration: 60 * 60 * 24 * 90, // Store number for 90 days since first fail
duration: 60 * 60 * 24 * 24, // Store number for 24 days since first fail
blockDuration: 60 * 60 // Block for 1 hour
})
}
@@ -60,8 +57,7 @@ export class RateLimiter {
this.limiterConsecutiveFailsByUsernameAndIP.get(usernameIPkey)
])
// NOTE: To make use of blockDuration option from RateLimiterMongo
// comparison in both following if statements should have greater than symbol
// NOTE: To make use of blockDuration option, comparison in both following if statements should have greater than symbol
// otherwise, blockDuration option will not work
// For more info see: https://github.com/animir/node-rate-limiter-flexible/wiki/Options#blockduration
@@ -103,10 +99,11 @@ export class RateLimiter {
if (rlRejected instanceof Error) {
throw rlRejected
} else {
// based upon the implementation of consume method of RateLimiterMongo
// based upon the implementation of consume method of RateLimiterMemory
// we are sure that rlRejected will contain msBeforeNext
// for further reference,
// see https://github.com/animir/node-rate-limiter-flexible/wiki/Overall-example#login-endpoint-protection
// or see https://github.com/animir/node-rate-limiter-flexible#ratelimiterres-object
return Math.ceil(rlRejected.msBeforeNext / 1000)
}
}