From f9d2bb6a74d732786888441cd1c6b2ab924aa890 Mon Sep 17 00:00:00 2001
From: Oskar Kocjan
Date: Wed, 21 Sep 2022 07:47:00 +0200
Subject: [PATCH 1/6] inceased number of attempts for requests

---
 .../api/src/util/single-window-rate-limiters.ts | 8 ++++----
 1 file changed, 4 insertions(+), 4 deletions(-)

diff --git a/verification/curator-service/api/src/util/single-window-rate-limiters.ts b/verification/curator-service/api/src/util/single-window-rate-limiters.ts
index 6c78a463f..8e4a7947e 100644
--- a/verification/curator-service/api/src/util/single-window-rate-limiters.ts
+++ b/verification/curator-service/api/src/util/single-window-rate-limiters.ts
@@ -2,7 +2,7 @@ import rateLimit from 'express-rate-limit';
 
 export const loginLimiter = rateLimit({
 windowMs: 60 * 60 * 1000, // 60 minutes
- max: 4, // Limit each IP to 4 requests per `window` (here, per 20 minutes)
+ max: 6, // Limit each IP to 4 requests per `window` (here, per 20 minutes)
 standardHeaders: true, // Return rate limit info in the `RateLimit-*` headers
 legacyHeaders: false, // Disable the `X-RateLimit-*` headers
 handler: function (req, res /*next*/) {
@@ -15,7 +15,7 @@ export const loginLimiter = rateLimit({
 
 export const registerLimiter = rateLimit({
 windowMs: 60 * 60 * 1000, // 60 minutes
- max: 4,
+ max: 6,
 standardHeaders: true,
 legacyHeaders: false,
 handler: function (req, res) {
@@ -29,7 +29,7 @@ export const registerLimiter = rateLimit({
 
 export const resetPasswordLimiter = rateLimit({
 windowMs: 60 * 60 * 1000, // 60 minutes
- max: 4,
+ max: 6,
 standardHeaders: true,
 legacyHeaders: false,
 handler: function (req, res) {
@@ -57,7 +57,7 @@ export const forgotPasswordLimiter = rateLimit({
 
 export const resetPasswordWithTokenLimiter = rateLimit({
 windowMs: 60 * 60 * 1000, // 60 minutes
- max: 4,
+ max: 6,
 standardHeaders: true,
 legacyHeaders: false,
 handler: function (req, res) {

From 2ba0fb50f850ad3289ec7754230ecb309200245e Mon Sep 17 00:00:00 2001
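Review bot: The new `max: 6` is a bare literal repeated in four `rateLimit({...})` blocks (this hunk and the -15, -29 and -57 hunks), and the later "number fix" commit shows the cost of that: `forgotPasswordLimiter` stayed at `max: 4` until patch 3. Hoist the shared values once at the top of the file, e.g. `const ATTEMPT_WINDOW_MS = 60 * 60 * 1000;` and `const MAX_ATTEMPTS_PER_WINDOW = 6;`, and reference them from every limiter so the five stay in step. The commit message says only that the number was increased; a sentence on why six per hour per IP is the chosen budget for a login brute-force guard belongs either there or in a comment above the constant.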
From: Oskar Kocjan
Date: Fri, 23 Sep 2022 15:22:47 +0200
Subject: [PATCH 2/6] attempts reset on single-window-limiters for successfull requests, deleted skipping successfull attempts for signup and reset password link request

---
 verification/curator-service/api/src/controllers/auth.ts | 6 +++++-
 .../api/src/util/single-window-rate-limiters.ts | 2 --
 2 files changed, 5 insertions(+), 3 deletions(-)

diff --git a/verification/curator-service/api/src/controllers/auth.ts b/verification/curator-service/api/src/controllers/auth.ts
index 363e7134c..df7a856b3 100644
--- a/verification/curator-service/api/src/controllers/auth.ts
+++ b/verification/curator-service/api/src/controllers/auth.ts
@@ -282,7 +282,7 @@ export class AuthController {
 req.logIn(user, (err) => {
 if (err) return next(err);
 });
-
+ loginLimiter.resetKey(req.ip);
 res.status(200).json(user);
 },
 )(req, res, next);
@@ -475,6 +475,8 @@ export class AuthController {
 .json({ message: 'Old password is incorrect' });
 }
 
+ resetPasswordLimiter.resetKey(req.ip);
+
 updateFailedAttempts(
 currentUser._id,
 AttemptName.ResetPassword,
@@ -682,6 +684,8 @@ export class AuthController {
 // Send confirmation email to the user
 const user = result.value as IUser;
 
+ resetPasswordWithTokenLimiter.resetKey(req.ip);
+
 updateFailedAttempts(
 userId,
 AttemptName.ResetPasswordWithToken,
diff --git a/verification/curator-service/api/src/util/single-window-rate-limiters.ts b/verification/curator-service/api/src/util/single-window-rate-limiters.ts
index 8e4a7947e..eb1e119af 100644
--- a/verification/curator-service/api/src/util/single-window-rate-limiters.ts
+++ b/verification/curator-service/api/src/util/single-window-rate-limiters.ts
@@ -24,7 +24,6 @@ export const registerLimiter = rateLimit({
 'You sent too many requests. Please wait a while then try again',
 });
 },
- skipSuccessfulRequests: true,
 });
 
 export const resetPasswordLimiter = rateLimit({
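Review bot: `loginLimiter.resetKey(req.ip)` after `req.logIn(...)` clears the whole per-IP counter, not just the one successful request, so with the default `req.ip` keying a successful login from a shared address (NAT, corporate proxy) also discards failed attempts recorded against other accounts from that address, which weakens the guard exactly where it matters. The `skipSuccessfulRequests: true` option this series removes elsewhere only exempts the successful request and keeps prior failures counted, which is the safer shape for a brute-force limiter; if reset-on-success is really wanted, reset a per-account key rather than the IP key. The call also runs unconditionally before the `req.logIn` callback can report an error, so moving it inside that callback after `if (err) return next(err);` would keep a failed session establishment from resetting the limiter (the `res.status(200)` line shares this pre-existing ordering). The same pattern appears in the -475 and -682 hunks for `resetPasswordLimiter` and `resetPasswordWithTokenLimiter`, where the reset precedes `updateFailedAttempts(...)` whose outcome lies outside the hunk. All three enclosing `AuthController` handlers start and end outside their hunks.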
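Review bot: Dropping `skipSuccessfulRequests: true` makes successful sign-ups consume the `registerLimiter` budget (six per hour per IP after patch 1), and nothing in the file records that this is deliberate, so a one-line comment above `max:` such as `// successful sign-ups count too: the endpoint is abusable even when it succeeds` would keep the next reader from restoring the option. The same applies to the `forgotPasswordLimiter` hunk at -52 in the next part of this patch, where counting successful requests throttles outgoing reset-link mail. Unlike `loginLimiter`, neither of these limiters gets a `resetKey` call in `auth.ts`, and that difference between the two groups is worth a note as well.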
@@ -52,7 +51,6 @@ export const forgotPasswordLimiter = rateLimit({
 'You sent too many requests. Please wait a while then try again',
 });
 },
- skipSuccessfulRequests: true,
 });
 
 export const resetPasswordWithTokenLimiter = rateLimit({

From 2f438327b48fda9a8b9a2264fbe9147b49ba2fff Mon Sep 17 00:00:00 2001
From: Oskar Kocjan
Date: Mon, 26 Sep 2022 08:49:38 +0200
Subject: [PATCH 3/6] number fix

---
 .../curator-service/api/src/util/single-window-rate-limiters.ts | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/verification/curator-service/api/src/util/single-window-rate-limiters.ts b/verification/curator-service/api/src/util/single-window-rate-limiters.ts
index eb1e119af..f76aa67d3 100644
--- a/verification/curator-service/api/src/util/single-window-rate-limiters.ts
+++ b/verification/curator-service/api/src/util/single-window-rate-limiters.ts
@@ -42,7 +42,7 @@ export const resetPasswordLimiter = rateLimit({
 
 export const forgotPasswordLimiter = rateLimit({
 windowMs: 60 * 60 * 1000, // 60 minutes
- max: 4,
+ max: 6,
 standardHeaders: true,
 legacyHeaders: false,
 handler: function (req, res) {

From 0d547ef933bb35e12198f11f1570d9068cb27537 Mon Sep 17 00:00:00 2001
From: Oskar Kocjan
Date: Mon, 26 Sep 2022 12:37:56 +0200
Subject: [PATCH 4/6] updating comment

---
 .../curator-service/api/src/util/single-window-rate-limiters.ts | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/verification/curator-service/api/src/util/single-window-rate-limiters.ts b/verification/curator-service/api/src/util/single-window-rate-limiters.ts
index f76aa67d3..5af8f46e3 100644
--- a/verification/curator-service/api/src/util/single-window-rate-limiters.ts
+++ b/verification/curator-service/api/src/util/single-window-rate-limiters.ts
@@ -2,7 +2,7 @@ import rateLimit from 'express-rate-limit';
 
 export const loginLimiter = rateLimit({
 windowMs: 60 * 60 * 1000, // 60 minutes
- max: 6, // Limit each IP to 4 requests per `window` (here, per 20 minutes)
+ max: 6, // Limit each IP to 6 requests per `window` (here, per 60 minutes)
 standardHeaders: true, // Return rate limit info in the `RateLimit-*` headers
 legacyHeaders: false, // Disable the `X-RateLimit-*` headers
 handler: function (req, res /*next*/) {

From 43eb7b336f5b17b4a7677b52538b217a3c489753 Mon Sep 17 00:00:00 2001
From: Oskar Kocjan
Date: Mon, 26 Sep 2022 16:26:03 +0200
Subject: [PATCH 5/6] test fix

---
 .../ui/cypress/integration/components/LandingPage.spec.ts | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/verification/curator-service/ui/cypress/integration/components/LandingPage.spec.ts b/verification/curator-service/ui/cypress/integration/components/LandingPage.spec.ts
index ac094b28a..56147bc08 100644
--- a/verification/curator-service/ui/cypress/integration/components/LandingPage.spec.ts
+++ b/verification/curator-service/ui/cypress/integration/components/LandingPage.spec.ts
@@ -230,7 +230,7 @@ describe('LandingPage', function () {
 cy.contains('Sign in!').click();
 cy.get('#email').type('test@example.com');
 cy.get('#password').type('test');
- for (let i = 0; i < 5; i++) {
+ for (let i = 0; i < 7; i++) {
 // eslint-disable-next-line cypress/no-unnecessary-waiting
 cy.wait(1500);
 cy.get('button[data-testid="sign-in-button"]').click();

From 02c2b9b5c008501ac369305a2d6ce017bcb5739b Mon Sep 17 00:00:00 2001
From: Oskar Kocjan
Date: Mon, 26 Sep 2022 16:57:20 +0200
Subject: [PATCH 6/6] test fix 2

---
 .../ui/cypress/integration/components/LandingPage.spec.ts | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/verification/curator-service/ui/cypress/integration/components/LandingPage.spec.ts b/verification/curator-service/ui/cypress/integration/components/LandingPage.spec.ts
index 56147bc08..7743886d9 100644
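Review bot: The loop bound in `for (let i = 0; i < 7; i++)` silently encodes the server-side `max: 6` plus one, with nothing in the spec tying the two together, and having to fix the same bound twice in this series (this sign-in loop and the sign-up loop at -218 in the next patch) is the symptom. Name it once in the spec, e.g. `const rateLimitMaxAttempts = 6;` and loop with `for (let i = 0; i <= rateLimitMaxAttempts; i++)`, so the relation to the limiter is explicit and both tests move together. The `cy.wait(1500)` per iteration now adds over ten seconds of fixed sleep to each of the two tests; if the wait only exists to let the request settle, intercepting the request with `cy.intercept` and waiting on its alias would make the loop faster and deterministic, though the assertion that follows the loop is outside the hunk. The enclosing `it(...)` block starts and ends outside the hunk.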
--- a/verification/curator-service/ui/cypress/integration/components/LandingPage.spec.ts
+++ b/verification/curator-service/ui/cypress/integration/components/LandingPage.spec.ts
@@ -218,7 +218,7 @@ describe('LandingPage', function () {
 cy.get('#password').type('tT$5aaaaak');
 cy.get('#passwordConfirmation').type('tT$5aaaaak');
 cy.get('#isAgreementChecked').check();
- for (let i = 0; i < 5; i++) {
+ for (let i = 0; i < 7; i++) {
 // eslint-disable-next-line cypress/no-unnecessary-waiting
 cy.wait(1500);
 cy.get('button[data-testid="sign-up-button"]').click();