Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

feat(security): RN-1108: Prevent too many login attempts #5861

Open
wants to merge 42 commits into
base: dev
Choose a base branch
from
Open

feat(security): RN-1108: Prevent too many login attempts #5861

wants to merge 42 commits into from

Conversation

tcaiger
Copy link
Contributor

@tcaiger tcaiger commented Aug 26, 2024
edited
Loading

Issue #: feat(security): RN-1108: Prevent too many login attempts

Changes:

  • Install rate-limiter-flexible package
  • Add login_attempts table to store rate limiting state based on node-rate-limiter docs
  • Create a new TupaiaRateLimiter class that handles rate limiting logic
  • Update authenticate endpoint handler to apply rate limiting

Screenshots:

Screenshot 2024-08-27 at 11 14 14 AM

rohan-bes
rohan-bes requested changes Aug 27, 2024
View reviewed changes
Copy link
Collaborator

@rohan-bes rohan-bes left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Looks really clean @tcaiger 🙏 Had a few comments, but also realised we totally forgot about the other auth methods, so might wanna chat about how we wanna handle them 👍

packages/central-server/src/apiV2/authenticate/TupaiaRateLimiter.js Outdated Show resolved Hide resolved
packages/central-server/src/apiV2/authenticate/TupaiaRateLimiter.js Outdated Show resolved Hide resolved
packages/central-server/src/apiV2/authenticate/TupaiaRateLimiter.js Outdated Show resolved Hide resolved
packages/central-server/src/apiV2/authenticate/authenticate.js Outdated Show resolved Hide resolved
packages/central-server/src/apiV2/authenticate/TupaiaRateLimiter.js Outdated Show resolved Hide resolved
packages/central-server/src/apiV2/authenticate/TupaiaRateLimiter.js Outdated Show resolved Hide resolved
packages/central-server/src/apiV2/authenticate/authenticate.js Show resolved Hide resolved
packages/central-server/src/apiV2/authenticate/authenticate.js Outdated Show resolved Hide resolved
packages/central-server/src/tests/apiV2/authenticate/authenticate.test.js Show resolved Hide resolved
rohan-bes
rohan-bes approved these changes Sep 9, 2024
View reviewed changes
Copy link
Collaborator

@rohan-bes rohan-bes left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Looks good! One comment about needing to check that it's password auth when checking if rate limited, but pre-approving 👍

packages/central-server/src/apiV2/authenticate/authenticate.js Show resolved Hide resolved
@tcaiger
Copy link
Contributor Author

tcaiger commented Sep 10, 2024

@rohan-bes This is ready for another review. I started working on adding the RateLimiting to the server-boilerplate middleware but then I decided that it is quite a big increase in scope since this ticket is called login rate limiting. Since the middleware change would involve adding rate limit handling to all micro-service requests, I think it should be a new ticket and be refined if it's something that we intend to do.

tcaiger and others added 18 commits October 15, 2024 16:07
@tcaiger
trust proxy
6ae1b73
@tcaiger
add public ip
363aa48
@tcaiger
update orchestration server
3acdc19
@tcaiger
add proxy to config
0a80d98
@tcaiger
use older version of public-ip
6fc4efe
@tcaiger
update central server
d2bd526
@tcaiger
remove console logs
fba35ef
@tcaiger
update type for custom headers
7489745
@tcaiger
temp rollback ip changes
f64b91e
@tcaiger
Merge branch 'dev' into rn-1108-prevent-too-many-login-attempts
2280165
@tcaiger
fix(auth): RN-1108: Securely read client ip for rate limiting (#5962)
cfe6f07 
* forward client ip to auth server when logging in

* set trust proxy in central server

* Update ApiBuilder.ts

* Update createApp.js
@tcaiger
Merge branch 'dev' into rn-1108-prevent-too-many-login-attempts
e2627bf
@tcaiger
Update authenticate.js
72194eb
@tcaiger
finish merge
ae94818
@tcaiger
Update createApp.js
def422e
@tcaiger
Update errors.test.ts
51c2af1
@avaek
Merge pull request #5983 from beyondessential/dev
8c12512 
merge: update branch with latest dev
@avaek
Merge pull request #5988 from beyondessential/dev
99847c9 
merge: update branch with latest dev
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@rohan-bes rohan-bes Awaiting requested review from rohan-bes

Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
3 participants
@tcaiger @rohan-bes @avaek