feat: Fix rate limit issue

Signed-off-by: ABHAY PANDEY <pandeyabhay967@gmail.com>

Author: Ferryx349

resources/default-settings.yaml

@@ -112,6 +112,19 @@ limits:
       - "::1"
       - "10.10.10.1"
       - "::ffff:10.10.10.1"
+  admin:
+    rateLimits:
+      - description: 30 admin requests/min
+        period: 60000
+        rate: 30
+    loginRateLimits:
+      - description: 10 login attempts per 15 minutes
+        period: 900000
+        rate: 10
+    ipWhitelist:
+      - "::1"
+      - "10.10.10.1"
+      - "::ffff:10.10.10.1"
   connection:
     rateLimits:
       - period: 1000

src/@types/settings.ts

@@ -141,10 +141,17 @@ export interface AdmissionCheckLimits {
   ipWhitelist?: string[]
 }
 
+export interface AdminLimits {
+  rateLimits?: RateLimit[]
+  loginRateLimits?: RateLimit[]
+  ipWhitelist?: string[]
+}
+
 export interface Limits {
   rateLimiter?: RateLimiterSettings
   invoice?: InvoiceLimits
   admissionCheck?: AdmissionCheckLimits
+  admin?: AdminLimits
   connection?: ConnectionLimits
   client?: ClientLimits
   event?: EventLimits

src/controllers/admin/get-health-controller.ts

@@ -1,10 +1,25 @@
 import { Request, Response } from 'express'
 
 import { IController } from '../../@types/controllers'
+import { Settings } from '../../@types/settings'
+import { IRateLimiter } from '../../@types/utils'
 import { collectAdminHealthSnapshot } from '../../utils/admin-health'
+import { isAdminRateLimited } from '../../utils/admin-rate-limit'
 
 export class GetAdminHealthController implements IController {
-  public async handleRequest(_request: Request, response: Response): Promise<void> {
+  public constructor(
+    private readonly settings: () => Settings,
+    private readonly rateLimiter: () => IRateLimiter,
+  ) {}
+
+  public async handleRequest(request: Request, response: Response): Promise<void> {
+    const currentSettings = this.settings()
+
+    if (await isAdminRateLimited(request, currentSettings, this.rateLimiter, 'admin')) {
+      response.status(429).setHeader('content-type', 'application/json').send(JSON.stringify({ error: 'Too many requests' }))
+      return
+    }
+
     const health = await collectAdminHealthSnapshot()
     response.status(200).setHeader('content-type', 'application/json').send(JSON.stringify(health))
   }

src/controllers/admin/get-session-controller.ts

@@ -2,11 +2,25 @@ import { Request, Response } from 'express'
 
 import { IAdminAuthProvider } from '../../@types/admin'
 import { IController } from '../../@types/controllers'
+import { Settings } from '../../@types/settings'
+import { IRateLimiter } from '../../@types/utils'
+import { isAdminRateLimited } from '../../utils/admin-rate-limit'
 
 export class GetAdminSessionController implements IController {
-  public constructor(private readonly authProvider: IAdminAuthProvider) {}
+  public constructor(
+    private readonly authProvider: IAdminAuthProvider,
+    private readonly settings: () => Settings,
+    private readonly rateLimiter: () => IRateLimiter,
+  ) {}
 
   public async handleRequest(request: Request, response: Response): Promise<void> {
+    const currentSettings = this.settings()
+
+    if (await isAdminRateLimited(request, currentSettings, this.rateLimiter, 'admin')) {
+      response.status(429).setHeader('content-type', 'application/json').send(JSON.stringify({ error: 'Too many requests' }))
+      return
+    }
+
     if (!this.authProvider.isRequestAuthenticated(request)) {
       response.status(401).setHeader('content-type', 'application/json').send(JSON.stringify({ error: 'Unauthorized' }))
       return

src/controllers/admin/post-login-controller.ts

@@ -2,11 +2,25 @@ import { Request, Response } from 'express'
 
 import { IAdminAuthProvider } from '../../@types/admin'
 import { IController } from '../../@types/controllers'
+import { Settings } from '../../@types/settings'
+import { IRateLimiter } from '../../@types/utils'
+import { isAdminRateLimited } from '../../utils/admin-rate-limit'
 
 export class PostAdminLoginController implements IController {
-  public constructor(private readonly authProvider: IAdminAuthProvider) {}
+  public constructor(
+    private readonly authProvider: IAdminAuthProvider,
+    private readonly settings: () => Settings,
+    private readonly rateLimiter: () => IRateLimiter,
+  ) {}
 
   public async handleRequest(request: Request, response: Response): Promise<void> {
+    const currentSettings = this.settings()
+
+    if (await isAdminRateLimited(request, currentSettings, this.rateLimiter, 'login')) {
+      response.status(429).setHeader('content-type', 'application/json').send(JSON.stringify({ error: 'Too many requests' }))
+      return
+    }
+
     await this.authProvider.handleLogin(request, response)
   }
 }

src/factories/controllers/get-admin-health-controller-factory.ts

@@ -1,6 +1,8 @@
 import { GetAdminHealthController } from '../../controllers/admin/get-health-controller'
 import { IController } from '../../@types/controllers'
+import { createSettings } from '../settings-factory'
+import { rateLimiterFactory } from '../rate-limiter-factory'
 
 export const createGetAdminHealthController = (): IController => {
-  return new GetAdminHealthController()
+  return new GetAdminHealthController(createSettings, rateLimiterFactory)
 }

src/factories/controllers/get-admin-session-controller-factory.ts

@@ -1,7 +1,9 @@
 import { GetAdminSessionController } from '../../controllers/admin/get-session-controller'
 import { IController } from '../../@types/controllers'
 import { createAdminAuthProvider } from '../admin-auth-provider-factory'
+import { createSettings } from '../settings-factory'
+import { rateLimiterFactory } from '../rate-limiter-factory'
 
 export const createGetAdminSessionController = (): IController => {
-  return new GetAdminSessionController(createAdminAuthProvider())
+  return new GetAdminSessionController(createAdminAuthProvider(), createSettings, rateLimiterFactory)
 }

src/factories/controllers/post-admin-login-controller-factory.ts

@@ -1,7 +1,9 @@
 import { PostAdminLoginController } from '../../controllers/admin/post-login-controller'
 import { IController } from '../../@types/controllers'
 import { createAdminAuthProvider } from '../admin-auth-provider-factory'
+import { createSettings } from '../settings-factory'
+import { rateLimiterFactory } from '../rate-limiter-factory'
 
 export const createPostAdminLoginController = (): IController => {
-  return new PostAdminLoginController(createAdminAuthProvider())
+  return new PostAdminLoginController(createAdminAuthProvider(), createSettings, rateLimiterFactory)
 }

src/utils/admin-rate-limit.ts

@@ -0,0 +1,38 @@
+import { path } from 'ramda'
+import { Request } from 'express'
+
+import { Settings } from '../@types/settings'
+import { IRateLimiter } from '../@types/utils'
+import { createLogger } from '../factories/logger-factory'
+import { getRemoteAddress } from './http'
+
+const logger = createLogger('admin-rate-limit')
+
+export async function isAdminRateLimited(
+  request: Request,
+  settings: Settings,
+  rateLimiterFactory: () => IRateLimiter,
+  scope: 'login' | 'admin',
+): Promise<boolean> {
+  const rateLimitsKey = scope === 'login' ? 'loginRateLimits' : 'rateLimits'
+  const rateLimits = path(['limits', 'admin', rateLimitsKey], settings)
+  if (!Array.isArray(rateLimits) || !rateLimits.length) {
+    return false
+  }
+
+  const ipWhitelist = path(['limits', 'admin', 'ipWhitelist'], settings)
+  const remoteAddress = getRemoteAddress(request, settings)
+
+  let limited = false
+  if (Array.isArray(ipWhitelist) && !ipWhitelist.includes(remoteAddress)) {
+    const rateLimiter = rateLimiterFactory()
+    for (const { rate, period } of rateLimits) {
+      if (await rateLimiter.hit(`${remoteAddress}:admin-${scope}:${period}`, 1, { period, rate })) {
+        logger('rate limited %s: %d in %d milliseconds', remoteAddress, rate, period)
+        limited = true
+      }
+    }
+  }
+
+  return limited
+}

test/unit/utils/admin-rate-limit.spec.ts

@@ -0,0 +1,64 @@
+import chai from 'chai'
+import sinon from 'sinon'
+import sinonChai from 'sinon-chai'
+
+import { isAdminRateLimited } from '../../../src/utils/admin-rate-limit'
+
+chai.use(sinonChai)
+const { expect } = chai
+
+describe('isAdminRateLimited', () => {
+  const baseSettings = {
+    network: {
+      remoteIpHeader: 'x-forwarded-for',
+    },
+    limits: {
+      admin: {
+        rateLimits: [{ rate: 30, period: 60000 }],
+        loginRateLimits: [{ rate: 10, period: 900000 }],
+        ipWhitelist: [],
+      },
+    },
+  }
+
+  const makeRequest = (remoteAddress = '1.2.3.4') =>
+    ({
+      headers: {},
+      connection: { remoteAddress },
+      socket: { remoteAddress },
+    }) as any
+
+  it('returns false when no rate limits are configured', async () => {
+    const rateLimiter = { hit: sinon.stub().resolves(false) }
+    const settings = { ...baseSettings, limits: { admin: { ipWhitelist: [] } } }
+
+    const limited = await isAdminRateLimited(makeRequest(), settings as any, () => rateLimiter, 'admin')
+
+    expect(limited).to.equal(false)
+    expect(rateLimiter.hit).not.to.have.been.called
+  })
+
+  it('returns true when login rate limit is exceeded', async () => {
+    const rateLimiter = { hit: sinon.stub().resolves(true) }
+
+    const limited = await isAdminRateLimited(makeRequest(), baseSettings as any, () => rateLimiter, 'login')
+
+    expect(limited).to.equal(true)
+    expect(rateLimiter.hit).to.have.been.calledOnceWithExactly('1.2.3.4:admin-login:900000', 1, {
+      period: 900000,
+      rate: 10,
+    })
+  })
+
+  it('returns true when admin route rate limit is exceeded', async () => {
+    const rateLimiter = { hit: sinon.stub().resolves(true) }
+
+    const limited = await isAdminRateLimited(makeRequest(), baseSettings as any, () => rateLimiter, 'admin')
+
+    expect(limited).to.equal(true)
+    expect(rateLimiter.hit).to.have.been.calledOnceWithExactly('1.2.3.4:admin-admin:60000', 1, {
+      period: 60000,
+      rate: 30,
+    })
+  })
+})