chore: Rate limiter audit (#3965)

* chore: Rate limiter audit api/users * Make requests required * api/collections * Remove checkRateLimit on FileOperation (now done at route level through rate limiter) * auth rate limit * Add metric logging when rate limit exceeded * Refactor to shared configs * test
2022-08-14 16:04:04 +01:00
parent 9338328a82
commit a326e0ee88
14 changed files with 367 additions and 282 deletions
--- a/server/routes/auth/index.ts
+++ b/server/routes/auth/index.ts
@@ -5,12 +5,15 @@ import bodyParser from "koa-body";
 import Router from "koa-router";
 import { AuthenticationError } from "@server/errors";
 import auth from "@server/middlewares/authentication";
+import { defaultRateLimiter } from "@server/middlewares/rateLimiter";
 import { Collection, Team, View } from "@server/models";
 import providers from "./providers";

 const app = new Koa();
 const router = new Router();
+
 router.use(passport.initialize());
+router.use(defaultRateLimiter());

 // dynamically load available authentication provider routes
 providers.forEach((provider) => {
--- a/server/routes/auth/providers/email.ts
+++ b/server/routes/auth/providers/email.ts
@@ -1,7 +1,7 @@
-import { subMinutes } from "date-fns";
 import Router from "koa-router";
 import { find } from "lodash";
 import { parseDomain } from "@shared/utils/domains";
+import { RateLimiterStrategy } from "@server/RateLimiter";
 import InviteAcceptedEmail from "@server/emails/templates/InviteAcceptedEmail";
 import SigninEmail from "@server/emails/templates/SigninEmail";
 import WelcomeEmail from "@server/emails/templates/WelcomeEmail";
@@ -9,6 +9,7 @@ import env from "@server/env";
 import { AuthorizationError } from "@server/errors";
 import errorHandling from "@server/middlewares/errorHandling";
 import methodOverride from "@server/middlewares/methodOverride";
+import { rateLimiter } from "@server/middlewares/rateLimiter";
 import { User, Team } from "@server/models";
 import { signIn } from "@server/utils/authentication";
 import { getUserForEmailSigninToken } from "@server/utils/jwt";
@@ -23,102 +24,94 @@ export const config = {

 router.use(methodOverride());

-router.post("email", errorHandling(), async (ctx) => {
-  const { email } = ctx.body;
-  assertEmail(email, "email is required");
-  const users = await User.scope("withAuthentications").findAll({
-    where: {
-      email: email.toLowerCase(),
-    },
-  });
-
-  if (users.length) {
-    let team!: Team | null;
-    const domain = parseDomain(ctx.request.hostname);
-
-    if (domain.custom) {
-      team = await Team.scope("withAuthenticationProviders").findOne({
-        where: {
-          domain: ctx.request.hostname,
-        },
-      });
-    } else if (env.SUBDOMAINS_ENABLED && domain.teamSubdomain) {
-      team = await Team.scope("withAuthenticationProviders").findOne({
-        where: {
-          subdomain: domain.teamSubdomain,
-        },
-      });
-    }
-
-    // If there are multiple users with this email address then give precedence
-    // to the one that is active on this subdomain/domain (if any)
-    let user = users.find((user) => team && user.teamId === team.id);
-
-    // A user was found for the email address, but they don't belong to the team
-    // that this subdomain belongs to, we load their team and allow the logic to
-    // continue
-    if (!user) {
-      user = users[0];
-      team = await Team.scope("withAuthenticationProviders").findByPk(
-        user.teamId
-      );
-    }
-
-    if (!team) {
-      team = await Team.scope("withAuthenticationProviders").findByPk(
-        user.teamId
-      );
-    }
-
-    if (!team) {
-      ctx.redirect(`/?notice=auth-error`);
-      return;
-    }
-
-    // If the user matches an email address associated with an SSO
-    // provider then just forward them directly to that sign-in page
-    if (user.authentications.length) {
-      const authProvider = find(team.authenticationProviders, {
-        id: user.authentications[0].authenticationProviderId,
-      });
-      ctx.body = {
-        redirect: `${team.url}/auth/${authProvider?.name}`,
-      };
-      return;
-    }
-
-    if (!team.emailSigninEnabled) {
-      throw AuthorizationError();
-    }
-
-    // basic rate limit of endpoint to prevent send email abuse
-    if (
-      user.lastSigninEmailSentAt &&
-      user.lastSigninEmailSentAt > subMinutes(new Date(), 2)
-    ) {
-      ctx.body = {
-        redirect: `${team.url}?notice=email-auth-ratelimit`,
-        message: "Rate limit exceeded",
-        success: false,
-      };
-      return;
-    }
-
-    // send email to users registered address with a short-lived token
-    await SigninEmail.schedule({
-      to: user.email,
-      token: user.getEmailSigninToken(),
-      teamUrl: team.url,
+router.post(
+  "email",
+  errorHandling(),
+  rateLimiter(RateLimiterStrategy.TenPerHour),
+  async (ctx) => {
+    const { email } = ctx.body;
+    assertEmail(email, "email is required");
+    const users = await User.scope("withAuthentications").findAll({
+      where: {
+        email: email.toLowerCase(),
+      },
    });
-    user.lastSigninEmailSentAt = new Date();
-    await user.save();
-  }

-  // respond with success regardless of whether an email was sent
-  ctx.body = {
-    success: true,
-  };
-});
+    if (users.length) {
+      let team!: Team | null;
+      const domain = parseDomain(ctx.request.hostname);
+
+      if (domain.custom) {
+        team = await Team.scope("withAuthenticationProviders").findOne({
+          where: {
+            domain: ctx.request.hostname,
+          },
+        });
+      } else if (env.SUBDOMAINS_ENABLED && domain.teamSubdomain) {
+        team = await Team.scope("withAuthenticationProviders").findOne({
+          where: {
+            subdomain: domain.teamSubdomain,
+          },
+        });
+      }
+
+      // If there are multiple users with this email address then give precedence
+      // to the one that is active on this subdomain/domain (if any)
+      let user = users.find((user) => team && user.teamId === team.id);
+
+      // A user was found for the email address, but they don't belong to the team
+      // that this subdomain belongs to, we load their team and allow the logic to
+      // continue
+      if (!user) {
+        user = users[0];
+        team = await Team.scope("withAuthenticationProviders").findByPk(
+          user.teamId
+        );
+      }
+
+      if (!team) {
+        team = await Team.scope("withAuthenticationProviders").findByPk(
+          user.teamId
+        );
+      }
+
+      if (!team) {
+        ctx.redirect(`/?notice=auth-error`);
+        return;
+      }
+
+      // If the user matches an email address associated with an SSO
+      // provider then just forward them directly to that sign-in page
+      if (user.authentications.length) {
+        const authProvider = find(team.authenticationProviders, {
+          id: user.authentications[0].authenticationProviderId,
+        });
+        ctx.body = {
+          redirect: `${team.url}/auth/${authProvider?.name}`,
+        };
+        return;
+      }
+
+      if (!team.emailSigninEnabled) {
+        throw AuthorizationError();
+      }
+
+      // send email to users registered address with a short-lived token
+      await SigninEmail.schedule({
+        to: user.email,
+        token: user.getEmailSigninToken(),
+        teamUrl: team.url,
+      });
+      user.lastSigninEmailSentAt = new Date();
+      await user.save();
+    }
+
+    // respond with success regardless of whether an email was sent
+    ctx.body = {
+      success: true,
+    };
+  }
+);

 router.get("email.callback", async (ctx) => {
  const { token } = ctx.request.query;