#2812 user cannot sign in too many failed attempts change (#2893)

* inceased number of attempts for requests * attempts reset on single-window-limiters for successfull requests, deleted skipping successfull attempts for signup and reset password link request
globaldothealth · Sep 29, 2022 · 1637675 · 1637675
1 parent aa9388c
commit 1637675
Show file tree

Hide file tree

Showing 3 changed files with 12 additions and 10 deletions.
diff --git a/verification/curator-service/api/src/controllers/auth.ts b/verification/curator-service/api/src/controllers/auth.ts
@@ -282,7 +282,7 @@ export class AuthController {
                         req.logIn(user, (err) => {
                             if (err) return next(err);
                         });
-
+                        loginLimiter.resetKey(req.ip);
                         res.status(200).json(user);
                     },
                 )(req, res, next);
@@ -475,6 +475,8 @@ export class AuthController {
                             .json({ message: 'Old password is incorrect' });
                     }
 
+                    resetPasswordLimiter.resetKey(req.ip);
+
                     updateFailedAttempts(
                         currentUser._id,
                         AttemptName.ResetPassword,
@@ -682,6 +684,8 @@ export class AuthController {
                     // Send confirmation email to the user
                     const user = result.value as IUser;
 
+                    resetPasswordWithTokenLimiter.resetKey(req.ip);
+
                     updateFailedAttempts(
                         userId,
                         AttemptName.ResetPasswordWithToken,

diff --git a/verification/curator-service/api/src/util/single-window-rate-limiters.ts b/verification/curator-service/api/src/util/single-window-rate-limiters.ts
@@ -2,7 +2,7 @@ import rateLimit from 'express-rate-limit';
 
 export const loginLimiter = rateLimit({
     windowMs: 60 * 60 * 1000, // 60 minutes
-    max: 4, // Limit each IP to 4 requests per `window` (here, per 20 minutes)
+    max: 6, // Limit each IP to 6 requests per `window` (here, per 60 minutes)
     standardHeaders: true, // Return rate limit info in the `RateLimit-*` headers
     legacyHeaders: false, // Disable the `X-RateLimit-*` headers
     handler: function (req, res /*next*/) {
@@ -15,7 +15,7 @@ export const loginLimiter = rateLimit({
 
 export const registerLimiter = rateLimit({
     windowMs: 60 * 60 * 1000, // 60 minutes
-    max: 4,
+    max: 6,
     standardHeaders: true,
     legacyHeaders: false,
     handler: function (req, res) {
@@ -24,12 +24,11 @@ export const registerLimiter = rateLimit({
                 'You sent too many requests. Please wait a while then try again',
         });
     },
-    skipSuccessfulRequests: true,
 });
 
 export const resetPasswordLimiter = rateLimit({
     windowMs: 60 * 60 * 1000, // 60 minutes
-    max: 4,
+    max: 6,
     standardHeaders: true,
     legacyHeaders: false,
     handler: function (req, res) {
@@ -43,7 +42,7 @@ export const resetPasswordLimiter = rateLimit({
 
 export const forgotPasswordLimiter = rateLimit({
     windowMs: 60 * 60 * 1000, // 60 minutes
-    max: 4,
+    max: 6,
     standardHeaders: true,
     legacyHeaders: false,
     handler: function (req, res) {
@@ -52,12 +51,11 @@ export const forgotPasswordLimiter = rateLimit({
                 'You sent too many requests. Please wait a while then try again',
         });
     },
-    skipSuccessfulRequests: true,
 });
 
 export const resetPasswordWithTokenLimiter = rateLimit({
     windowMs: 60 * 60 * 1000, // 60 minutes
-    max: 4,
+    max: 6,
     standardHeaders: true,
     legacyHeaders: false,
     handler: function (req, res) {

diff --git a/verification/curator-service/ui/cypress/integration/components/LandingPage.spec.ts b/verification/curator-service/ui/cypress/integration/components/LandingPage.spec.ts
@@ -218,7 +218,7 @@ describe('LandingPage', function () {
         cy.get('#password').type('tT$5aaaaak');
         cy.get('#passwordConfirmation').type('tT$5aaaaak');
         cy.get('#isAgreementChecked').check();
-        for (let i = 0; i < 5; i++) {
+        for (let i = 0; i < 7; i++) {
             // eslint-disable-next-line cypress/no-unnecessary-waiting
             cy.wait(1500);
             cy.get('button[data-testid="sign-up-button"]').click();
@@ -230,7 +230,7 @@ describe('LandingPage', function () {
         cy.contains('Sign in!').click();
         cy.get('#email').type('test@example.com');
         cy.get('#password').type('test');
-        for (let i = 0; i < 5; i++) {
+        for (let i = 0; i < 7; i++) {
             // eslint-disable-next-line cypress/no-unnecessary-waiting
             cy.wait(1500);
             cy.get('button[data-testid="sign-in-button"]').click();