chore: adding rate limit on device account creation

GaloyMoney · Nov 18, 2023 · 3469677 · 3469677
1 parent 09de196
commit 3469677
Show file tree

Hide file tree

Showing 12 changed files with 71 additions and 18 deletions.
diff --git a/core/api/dev/ory/oathkeeper.yml b/core/api/dev/ory/oathkeeper.yml
@@ -73,6 +73,12 @@ mutators:
   noop:
     enabled: true
 
+  header:
+    enabled: true
+    config:
+      headers:
+        X-User: "{{ print .Subject }}"
+
 errors:
   fallback:
     - json

diff --git a/core/api/src/config/schema.ts b/core/api/src/config/schema.ts
@@ -263,6 +263,7 @@ export const configSchema = {
         invoiceCreateAttempt: rateLimitConfigSchema,
         invoiceCreateForRecipientAttempt: rateLimitConfigSchema,
         onChainAddressCreateAttempt: rateLimitConfigSchema,
+        deviceAccountCreateAttempt: rateLimitConfigSchema,
       },
       required: [
         "requestCodePerLoginIdentifier",
@@ -272,6 +273,7 @@ export const configSchema = {
         "invoiceCreateAttempt",
         "invoiceCreateForRecipientAttempt",
         "onChainAddressCreateAttempt",
+        "deviceAccountCreateAttempt",
       ],
       additionalProperties: false,
       default: {
@@ -310,6 +312,11 @@ export const configSchema = {
           duration: 3600,
           blockDuration: 14400,
         },
+        deviceAccountCreateAttempt: {
+          points: 1,
+          duration: 86400,
+          blockDuration: 86400,
+        },
       },
     },
     accounts: {

diff --git a/core/api/src/config/schema.types.d.ts b/core/api/src/config/schema.types.d.ts
@@ -77,6 +77,7 @@ type YamlSchema = {
     invoiceCreateAttempt: RateLimitInput
     invoiceCreateForRecipientAttempt: RateLimitInput
     onChainAddressCreateAttempt: RateLimitInput
+    deviceAccountCreateAttempt: RateLimitInput
   }
   accounts: {
     initialStatus: string

diff --git a/core/api/src/config/yaml.ts b/core/api/src/config/yaml.ts
@@ -206,6 +206,9 @@ export const getInvoiceCreateForRecipientAttemptLimits = () =>
 export const getOnChainAddressCreateAttemptLimits = () =>
   getRateLimits(yamlConfig.rateLimits.onChainAddressCreateAttempt)
 
+export const getDeviceAccountCreateAttemptLimits = () =>
+  getRateLimits(yamlConfig.rateLimits.deviceAccountCreateAttempt)
+
 export const getOnChainWalletConfig = () => ({
   dustThreshold: yamlConfig.onChainWallet.dustThreshold,
 })

diff --git a/core/api/src/domain/authentication/index.types.d.ts b/core/api/src/domain/authentication/index.types.d.ts
@@ -1,4 +1,5 @@
 type SessionId = string & { readonly brand: unique symbol }
+type AppcheckJti = string & { readonly brand: unique symbol }
 
 type AuthenticationError = import("./errors").AuthenticationError
 

diff --git a/core/api/src/domain/rate-limit/errors.ts b/core/api/src/domain/rate-limit/errors.ts
@@ -16,3 +16,4 @@ export class UserLoginIdentifierRateLimiterExceededError extends RateLimiterExce
 export class InvoiceCreateRateLimiterExceededError extends RateLimiterExceededError {}
 export class InvoiceCreateForRecipientRateLimiterExceededError extends RateLimiterExceededError {}
 export class OnChainAddressCreateRateLimiterExceededError extends RateLimiterExceededError {}
+export class DeviceAccountCreateRateLimiterExceededError extends RateLimiterExceededError {}
diff --git a/core/api/src/domain/rate-limit/index.ts b/core/api/src/domain/rate-limit/index.ts
@@ -6,9 +6,11 @@ import {
   UserLoginIdentifierRateLimiterExceededError,
   UserCodeAttemptIpRateLimiterExceededError,
   UserCodeAttemptIdentifierRateLimiterExceededError,
+  DeviceAccountCreateRateLimiterExceededError,
 } from "./errors"
 
 import {
+  getDeviceAccountCreateAttemptLimits,
   getFailedLoginAttemptPerIpLimits,
   getFailedLoginAttemptPerLoginIdentifierLimits,
   getInvoiceCreateAttemptLimits,
@@ -26,9 +28,12 @@ export const RateLimitPrefix = {
   invoiceCreate: "invoice_create",
   invoiceCreateForRecipient: "invoice_create_for_recipient",
   onChainAddressCreate: "onchain_address_create",
+  deviceAccountCreate: "device_account_create",
 } as const
 
-export const RateLimitConfig: { [key: string]: RateLimitConfig } = {
+type RateLimitPrefixKey = keyof typeof RateLimitPrefix
+
+export const RateLimitConfig: { [key in RateLimitPrefixKey]: RateLimitConfig } = {
   requestCodeAttemptPerLoginIdentifier: {
     key: RateLimitPrefix.requestCodeAttemptPerLoginIdentifier,
     limits: getRequestCodePerLoginIdentifierLimits(),
@@ -64,4 +69,9 @@ export const RateLimitConfig: { [key: string]: RateLimitConfig } = {
     limits: getOnChainAddressCreateAttemptLimits(),
     error: OnChainAddressCreateRateLimiterExceededError,
   },
+  deviceAccountCreate: {
+    key: RateLimitPrefix.deviceAccountCreate,
+    limits: getDeviceAccountCreateAttemptLimits(),
+    error: DeviceAccountCreateRateLimiterExceededError,
+  },
 }
diff --git a/core/api/src/graphql/error-map.ts b/core/api/src/graphql/error-map.ts
@@ -213,6 +213,10 @@ export const mapError = (error: ApplicationError): CustomGraphQLError => {
         "Too many onchain addresses creation, please wait for a while and try again."
       return new TooManyRequestError({ message, logger: baseLogger })
 
+    case "DeviceAccountCreateRateLimiterExceededError":
+      message = "Too many device account creation, please wait for a while and try again."
+      return new TooManyRequestError({ message, logger: baseLogger })
+
     case "UserCodeAttemptIdentifierRateLimiterExceededError":
       message = "Too many request code attempts, please wait for a while and try again."
       return new TooManyRequestError({ message, logger: baseLogger })

diff --git a/core/api/src/servers/authentication/index.ts b/core/api/src/servers/authentication/index.ts
@@ -39,9 +39,14 @@ import {
   EmailValidationSubmittedTooOftenError,
 } from "@/domain/authentication/errors"
 
-import { UserLoginIpRateLimiterExceededError } from "@/domain/rate-limit/errors"
+import {
+  RateLimiterExceededError,
+  UserLoginIpRateLimiterExceededError,
+} from "@/domain/rate-limit/errors"
 
 import { registerCaptchaGeetest } from "@/app/captcha"
+import { consumeLimiter } from "@/services/rate-limit"
+import { RateLimitConfig } from "@/domain/rate-limit"
 
 const authRouter = express.Router({ caseSensitive: true })
 
@@ -75,6 +80,19 @@ authRouter.use((req: Request, res: Response, next: NextFunction) => {
 })
 
 authRouter.post("/create/device-account", async (req: Request, res: Response) => {
+  const appcheckJti = req.headers["x-appcheck-jti"]
+  if (!appcheckJti || typeof appcheckJti !== "string" || appcheckJti === "") {
+    return res.status(400).send({ error: "missing or invalid appcheck jti" })
+  }
+
+  const check = await checkDeviceLoginAttemptPerAppcheckJtiLimits(
+    appcheckJti as AppcheckJti,
+  )
+
+  if (check instanceof Error) {
+    return res.status(429).send({ error: "too many requests" })
+  }
+
   const ip = req.originalIp
   const user = basicAuth(req)
 
@@ -320,3 +338,11 @@ authRouter.post("/phone/login", async (req: Request, res: Response) => {
 })
 
 export default authRouter
+
+const checkDeviceLoginAttemptPerAppcheckJtiLimits = async (
+  appcheckJti: AppcheckJti,
+): Promise<true | RateLimiterExceededError> =>
+  consumeLimiter({
+    rateLimitConfig: RateLimitConfig.deviceAccountCreate,
+    keyToConsume: appcheckJti,
+  })
diff --git a/core/api/src/services/rate-limit/index.ts b/core/api/src/services/rate-limit/index.ts
@@ -50,7 +50,7 @@ export const consumeLimiter = async ({
   keyToConsume,
 }: {
   rateLimitConfig: RateLimitConfig
-  keyToConsume: IpAddress | LoginIdentifier | AccountId | ""
+  keyToConsume: IpAddress | LoginIdentifier | AccountId | AppcheckJti | ""
 }) => {
   const limiter = RedisRateLimitService({
     keyPrefix: rateLimitConfig.key,

diff --git a/dev/config/ory/oathkeeper.yml b/dev/config/ory/oathkeeper.yml
@@ -74,6 +74,9 @@ mutators:
   noop:
     enabled: true
 
+  header:
+    enabled: true
+
 errors:
   fallback:
     - json

diff --git a/dev/config/ory/oathkeeper_rules.yaml b/dev/config/ory/oathkeeper_rules.yaml
@@ -2,21 +2,8 @@
   upstream:
     url: "http://bats-tests:4012"
   match:
-    url: "<(http|https)>://<[a-zA-Z0-9-.:]+>/auth/<(clearCookies|login|logout|email/code|email/login|totp/validate|email/login/cookie|phone/captcha|phone/code|phone/login)>"
+    url: "<(http|https)>://<[a-zA-Z0-9-.:]+>/auth/<.*>"
     methods: ["GET", "POST", "OPTIONS"]
-  authenticators:
-    - handler: anonymous
-  authorizer:
-    handler: allow
-  mutators:
-    - handler: noop
-
-- id: device-login
-  upstream:
-    url: "http://bats-tests:4012"
-  match:
-    url: "<(http|https)>://<[a-zA-Z0-9-.:]+>/auth/create/device-account"
-    methods: ["POST"]
   authenticators:
     - handler: jwt
       config:
@@ -29,10 +16,14 @@
           - file:///home/ory/jwks.json # ONLY FOR DEV, DO NOT USE IN PRODUCTION
         token_from:
           header: Appcheck
+    - handler: anonymous
   authorizer:
     handler: allow
   mutators:
-    - handler: noop
+    - handler: header
+      config:
+        headers:
+          X-Appcheck-Jti: "{{ print .Extra.jti }}"
 
 - id: galoy-ws
   upstream:
-Original file line number
+Diff line change
@@ Expand Up / @@ -74,6 +74,9 @@ mutators: @@
       noop:
         enabled: true
+      header:
+        enabled: true
     errors:
       fallback:
         - json
@@ Expand Down @@