feat(security): RN-1108: Prevent too many login attempts

packages/central-server/examples.http

@@ -9,7 +9,7 @@
 
 # @name login
 POST {{baseUrl}}/auth HTTP/2.0
-Authorization: Basic meditrak_client:{{meditrak-app-secret}}
+Authorization: Basic meditrak_client {{meditrak-app-secret}}
 content-type: {{contentType}}
 
 {

packages/central-server/package.json

@@ -63,6 +63,7 @@
     "morgan": "^1.9.0",
     "multer": "^1.4.3",
     "public-ip": "^2.5.0",
+    "rate-limiter-flexible": "^5.0.3",
     "react-autobind": "^1.0.6",
     "react-native-uuid": "^1.4.9",
     "s3urls": "^1.5.2",

packages/central-server/src/apiV2/authenticate/BruteForceRateLimiter.js

@@ -0,0 +1,94 @@
+/*
+ * Tupaia
+ *  Copyright (c) 2017 - 2024 Beyond Essential Systems Pty Ltd
+ */
+
+import { RateLimiterPostgres } from 'rate-limiter-flexible';
+import { respond } from '@tupaia/utils';
+
+// Limit the number of wrong attempts per day per IP to 10 for the unit tests
+const MAX_WRONG_ATTEMPTS_BY_IP_PER_DAY = 100;
+
+/**
+ * Singleton instances of RateLimiterPostgres
+ */
+let postgresRateLimiter = null;
+
+/**
+ * Rate limiter which limits the number of wrong attempts per day per IP
+ */
+export class BruteForceRateLimiter {
+  constructor(database) {
+    if (!postgresRateLimiter) {
+      postgresRateLimiter = new RateLimiterPostgres({
+        tableCreated: true,
+        tableName: 'login_attempts',
+        storeClient: database.connection,
+        storeType: 'knex',
+        keyPrefix: 'login_fail_ip_per_day',
+        points: this.getMaxAttempts(),
+        duration: 60 * 60 * 24,
+        blockDuration: 60 * 60 * 24, // Block for 1 day, if 100 wrong attempts per day
+      });
+    }
+
+    this.postgresRateLimiter = postgresRateLimiter;
+  }
+
+  /**
+   * Get the maximum number of failed attempts allowed per day. Useful for testing.
+   * @returns {number}
+   */
+  getMaxAttempts() {
+    return MAX_WRONG_ATTEMPTS_BY_IP_PER_DAY;
+  }
+
+  /**
+   * Generate a key for the postgresRateLimiter based on the ip
+   * @returns {string}
+   */
+  getIPkey(req) {
+    return req.ip;
+  }
+
+  /**
+   * Check if the user is rate limited
+   * @returns {Promise<boolean>}
+   */
+  async checkIsRateLimited(req) {
+    const slowBruteForceResponder = await this.postgresRateLimiter.get(this.getIPkey(req));
+    return (
+      slowBruteForceResponder !== null &&
+      slowBruteForceResponder.consumedPoints >= this.getMaxAttempts()
+    );
+  }
+
+  /**
+   * Get the time until the user can retry.
+   * @returns {Promise<number>}  Returns a number in milliseconds
+   */
+  async getRetryAfter(req) {
+    try {
+      await this.postgresRateLimiter.consume(this.getIPkey(req));
+    } catch (rlRejected) {
+      return rlRejected.msBeforeNext;
+    }
+  }
+
+  /**
+   * Add a failed attempt to the rate limiter login_attempts table
+   */
+  async addFailedAttempt(req) {
+    try {
+      // Add a failed attempt to the rate limiter. Gets stored in the login_attempts table
+      await this.postgresRateLimiter.consume(this.getIPkey(req));
+    } catch (rlRejected) {
+      // node-rate-limiter is designed to reject the promise when saving failed attempts
+      // We swallow the error here and let the original error bubble up
+    }
+  }
+
+  async resetFailedAttempts(req) {
+    await this.postgresRateLimiter.delete(this.getIPkey(req));
+  }
+}

packages/central-server/src/apiV2/authenticate/ConsecutiveFailsRateLimiter.js

@@ -0,0 +1,93 @@
+/*
+ * Tupaia
+ *  Copyright (c) 2017 - 2024 Beyond Essential Systems Pty Ltd
+ */
+
+import { RateLimiterPostgres } from 'rate-limiter-flexible';
+import { respond } from '@tupaia/utils';
+
+const MAX_CONSECUTIVE_FAILS_BY_USERNAME = 10;
+
+/**
+ * Singleton instances of RateLimiterPostgres
+ */
+let postgresRateLimiter = null;
+
+/**
+ * Rate limiter which limits the number of consecutive failed attempts by username
+ */
+export class ConsecutiveFailsRateLimiter {
+  constructor(database) {
+    if (!postgresRateLimiter) {
+      postgresRateLimiter = new RateLimiterPostgres({
+        tableCreated: true,
+        tableName: 'login_attempts',
+        storeClient: database.connection,
+        storeType: 'knex',
+        keyPrefix: 'login_fail_consecutive_username',
+        points: this.getMaxAttempts(),
+        duration: 60 * 60 * 24 * 90, // Store number for 90 days since first fail
+        blockDuration: 60 * 15, // Block for 15 minutes
+      });
+    }
+
+    this.postgresRateLimiter = postgresRateLimiter;
+  }
+
+  /**
+   * Get the maximum number of consecutive failed attempts allowed. Useful for testing.
+   * @returns {number}
+   */
+  getMaxAttempts() {
+    return MAX_CONSECUTIVE_FAILS_BY_USERNAME;
+  }
+
+  /**
+   * Generate a key for the postgresRateLimiter based on the username and ip
+   * @returns {string}
+   */
+  getUsernameIPkey(req) {
+    const { ip, body } = req;
+    return `${body.emailAddress}_${ip}`;
+  }
+
+  /**
+   * Check if the user is rate limited
+   * @returns {Promise<boolean>}
+   */
+  async checkIsRateLimited(req) {
+    const maxConsecutiveFailsResponder = await this.postgresRateLimiter.get(
+      this.getUsernameIPkey(req),
+    );
+    return (
+      maxConsecutiveFailsResponder !== null &&
+      maxConsecutiveFailsResponder.consumedPoints >= this.getMaxAttempts()
+    );
+  }
+
+  /**
+   * Get the time until the user can retry.
+   * @returns {Promise<number>}  Returns a number in milliseconds
+   */
+  async getRetryAfter(req) {
+    try {
+      await this.postgresRateLimiter.consume(this.getUsernameIPkey(req));
+    } catch (rlRejected) {
+      return rlRejected.msBeforeNext;
+    }
+  }
+
+  async addFailedAttempt(req) {
+    try {
+      // Add a failed attempt to the rate limiter. Gets stored in the login_attempts table
+      await this.postgresRateLimiter.consume(this.getUsernameIPkey(req));
+    } catch (rlRejected) {
+      // node-rate-limiter is designed to reject the promise when saving failed attempts
+      // We swallow the error here and let the original error bubble up
+    }
+  }
+
+  async resetFailedAttempts(req) {
+    await this.postgresRateLimiter.delete(this.getUsernameIPkey(req));
+  }
+}

packages/central-server/src/apiV2/authenticate.js → packages/central-server/src/apiV2/authenticate/authenticate.js

@@ -1,13 +1,13 @@
-/**
- * Tupaia MediTrak
- * Copyright (c) 2017 Beyond Essential Systems Pty Ltd
+/*
+ * Tupaia
+ *  Copyright (c) 2017 - 2024 Beyond Essential Systems Pty Ltd
  */
-
 import winston from 'winston';
-
 import { getAuthorizationObject, getUserAndPassFromBasicAuth } from '@tupaia/auth';
 import { respond, reduceToDictionary } from '@tupaia/utils';
-import { allowNoPermissions } from '../permissions';
+import { allowNoPermissions } from '../../permissions';
+import { ConsecutiveFailsRateLimiter } from './ConsecutiveFailsRateLimiter';
+import { BruteForceRateLimiter } from './BruteForceRateLimiter';
 
 const GRANT_TYPES = {
   PASSWORD: 'password',
@@ -98,6 +98,13 @@ const checkApiClientAuthentication = async req => {
   }
 };
 
+async function respondToRateLimitedUser(msBeforeNext, res) {
+  const retrySecs = Math.round(msBeforeNext / 1000) || 1;
+  const retryMins = Math.round(retrySecs / 60) || 1;
+  res.set('Retry-After', retrySecs);
+  return respond(res, { error: `Too Many Requests. Retry in ${retryMins} min(s)` }, 429);
+}
+
 /**
  * Handler for a POST to the /auth endpoint
  * By default, or if URL parameters include grantType=password, will check the email address and
@@ -108,23 +115,53 @@ const checkApiClientAuthentication = async req => {
  * and if valid, returns a new JWT token that can be used for accessing the API
  * Override grants to do recursive authentication, for example when creating a new user.
  */
+
 export async function authenticate(req, res) {
   await req.assertPermissions(allowNoPermissions);
+  const { grantType } = req.query;
+  const consecutiveFailsRateLimiter = new ConsecutiveFailsRateLimiter(req.database);
+  const bruteForceRateLimiter = new BruteForceRateLimiter(req.database);
 
-  const { refreshToken, user, accessPolicy } = await checkUserAuthentication(req);
-  const { user: apiClientUser } = await checkApiClientAuthentication(req);
+  if (await bruteForceRateLimiter.checkIsRateLimited(req)) {
+    const msBeforeNext = await bruteForceRateLimiter.getRetryAfter(req);
+    return respondToRateLimitedUser(msBeforeNext, res);
+  }
 
-  const permissionGroupsByCountryId = await extractPermissionGroupsIfLegacy(
-    req.models,
-    accessPolicy,
-  );
-  const authorizationObject = await getAuthorizationObject({
-    refreshToken,
-    user,
-    accessPolicy,
-    apiClientUser,
-    permissionGroups: permissionGroupsByCountryId,
-  });
-
-  respond(res, authorizationObject);
+  if (await consecutiveFailsRateLimiter.checkIsRateLimited(req)) {
+    const msBeforeNext = await consecutiveFailsRateLimiter.getRetryAfter(req);
+    return respondToRateLimitedUser(msBeforeNext, res);
+  }
+
+  // Check if the user is authorised
+  try {
+    const { refreshToken, user, accessPolicy } = await checkUserAuthentication(req);
+    const { user: apiClientUser } = await checkApiClientAuthentication(req);
+    const permissionGroupsByCountryId = await extractPermissionGroupsIfLegacy(
+      req.models,
+      accessPolicy,
+    );
+
+    const authorizationObject = await getAuthorizationObject({
+      refreshToken,
+      user,
+      accessPolicy,
+      apiClientUser,
+      permissionGroups: permissionGroupsByCountryId,
+    });
+
+    // Reset on successful authorisation
+    await consecutiveFailsRateLimiter.resetFailedAttempts(req);
+    await bruteForceRateLimiter.resetFailedAttempts(req);
+    respond(res, authorizationObject, 200);
+  } catch (authError) {
+    if (authError.statusCode === 401) {
+      // Record failed login attempt to rate limiter
+      await bruteForceRateLimiter.addFailedAttempt(req);
+      if (grantType === GRANT_TYPES.PASSWORD) {
+        await consecutiveFailsRateLimiter.addFailedAttempt(req);
+      }
+    }
+
+    throw authError;
+  }
 }

packages/central-server/src/apiV2/authenticate/index.js

@@ -0,0 +1,6 @@
+/*
+ * Tupaia
+ *  Copyright (c) 2017 - 2024 Beyond Essential Systems Pty Ltd
+ */
+
+export { authenticate } from './authenticate';