Add minimal anti-bruteforce measures

trilitech · Oct 21, 2024 · ce6af87 · ce6af87
1 parent ae08e86
commit ce6af87
Show file tree

Hide file tree

Showing 6 changed files with 69 additions and 9 deletions.
diff --git a/packages/crypto/jest.config.ts b/packages/crypto/jest.config.ts
@@ -4,8 +4,8 @@ import type { Config } from "jest";
 const config: Config = {
  ...baseConfig,
 
- testEnvironment: "node",
  testTimeout: 10000,
  rootDir: "./",
+ setupFilesAfterEnv: ["<rootDir>/src/setupTests.ts"],
 };
 export default config;
diff --git a/packages/crypto/package.json b/packages/crypto/package.json
@@ -58,6 +58,7 @@
  ]
  },
  "dependencies": {
- "@taquito/utils": "^20.0.1"
+ "@taquito/utils": "^20.0.1",
+ "date-fns": "^4.1.0"
  }
 }
diff --git a/packages/crypto/src/AES.test.ts b/packages/crypto/src/AES.test.ts
@@ -1,6 +1,6 @@
 import { mnemonic1, recoveredPhrases, umamiBackup } from "@umami/test-utils";
 
-import { decrypt, encrypt } from "./AES";
+import { TOO_MANY_ATTEMPTS_ERROR, decrypt, encrypt } from "./AES";
 
 const password = "password";
 
@@ -14,7 +14,7 @@ describe("AES", () => {
  expect(decrypted).toEqual(mnemonic1);
  });
 
- it("decryption restores mnemonic from v1 backup file", async () => {
+ it("decrypts from v1 backup file", async () => {
  for (let i = 0; i < umamiBackup.recoveryPhrases.length; i++) {
  const encrypted = umamiBackup.recoveryPhrases[i];
  const expected = recoveredPhrases[i];
@@ -29,16 +29,24 @@ describe("AES", () => {
  await expect(decrypt(encrypted, password, "V1")).rejects.toThrow(DECRYPTION_ERROR_MESSAGE);
  });
 
- it("decryption fails with cyclic password", async () => {
+ it("fails the decryption with cyclic password", async () => {
  // Used to work in V1. Now it fails.
  const encrypted = await encrypt(mnemonic1, "abc");
 
  await expect(decrypt(encrypted, "abcabc")).rejects.toThrow(DECRYPTION_ERROR_MESSAGE);
  });
 
- it("decryption fails with wrong password", async () => {
+ it("fails the decryption with wrong password", async () => {
  const encrypted = await encrypt(mnemonic1, password);
 
  await expect(decrypt(encrypted, `wrong ${password}`)).rejects.toThrow(DECRYPTION_ERROR_MESSAGE);
  });
+
+ it("throws too many attempts error", async () => {
+ const encrypted = await encrypt(mnemonic1, password);
+ for (let i = 0; i < 3; i++) {
+ await expect(decrypt(encrypted, "wrong password")).rejects.toThrow(DECRYPTION_ERROR_MESSAGE);
+ }
+ await expect(decrypt(encrypted, "wrong password")).rejects.toThrow(TOO_MANY_ATTEMPTS_ERROR);
+ });
 });
diff --git a/packages/crypto/src/AES.ts b/packages/crypto/src/AES.ts
@@ -1,4 +1,5 @@
 import { buf2hex, hex2Bytes } from "@taquito/utils";
+import { differenceInMinutes } from "date-fns";
 
 import { AES_MODE } from "./AES_MODE";
 import { derivePasswordBasedKeyV1, derivePasswordBasedKeyV2 } from "./KDF";
@@ -33,13 +34,25 @@ export const encrypt = async (data: string, password: string): Promise<Encrypted
 
 type DecryptMode = "V1" | "V2";
 
+export const TOO_MANY_ATTEMPTS_ERROR =
+ "Too many unsuccessful attempts. Please wait a few minutes before trying again.";
+
 export const decrypt = async (
  data: EncryptedData,
  password: string,
  mode: DecryptMode = "V2"
 ): Promise<string> => {
  const { iv, salt, data: encrypted } = data;
  try {
+ if (getAttemptsCount() >= 3) {
+ const minutesSinceLastAttempt = differenceInMinutes(
+ new Date(),
+ new Date(localStorage.getItem("failedDecryptTime")!)
+ );
+ if (minutesSinceLastAttempt < 5) {
+ throw new Error(TOO_MANY_ATTEMPTS_ERROR);
+ }
+ }
  const derivedKey =
  mode === "V2"
  ? await derivePasswordBasedKeyV2(password, hex2Bytes(salt))
@@ -52,8 +65,18 @@ export const decrypt = async (
  derivedKey,
  hex2Bytes(encrypted)
  );
+ setAttemptsCount(0);
+ localStorage.removeItem("failedDecryptTime");
  return Buffer.from(decrypted).toString("utf-8");
- } catch (_) {
+ } catch (err: any) {
+ if (err?.message === TOO_MANY_ATTEMPTS_ERROR) {
+ throw err;
+ }
+ setAttemptsCount(getAttemptsCount() + 1);
+ localStorage.setItem("failedDecryptTime", new Date().toISOString());
  throw new Error("Error decrypting data: Invalid password");
  }
 };
+
+const getAttemptsCount = () => Number(localStorage.getItem("passwordAttempts") || 0);
+const setAttemptsCount = (count: number) => localStorage.setItem("passwordAttempts", String(count));
diff --git a/packages/crypto/src/setupTests.ts b/packages/crypto/src/setupTests.ts
@@ -0,0 +1,25 @@
+import { webcrypto } from "crypto";
+
+Object.defineProperties(global, {
+ crypto: { value: webcrypto, writable: true },
+});
+
+const mockLocalStorage = () => {
+ const store: { [key: string]: string } = {};
+
+ return {
+ getItem: (key: string) => store[key] || null,
+ setItem: (key: string, value: string) => {
+ store[key] = value.toString();
+ },
+ removeItem: (key: string) => {
+ delete store[key];
+ },
+ };
+};
+
+beforeEach(() => {
+ Object.defineProperty(window, "localStorage", {
+ value: mockLocalStorage(),
+ });
+});
diff --git a/pnpm-lock.yaml b/pnpm-lock.yaml