-
Notifications
You must be signed in to change notification settings - Fork 7
Commit
This commit does not belong to any branch on this repository, and may belong to a fork outside of the repository.
Merge pull request #6012 from beyondessential/dev
merge: update branch with latest dev
- Loading branch information
Showing
24 changed files
with
785 additions
and
341 deletions.
There are no files selected for viewing
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -1,5 +1,4 @@ | ||
|
||
JWT_SECRET= | ||
SESSION_COOKIE_SECRET= | ||
|
||
|
||
TRUSTED_PROXY_IPS= |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
94 changes: 94 additions & 0 deletions
94
packages/central-server/src/apiV2/authenticate/BruteForceRateLimiter.js
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,94 @@ | ||
/* | ||
* Tupaia | ||
* Copyright (c) 2017 - 2024 Beyond Essential Systems Pty Ltd | ||
*/ | ||
|
||
import { RateLimiterPostgres } from 'rate-limiter-flexible'; | ||
|
||
// Limit the number of wrong attempts per day per IP to 100 for the unit tests | ||
const MAX_WRONG_ATTEMPTS_BY_IP_PER_DAY = 100; | ||
|
||
/** | ||
* Singleton instances of RateLimiterPostgres | ||
*/ | ||
let postgresRateLimiter = null; | ||
|
||
/** | ||
* Rate limiter which limits the number of wrong attempts per day per IP | ||
*/ | ||
export class BruteForceRateLimiter { | ||
constructor(database) { | ||
if (!postgresRateLimiter) { | ||
postgresRateLimiter = new RateLimiterPostgres({ | ||
tableCreated: true, | ||
tableName: 'login_attempts', | ||
storeClient: database.connection, | ||
storeType: 'knex', | ||
keyPrefix: 'login_fail_ip_per_day', | ||
points: this.getMaxAttempts(), | ||
duration: 60 * 60 * 24, | ||
blockDuration: 60 * 60 * 24, // Block for 1 day, if 100 wrong attempts per day | ||
}); | ||
} | ||
// Reset the points with getMaxAttempts for test mocking | ||
postgresRateLimiter.points = this.getMaxAttempts(); | ||
this.postgresRateLimiter = postgresRateLimiter; | ||
} | ||
|
||
/** | ||
* Get the maximum number of failed attempts allowed per day. Useful for testing. | ||
* @returns {number} | ||
*/ | ||
getMaxAttempts() { | ||
return MAX_WRONG_ATTEMPTS_BY_IP_PER_DAY; | ||
} | ||
|
||
/** | ||
* Generate a key for the postgresRateLimiter based on the ip | ||
* @returns {string} | ||
*/ | ||
getIPkey(req) { | ||
return req.ip; | ||
} | ||
|
||
/** | ||
* Check if the user is rate limited | ||
* @returns {Promise<boolean>} | ||
*/ | ||
async checkIsRateLimited(req) { | ||
const slowBruteForceResponder = await this.postgresRateLimiter.get(this.getIPkey(req)); | ||
return ( | ||
slowBruteForceResponder !== null && | ||
slowBruteForceResponder.consumedPoints >= this.getMaxAttempts() | ||
); | ||
} | ||
|
||
/** | ||
* Get the time until the user can retry. | ||
* @returns {Promise<number>} Returns a number in milliseconds | ||
*/ | ||
async getRetryAfter(req) { | ||
try { | ||
await this.postgresRateLimiter.consume(this.getIPkey(req)); | ||
} catch (rlRejected) { | ||
return rlRejected.msBeforeNext; | ||
} | ||
} | ||
|
||
/** | ||
* Add a failed attempt to the rate limiter login_attempts table | ||
*/ | ||
async addFailedAttempt(req) { | ||
try { | ||
// Add a failed attempt to the rate limiter. Gets stored in the login_attempts table | ||
await this.postgresRateLimiter.consume(this.getIPkey(req)); | ||
} catch (rlRejected) { | ||
// node-rate-limiter is designed to reject the promise when saving failed attempts | ||
// We swallow the error here and let the original error bubble up | ||
} | ||
} | ||
|
||
async resetFailedAttempts(req) { | ||
await this.postgresRateLimiter.delete(this.getIPkey(req)); | ||
} | ||
} |
93 changes: 93 additions & 0 deletions
93
packages/central-server/src/apiV2/authenticate/ConsecutiveFailsRateLimiter.js
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,93 @@ | ||
/* | ||
* Tupaia | ||
* Copyright (c) 2017 - 2024 Beyond Essential Systems Pty Ltd | ||
*/ | ||
|
||
import { RateLimiterPostgres } from 'rate-limiter-flexible'; | ||
|
||
const MAX_CONSECUTIVE_FAILS_BY_USERNAME = 10; | ||
|
||
/** | ||
* Singleton instances of RateLimiterPostgres | ||
*/ | ||
let postgresRateLimiter = null; | ||
|
||
/** | ||
* Rate limiter which limits the number of consecutive failed attempts by username | ||
*/ | ||
export class ConsecutiveFailsRateLimiter { | ||
constructor(database) { | ||
if (!postgresRateLimiter) { | ||
postgresRateLimiter = new RateLimiterPostgres({ | ||
tableCreated: true, | ||
tableName: 'login_attempts', | ||
storeClient: database.connection, | ||
storeType: 'knex', | ||
keyPrefix: 'login_fail_consecutive_username', | ||
points: this.getMaxAttempts(), | ||
duration: 60 * 60 * 24 * 90, // Store number for 90 days since first fail | ||
blockDuration: 60 * 15, // Block for 15 minutes | ||
}); | ||
} | ||
// Reset the points with getMaxAttempts for test mocking | ||
postgresRateLimiter.points = this.getMaxAttempts(); | ||
this.postgresRateLimiter = postgresRateLimiter; | ||
} | ||
|
||
/** | ||
* Get the maximum number of consecutive failed attempts allowed. Useful for testing. | ||
* @returns {number} | ||
*/ | ||
getMaxAttempts() { | ||
return MAX_CONSECUTIVE_FAILS_BY_USERNAME; | ||
} | ||
|
||
/** | ||
* Generate a key for the postgresRateLimiter based on the username | ||
* @returns {string} | ||
*/ | ||
getUsernameKey(req) { | ||
const { body } = req; | ||
return body.emailAddress; | ||
} | ||
|
||
/** | ||
* Check if the user is rate limited | ||
* @returns {Promise<boolean>} | ||
*/ | ||
async checkIsRateLimited(req) { | ||
const maxConsecutiveFailsResponder = await this.postgresRateLimiter.get( | ||
this.getUsernameKey(req), | ||
); | ||
return ( | ||
maxConsecutiveFailsResponder !== null && | ||
maxConsecutiveFailsResponder.consumedPoints >= this.getMaxAttempts() | ||
); | ||
} | ||
|
||
/** | ||
* Get the time until the user can retry. | ||
* @returns {Promise<number>} Returns a number in milliseconds | ||
*/ | ||
async getRetryAfter(req) { | ||
try { | ||
await this.postgresRateLimiter.consume(this.getUsernameKey(req)); | ||
} catch (rlRejected) { | ||
return rlRejected.msBeforeNext; | ||
} | ||
} | ||
|
||
async addFailedAttempt(req) { | ||
try { | ||
// Add a failed attempt to the rate limiter. Gets stored in the login_attempts table | ||
await this.postgresRateLimiter.consume(this.getUsernameKey(req)); | ||
} catch (rlRejected) { | ||
// node-rate-limiter is designed to reject the promise when saving failed attempts | ||
// We swallow the error here and let the original error bubble up | ||
} | ||
} | ||
|
||
async resetFailedAttempts(req) { | ||
await this.postgresRateLimiter.delete(this.getUsernameKey(req)); | ||
} | ||
} |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
47 changes: 47 additions & 0 deletions
47
packages/central-server/src/apiV2/authenticate/checkUserLocationAccess.js
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,47 @@ | ||
/* | ||
* Tupaia | ||
* Copyright (c) 2017 - 2024 Beyond Essential Systems Pty Ltd | ||
*/ | ||
|
||
import { getCountryForTimezone } from 'countries-and-timezones'; | ||
import { createSupportTicket } from '../../utilities'; | ||
|
||
export const checkUserLocationAccess = async (req, user) => { | ||
if (!user) return; | ||
const { body, models } = req; | ||
const { timezone } = body; | ||
|
||
// The easiest way to get the country code is to use the timezone and get the most likely country using this timezone. This doesn't infringe on the user's privacy as the timezone is a very broad location. It also doesn't require the user to provide their location, which is a barrier to entry for some users. | ||
const country = getCountryForTimezone(timezone); | ||
if (!country) return; | ||
// the ID is the ISO country code. | ||
const { id, name } = country; | ||
|
||
const existingEntry = await models.userCountryAccessAttempt.findOne({ | ||
user_id: user.id, | ||
country_code: id, | ||
}); | ||
|
||
// If there is already an entry for this user and country, return | ||
if (existingEntry) return; | ||
|
||
const userEntryCount = await models.userCountryAccessAttempt.count({ | ||
user_id: user.id, | ||
}); | ||
|
||
const hasAnyEntries = userEntryCount > 0; | ||
|
||
await models.userCountryAccessAttempt.create({ | ||
user_id: user.id, | ||
country_code: id, | ||
}); | ||
|
||
// Don't send an email if this is the first time the user has attempted to login | ||
if (!hasAnyEntries) return; | ||
|
||
// create a support ticket if the user has attempted to login from a new country | ||
await createSupportTicket( | ||
'User attempted to login from a new country', | ||
`User ${user.first_name} ${user.last_name} (${user.id} - ${user.email}) attempted to access Tupaia from a new country: ${name}`, | ||
); | ||
}; |
Oops, something went wrong.