Use Privacy Access Tokens, CAPTCHA, and Rack to rate limit sign ins and sign ups

app/controllers/concerns/captcha_verifiable.rb

@@ -0,0 +1,37 @@
+module CaptchaVerifiable
+  extend ActiveSupport::Concern
+
+  private
+
+  def verified_captcha?
+    HcaptchaVerifier.call(captcha_response, request.remote_ip)
+  end
+
+  def create_catpcha_user(id: nil, user_params: nil)
+    session[:captcha_user] = if user_params
+                               user_params.to_h
+                             else
+                               id
+                             end
+  end
+
+  def user_from_captcha_user
+    User.find(session[:captcha_user])
+  end
+
+  def captcha_user_params_present?
+    session[:captcha_user].present? && session[:captcha_user].is_a?(Hash)
+  end
+
+  def user_params_from_captcha_user
+    session[:captcha_user].symbolize_keys
+  end
+
+  def delete_captcha_user_from_session
+    session.delete(:captcha_user)
+  end
+
+  def captcha_response
+    params.permit("h-captcha-response")["h-captcha-response"]
+  end
+end

app/controllers/concerns/privacy_pass_supportable.rb

@@ -0,0 +1,32 @@
+module PrivacyPassSupportable
+  extend ActiveSupport::Concern
+
+  private
+
+  def setup_privacy_pass_challenge
+    return unless privacy_pass_enabled?
+
+    tokenizer = PrivacyPassTokenizer.new
+    tokenizer.register_challenge_for_redemption(session.id)
+    challenge = tokenizer.challenge_token
+    response.set_header("WWW-Authenticate", "PrivateToken challenge=#{challenge}, token-key=#{PrivacyPassTokenizer.issuer_public_key}")
+  end
+
+  def valid_privacy_pass_redemption?
+    return false unless privacy_pass_enabled?
+    return session[:redeemed_privacy_pass] if session.key?(:redeemed_privacy_pass)
+
+    success = PrivacyPassRedeemer.call(request.headers["Authorization"], session.id)
+    session[:redeemed_privacy_pass] = success
+    success
+  end
+
+  def delete_privacy_pass_token_redemption
+    session.delete(:redeemed_privacy_pass)
+  end
+
+  def privacy_pass_enabled?
+    ld_context = LaunchDarkly::LDContext.with_key(self.class.name, "controller")
+    Rails.configuration.launch_darkly_client.variation("gemcutter.privacy_pass.enabled", ld_context, false)
+  end
+end

app/controllers/sessions_controller.rb

@@ -1,23 +1,22 @@
 class SessionsController < Clearance::SessionsController
   include MfaExpiryMethods
+  include CaptchaVerifiable
+  include PrivacyPassSupportable
 
   before_action :redirect_to_signin, unless: :signed_in?, only: %i[verify authenticate]
   before_action :redirect_to_new_mfa, if: :mfa_required_not_yet_enabled?, only: %i[verify authenticate]
   before_action :redirect_to_settings_strong_mfa_required, if: :mfa_required_weak_level_enabled?, only: %i[verify authenticate]
   before_action :ensure_not_blocked, only: :create
+  before_action :present_privacy_pass_challenge, unless: :valid_privacy_pass_redemption?, only: :new
   after_action :delete_mfa_expiry_session, only: %i[webauthn_create mfa_create]
 
   def create
     @user = find_user
-
-    if @user && (@user.mfa_enabled? || @user.webauthn_credentials.any?)
-      setup_webauthn_authentication
-      setup_mfa_authentication
-
-      session[:mfa_login_started_at] = Time.now.utc.to_s
-      create_new_mfa_expiry
-
-      render "sessions/prompt"
+    if @user && !valid_privacy_pass_redemption? && HcaptchaVerifier.should_verify_sign_in?(who)
+      setup_captcha_verification
+      render "sessions/captcha"
+    elsif @user && (@user.mfa_enabled? || @user.webauthn_credentials.any?)
+      webauthn_and_mfa_new
     else
       do_login
     end
@@ -76,6 +75,18 @@ def mfa_create
     session.delete(:mfa_login_started_at)
   end
 
+  def captcha_create
+    if verified_captcha?
+      @user = user_from_captcha_user
+      delete_captcha_user_from_session
+      should_mfa = @user && (@user.mfa_enabled? || @user.webauthn_credentials.any?)
+
+      should_mfa ? webauthn_and_mfa_new : do_login
+    else
+      login_failure(t("captcha.invalid"))
+    end
+  end
+
   def verify
   end
 
@@ -100,10 +111,21 @@ def verify_password_params
     params.require(:verify_password).permit(:password)
   end
 
+  def webauthn_and_mfa_new
+    setup_webauthn_authentication
+    setup_mfa_authentication
+
+    session[:mfa_login_started_at] = Time.now.utc.to_s
+    create_new_mfa_expiry
+
+    render "sessions/prompt"
+  end
+
   def do_login
     sign_in(@user) do |status|
       if status.success?
         StatsD.increment "login.success"
+        delete_privacy_pass_token_redemption
         redirect_back_or(url_after_create)
       else
         login_failure(status.failure_message)
@@ -172,6 +194,16 @@ def setup_mfa_authentication
     session[:mfa_user] = @user.id
   end
 
+  def setup_captcha_verification
+    create_catpcha_user(id: @user.id)
+  end
+
+  def present_privacy_pass_challenge
+    setup_privacy_pass_challenge
+    status = privacy_pass_enabled? ? :unauthorized : :ok
+    render "sessions/new", status: status
+  end
+
   def login_conditions_met?
     @user&.mfa_enabled? && @user&.otp_verified?(params[:otp]) && session_active?
   end

app/controllers/users_controller.rb

@@ -1,22 +1,61 @@
 class UsersController < Clearance::UsersController
+  include CaptchaVerifiable
+  include PrivacyPassSupportable
+
+  before_action :present_privacy_pass_challenge, unless: :valid_privacy_pass_redemption?, only: :new
+
   def new
     @user = user_from_params
   end
 
   def create
     @user = user_from_params
-    if @user.save
-      Mailer.email_confirmation(@user).deliver_later
-      flash[:notice] = t(".email_sent")
-      redirect_back_or url_after_create
+    render template: "users/new" and return unless @user.valid?
+    if !valid_privacy_pass_redemption? && HcaptchaVerifier.should_verify_sign_up?(request.remote_ip)
+      setup_captcha_verification
+      render "users/captcha"
+    elsif @user.save
+      handle_user_after_save
+    else
+      render template: "users/new"
+    end
+  end
+
+  def captcha_create
+    @user = user_from_params
+    verified = verified_captcha?
+    if verified && @user.save
+      handle_user_after_save
+      delete_captcha_user_from_session
     else
+      flash[:notice] = t("captcha.invalid") unless verified
       render template: "users/new"
     end
   end
 
   private
 
+  def handle_user_after_save
+    Mailer.email_confirmation(@user).deliver_later
+    flash[:notice] = t("users.create.email_sent")
+    delete_privacy_pass_token_redemption
+    redirect_back_or url_after_create
+  end
+
+  def setup_captcha_verification
+    create_catpcha_user(user_params: user_params)
+  end
+
+  def present_privacy_pass_challenge
+    @user = user_from_params
+    setup_privacy_pass_challenge
+    status = privacy_pass_enabled? ? :unauthorized : :ok
+    render "users/new", status: status
+  end
+
   def user_params
-    params.permit(user: Array(User::PERMITTED_ATTRS)).fetch(:user, {})
+    @user_params = params.permit(user: Array(User::PERMITTED_ATTRS)).fetch(:user, {})
+    @user_params = user_params_from_captcha_user if @user_params.empty? && captcha_user_params_present?
+    @user_params
   end
 end

app/helpers/hcaptcha_helper.rb

@@ -0,0 +1,5 @@
+module HcaptchaHelper
+  def hcaptcha_site_key
+    Rails.application.secrets.hcaptcha_site_key
+  end
+end

app/views/sessions/captcha.html.erb

@@ -0,0 +1,15 @@
+<script src="https://js.hcaptcha.com/1/api.js" async defer></script>
+<% @title = t('captcha.verification') %>
+
+<div class="mfa__container">
+  <div class="mfa__option">
+    <%= form_tag captcha_create_session_path, method: :post, class: "mfa-form" do %>
+      <div class="h-captcha" data-sitekey="<%= hcaptcha_site_key %>"></div>
+      <div class="form_bottom">
+        <%= submit_tag t('captcha.submit'), data: { disable_with: t('form_disable_with') }, class: 'form__submit' %>
+      </div>
+    <% end %>
+  </div>
+</div>
+
+

app/views/users/captcha.html.erb

@@ -0,0 +1,9 @@
+<script src="https://js.hcaptcha.com/1/api.js" async defer></script>
+<% @title = t('captcha.verification') %>
+
+<%= form_tag captcha_create_user_path, method: :post do %>
+  <div class="h-captcha" data-sitekey="<%= hcaptcha_site_key %>"></div>
+  <%= submit_tag t('captcha.submit'), data: { disable_with: t('form_disable_with') }, class: 'form__submit' %>
+<% end %>
+
+

config/deploy/production/secrets.ejson

@@ -30,7 +30,9 @@
         "datadog_csp_api_key": "EJ[1:MJLOVnheQZD8mqT8Q5xlN8u6Qd9eH4sbO1kcsg/TTR4=:0eAj1g7msiS86qexeMNsWU+1vy3pXSKK:4YT1qDTiBirwkNsbNdhN90lPlF51qiMNChue7uMpEYuAiKTI3TnwOWJd7sk0PmARVsIn]",
         "hook_relay_account_id": "EJ[1:Px+UVqbFzeNGqkAlgQ9Vz00tXWKza1XmLLHD/iQT5wM=:JsT1PTsSpMaxE0FV7ODyJ5E1FQAzv9v/:tMUgIFIUJH+WhT+kHS5pne5Uw9qvdLqLd2aAfJ9EehzIYpH6Bl6EQg==]",
         "hook_relay_hook_id": "EJ[1:Px+UVqbFzeNGqkAlgQ9Vz00tXWKza1XmLLHD/iQT5wM=:Vt1tMd8/9ZhSHL80yrWIWUy2wMOh8Iqt:MUwOcVrjWl7i8RRNg68Sb/Fa+RYsLL54yc+adRK84i5jWWa9fmSgRg==]",
-        "launch_darkly_sdk_key": "EJ[1:RM2yVm4yMZPQR0lgPaM4pw8dBEvD3rts+nLnn9E7ZRs=:mR2ODNG9w0B71T5ivgrKahW0vm5QDWjv:NQTLulKnLIbRtmxOXUWM1LVQ3sJzoB9C6eslf6Y8WHYJJTWeuTgfRvpcQraZf0rC+eE/guR2d/U=]"
+        "launch_darkly_sdk_key": "EJ[1:RM2yVm4yMZPQR0lgPaM4pw8dBEvD3rts+nLnn9E7ZRs=:mR2ODNG9w0B71T5ivgrKahW0vm5QDWjv:NQTLulKnLIbRtmxOXUWM1LVQ3sJzoB9C6eslf6Y8WHYJJTWeuTgfRvpcQraZf0rC+eE/guR2d/U=]",
+        "hcaptcha_site_key": "EJ[1:GxA7d6SAg1+14PhKoqY92Iuib4LFE7z3XC6q6TmTdTc=:7cKJMCC2pivG1YQfK+2MWzXla516/WPQ:e9Rs1KmgZ8tswaaGpu6ZHm5k31JGFx5Sa6KchDq77Hhwadc1hSuWBh/SMK29Izsa/zWpnA==]",
+        "hcaptcha_secret": "EJ[1:GxA7d6SAg1+14PhKoqY92Iuib4LFE7z3XC6q6TmTdTc=:z3+lerodhE7cWBYVuw9PgEHMt6Cr0Nv7:tnypqluf/JcKjGdkFwTasLGVMTfxvVT9SzWnv2G4roBfCSsdD2Q4ycKnKFyj8i+RzLf8BsltjCyoWA==]"
       }
     }
   }

config/deploy/staging/secrets.ejson

@@ -30,7 +30,9 @@
         "datadog_csp_api_key": "EJ[1:M1xidXJHz2i/vKthLOnwYbEnkFjYneq+d6Ryj6TXdFQ=:fxMZfI3MptOYF/hXcrnrWK/SDTU1SzZC:Gn807pB1wSTTNIyTJ5cpGCvN5+vplIZUxi/a8/s+UFDJE52zeM5KyhvmK6f0J8mDa2vh]",
         "hook_relay_account_id": "EJ[1:JT93bSSDxXR0tIyvuhE4hVVEav3DdVDYtCuhLTlwwUw=:OUkdjS28VFFsXWnK0c2zBubgen83JLIZ:r9s3A3e3UuNrYRelD3HzIKsNvEGlGhvKmZayZt7wZGHrxB+yTb8gQQ==]",
         "hook_relay_hook_id": "EJ[1:JT93bSSDxXR0tIyvuhE4hVVEav3DdVDYtCuhLTlwwUw=:n1YqUGXM5FdcwoAJjIXXgHxWqiF/voeL:sj7Gbn405v2hw4CKkU6N7Fhgb3J/5RnrAZpp+Xcn61ZTNJq0qFXBiA==]",
-        "launch_darkly_sdk_key": "EJ[1:4JArBqOhUkobGC64JyCBRb/ceJYjVQ0E0EA3xMzo1mQ=:aBhPiBN5Tw168oFguBxtcehteIzHlRi4:bKn0Qxs1fdJklK0SVA0ngAg9C1lMWtaXnh/HP9ohYd6tu1vLvjhj7svdRVVugeKaXm/+Dslf+E8=]"
+        "launch_darkly_sdk_key": "EJ[1:4JArBqOhUkobGC64JyCBRb/ceJYjVQ0E0EA3xMzo1mQ=:aBhPiBN5Tw168oFguBxtcehteIzHlRi4:bKn0Qxs1fdJklK0SVA0ngAg9C1lMWtaXnh/HP9ohYd6tu1vLvjhj7svdRVVugeKaXm/+Dslf+E8=]",
+        "hcaptcha_site_key": "EJ[1:3EizOQsxA5KO7RtgDfeNZlzZZLq15TLCDuMZ9k/we38=:3byruZUtIMoJVrfX2faBwJyWEKrfiuGv:Vs+meAbSYuYgqckEg89TA/Jb5LKoSq1CY+/6gLrT1Gog7EY+GWipKsmXRm4qzHYQiANeHw==]",
+        "hcaptcha_secret": "EJ[1:3EizOQsxA5KO7RtgDfeNZlzZZLq15TLCDuMZ9k/we38=:FMHaYtI1/GTb0iod68At+h9fX6Q4QEh7:X00sJDfMcCtcTAE70UQLlhWFzJFb+8UJGlH9gQITwZH9uSMw7ARC40Av2CED2WN99KHCuOltD+d5QQ==]"
       }
     },
     "nginx-basic-auth": {

config/deploy/web.yaml.erb

@@ -191,6 +191,26 @@ spec:
               secretKeyRef:
                 name: <%= environment %>
                 key: launch_darkly_sdk_key
+          - name: HCAPTCHA_SITE_KEY
+            valueFrom:
+              secretKeyRef:
+                name: <%= environment %>
+                key: hcaptcha_site_key
+          - name: HCAPTCHA_SECRET
+            valueFrom:
+              secretKeyRef:
+                name: <%= environment %>
+                key: hcaptcha_secret
+          # - name: PRIVACY_PASS_ISSUER_PUBLIC_KEY
+          #   valueFrom:
+          #     secretKeyRef:
+          #       name: <%= environment %>
+          #       key: privacy_pass_issuer_public_key
+          # - name: PRIVACY_PASS_ISSUER_NAME
+          #   valueFrom:
+          #     secretKeyRef:
+          #       name: <%= environment %>
+          #       key: privacy_pass_issuer_name
           <% if environment == 'staging' %>
           - name: DISABLE_SIGNUP
             value: "true"

config/initializers/content_security_policy.rb

@@ -10,11 +10,13 @@
   policy.img_src     :self, "https://secure.gaug.es", "https://gravatar.com", "https://www.gravatar.com", "https://secure.gravatar.com",
     "https://*.fastly-insights.com", "https://avatars.githubusercontent.com"
   policy.object_src  :none
-  policy.script_src  :self, "https://secure.gaug.es", "https://www.fastly-insights.com"
-  policy.style_src   :self, "https://fonts.googleapis.com"
-  policy.connect_src :self, "https://s3-us-west-2.amazonaws.com/rubygems-dumps/", "https://*.fastly-insights.com", "https://fastly-insights.com", "https://api.github.com"
+  policy.script_src  :self, "https://secure.gaug.es", "https://www.fastly-insights.com", "https://hcaptcha.com", "https://*.hcaptcha.com"
+  policy.style_src   :self, "https://fonts.googleapis.com", "https://hcaptcha.com", "https://*.hcaptcha.com"
+  policy.connect_src :self, "https://s3-us-west-2.amazonaws.com/rubygems-dumps/", "https://*.fastly-insights.com", "https://fastly-insights.com",
+    "https://api.github.com", "https://hcaptcha.com", "https://*.hcaptcha.com"
   policy.form_action :self, "https://github.com/login/oauth/authorize"
   policy.frame_ancestors :self
+  policy.frame_src :self, "https://hcaptcha.com", "https://*.hcaptcha.com"
 
   # Specify URI for violation reports
   policy.report_uri lambda {

config/initializers/rack_attack.rb

@@ -11,6 +11,12 @@ class Rack::Attack
   EXP_BACKOFF_LEVELS = [1, 2].freeze
   PUSH_EXP_THROTTLE_KEY = "api/exp/push/ip".freeze
   PUSH_THROTTLE_PER_USER_KEY = "api/exp/push/user".freeze
+  SIGN_UP_THROTTLE_PER_IP_KEY = "sign_up/ip".freeze
+  SIGN_UP_LIMIT = 50
+  SIGN_UP_LIMIT_PERIOD = 1.hour
+  LOGIN_THROTTLE_PER_USER_KEY = "logins/handle".freeze
+  LOGIN_LIMIT = 15
+  LOGIN_LIMIT_PERIOD = 1.hour
 
   ### Prevent Brute-Force Login Attacks ###
 
@@ -171,11 +177,17 @@ def self.api_hashed_key(req)
   # on wood!)
   protected_sessions_action = [{ controller: "sessions", action: "create" }]
 
-  throttle("logins/handle", limit: REQUEST_LIMIT, period: LIMIT_PERIOD) do |req|
+  throttle(LOGIN_THROTTLE_PER_USER_KEY, limit: LOGIN_LIMIT, period: LOGIN_LIMIT_PERIOD) do |req|
     protected_route = protected_route?(protected_sessions_action, req.path, req.request_method)
     User.normalize_email(req.params['session']['who']).presence if protected_route && req.params['session']
   end
 
+  protected_sign_ups_action = [{ controller: "users", action: "create" }]
+
+  throttle(SIGN_UP_THROTTLE_PER_IP_KEY, limit: SIGN_UP_LIMIT, period: SIGN_UP_LIMIT_PERIOD) do |req|
+    req.ip if protected_route?(protected_sign_ups_action, req.path, req.request_method)
+  end
+
   throttle("api_key/basic_auth", limit: REQUEST_LIMIT, period: LIMIT_PERIOD) do |req|
     if protected_route?(protected_api_key_actions, req.path, req.request_method)
       action_dispatch_req = ActionDispatch::Request.new(req.env)

config/locales/de.yml

@@ -103,6 +103,10 @@ de:
       invalid_key:
     all_gems:
     gem_ownership_removed:
+  captcha:
+    verification:
+    submit:
+    invalid:
   clearance_mailer:
     change_password:
       title:

config/locales/en.yml

@@ -112,6 +112,10 @@ en:
       invalid_key: An invalid API key cannot be edited. Please delete it and create a new one.
     all_gems: All Gems
     gem_ownership_removed: Ownership of %{rubygem_name} has been removed after being scoped to this key.
+  captcha:
+    verification: Verify you're human
+    submit: Verify
+    invalid: Unable to verify CAPTCHA
   clearance_mailer:
     change_password:
       title: CHANGE PASSWORD

config/locales/es.yml

@@ -114,6 +114,10 @@ es:
       invalid_key:
     all_gems:
     gem_ownership_removed:
+  captcha:
+    verification:
+    submit:
+    invalid:
   clearance_mailer:
     change_password:
       title: CAMBIAR CONTRASEÑA