feat: prevent brute force attack by rate limiting login endpoint

2026-01-10 16:00:05 +00:00 · 2023-03-28 21:43:10 +05:00
parent c4066d32a0
commit a82cabb001
13 changed files with 286 additions and 16 deletions
--- a/api/src/routes/api/spec/web.spec.ts
+++ b/api/src/routes/api/spec/web.spec.ts
@@ -47,7 +47,7 @@ describe('web', () => {
    })
  })

-  describe('SASLogon/login', () => {
+  describe.only('SASLogon/login', () => {
    let csrfToken: string

    beforeAll(async () => {
@@ -63,6 +63,7 @@ describe('web', () => {
    it('should respond with successful login', async () => {
      await userController.createUser(user)

+      process.dbInstance = con
      const res = await request(app)
        .post('/SASLogon/login')
        .set('x-xsrf-token', csrfToken)
@@ -82,6 +83,72 @@ describe('web', () => {
      })
    })

+    it('should respond with too many requests when attempting with invalid password for a same user 10 times', async () => {
+      await userController.createUser(user)
+
+      process.dbInstance = con
+
+      const promises: request.Test[] = []
+
+      Array(10)
+        .fill(0)
+        .map((_, i) => {
+          promises.push(
+            request(app)
+              .post('/SASLogon/login')
+              .set('x-xsrf-token', csrfToken)
+              .send({
+                username: user.username,
+                password: 'invalid-password'
+              })
+          )
+        })
+
+      await Promise.all(promises)
+
+      const res = await request(app)
+        .post('/SASLogon/login')
+        .set('x-xsrf-token', csrfToken)
+        .send({
+          username: user.username,
+          password: user.password
+        })
+        .expect(429)
+    })
+
+    it.only('should respond with too many requests when attempting with invalid credentials for different users but with same ip 100 times', async () => {
+      await userController.createUser(user)
+
+      process.dbInstance = con
+
+      const promises: request.Test[] = []
+
+      Array(100)
+        .fill(0)
+        .map((_, i) => {
+          promises.push(
+            request(app)
+              .post('/SASLogon/login')
+              .set('x-xsrf-token', csrfToken)
+              .send({
+                username: `user${i}`,
+                password: 'invalid-password'
+              })
+          )
+        })
+
+      await Promise.all(promises)
+
+      const res = await request(app)
+        .post('/SASLogon/login')
+        .set('x-xsrf-token', csrfToken)
+        .send({
+          username: user.username,
+          password: user.password
+        })
+        .expect(429)
+    })
+
    it('should respond with Bad Request if CSRF Token is not present', async () => {
      await userController.createUser(user)

--- a/api/src/routes/web/web.ts
+++ b/api/src/routes/web/web.ts
@@ -35,7 +35,11 @@ webRouter.post('/SASLogon/login', desktopRestrict, async (req, res) => {
    const response = await controller.login(req, body)
    res.send(response)
  } catch (err: any) {
-    res.status(403).send(err.toString())
+    if (err instanceof Error) {
+      res.status(500).send(err.toString())
+    } else {
+      res.status(err.code).send(err.message)
+    }
  }
 })