Inclusively cover account level probationary status using limiter values (#2076)

* Should provide additional protection from IP surfing.
* Move limiter settings to settings JSON for ease of multiple import.
* Use the earliest possible detected `now`.
* Some console logging.

Post #1893 and Applies to #2074 and Closes #2075

Auto-merge

Author: Martii

controllers/auth.js

@@ -8,13 +8,17 @@ var isDbg = require('../libs/debug').isDbg;
 //
 
 //--- Dependency inclusions
+var moment = require('moment');
 var passport = require('passport');
 var colors = require('ansi-colors');
 
 //--- Model inclusions
 var Strategy = require('../models/strategy.js').Strategy;
 var User = require('../models/user').User;
 
+//--- Configuration inclusions
+var settings = require('../models/settings.json');
+
 //--- Controller inclusions
 
 //--- Library inclusions
@@ -423,6 +427,12 @@ exports.callback = function (aReq, aRes, aNext) {
 
     aReq.logIn(aUser, function (aErr) {
       var now = null;
+      var lastAuthed = null;
+
+      var fudgeMin = settings.fudgeMin;
+      var fudgeSec = settings.fudgeSec;
+
+      var waitAuthCapMin = isDev ? settings.waitAuthCapMin.dev: settings.waitAuthCapMin.pro;
 
       if (aErr) {
         console.error('Not logged in');
@@ -447,6 +457,52 @@ exports.callback = function (aReq, aRes, aNext) {
         now.toISOString()
       );
 
+      lastAuthed = aUser.authed;
+
+      // Save the last date a user sucessfully logged in
+      aUser.authed = now;
+
+      // Check probationary status vs lastAuthed for alt IP circumvention prevention
+      if (aUser._probationary && lastAuthed) {
+        if (!moment().isAfter(moment(lastAuthed).add(waitAuthCapMin, 'minutes'))) {
+          aUser.save(function (aErr, aUser) {
+            if (aErr) {
+              // NOTE: A user could get back in quicker but still delayed from `authed`
+              console.error(
+                colors.red(
+                  'Probationary logged out failed to write current authentication date to aUser'),
+                aUser.name,
+                colors.red('at'),
+                aReq.connection.remoteAddress,
+                colors.red('on'),
+                now.toISOString()
+              );
+            }
+          });
+
+          console.log(
+            colors.red('Logged out probationary User'),
+            aUser.name,
+            colors.red('at'),
+            aReq.connection.remoteAddress,
+            colors.red('on'),
+            now.toISOString()
+          );
+
+          statusCodePage(aReq, aRes, aNext, {
+            statusCode: 429,
+            statusMessage: 'Too many requests.',
+            suppressNavigation: true,
+            isCustomView: true,
+            statusData: {
+              isListView: true,
+              retryAfter: waitAuthCapMin * 60 + (isDev ? fudgeSec : fudgeMin)
+            }
+          });
+          return;
+        }
+      }
+
       // Store the user info in the session
       aReq.session.user = aUser;
 
@@ -463,8 +519,6 @@ exports.callback = function (aReq, aRes, aNext) {
         aReq.session.passport.oujsOptions.strategy = strategy;
       }
 
-      // Save the last date a user sucessfully logged in
-      aUser.authed = new Date();
 
       // Save consent
       aUser.consented = true;

models/settings.json

@@ -28,7 +28,52 @@
   "charPreset": null
  },
 
- "NOTE": "Requires DB migration for changing below settings",
+ "NOTE1": "WATCHPOINT: ~60 second poll time in MongoDB",
+
+ "fudgeMin": 60,
+ "fudgeSec": 5,
+ "waitInstallCapMin": {
+  "dev": 1,
+  "pro": 60
+ },
+ "waitRateInstallSec": {
+  "dev": 30,
+  "pro": 60
+ },
+ "waitRateMetaSec": {
+  "dev": 30,
+  "pro": 60
+ },
+ "waitApiCapMin": {
+  "dev": 1,
+  "pro": 15
+ },
+ "waitAuthCapMin": {
+  "dev": 1,
+  "pro": 1440
+ },
+ "waitCaptchaCapMin": {
+  "dev": 1,
+  "pro": 1440
+ },
+ "waitListCapMin": {
+  "dev": 1,
+  "pro": 60
+ },
+ "waitListRateSec": {
+  "dev": 2,
+  "pro": 4
+ },
+ "waitListAnyQRateSec": {
+  "dev": 20,
+  "pro": 40
+ },
+ "waitListSameQCapMin": {
+  "dev": 5,
+  "pro": 15
+ },
+
+ "NOTE2": "Requires DB migration for changing below settings",
 
  "scriptSearchQueryStoreMaxDescription": 512,
  "scriptSearchQueryStoreMaxAbout": 256

routes.js

@@ -53,7 +53,7 @@ var statusTMR = function (aReq, aRes, aNext) {
 var fudgeMin = 60;
 var fudgeSec = 6;
 
-var waitInstallCapMin = isDev ? 1 : 60;
+var waitInstallCapMin = isDev ? settings.waitInstallCapMin.dev : settings.waitInstallCapMin.pro;
 var installCapLimiter = rateLimit({
   store: (isDev ? undefined : new MongoStore({
     uri: appendUrlLeaf(limiter, '/installCapLimiter'),
@@ -119,7 +119,7 @@ var installCapLimiter = rateLimit({
   }
 });
 
-var waitRateInstallSec = isDev ? 30 : 60;
+var waitRateInstallSec = isDev ? settings.waitRateInstallSec.dev : settings.waitRateInstallSec.pro;
 var installRateLimiter = rateLimit({
   store: (isDev ? undefined : new MongoStore({
     uri: appendUrlLeaf(limiter, '/installRateLimiter'),
@@ -167,7 +167,7 @@ var installRateLimiter = rateLimit({
 var install1Limiter = lockdown ? installCapLimiter : installRateLimiter;
 var install2Limiter = lockdown ? installRateLimiter : installCapLimiter;
 
-var waitRateMetaSec = isDev ? 30 : 60;
+var waitRateMetaSec = isDev ? settings.waitRateMetaSec.dev : settings.waitRateMetaSec.pro;
 var metaRateLimiter = rateLimit({
   store: (isDev ? undefined : new MongoStore({
     uri: appendUrlLeaf(limiter, '/metaRateLimiter'),
@@ -212,7 +212,7 @@ var metaRateLimiter = rateLimit({
   }
 });
 
-var waitApiCapMin = isDev ? 1: 15;
+var waitApiCapMin = isDev ? settings.waitApiCapMin.dev: settings.waitApiCapMin.pro;
 var apiCapLimiter = rateLimit({
   store: (isDev ? undefined : new MongoStore({
     uri: appendUrlLeaf(limiter, '/apiCapLimiter'),
@@ -235,7 +235,7 @@ var apiCapLimiter = rateLimit({
   }
 });
 
-var waitAuthCapMin = isDev ? 1: 1440;
+var waitAuthCapMin = isDev ? settings.waitAuthCapMin.dev: settings.waitAuthCapMin.pro;
 var authCapLimiter = rateLimit({
   store: (isDev ? undefined : new MongoStore({
     uri: appendUrlLeaf(limiter, '/authCapLimiter'),
@@ -259,7 +259,7 @@ var authCapLimiter = rateLimit({
   }
 });
 
-var waitCaptchaCapMin = isDev ? 1: 1440;
+var waitCaptchaCapMin = isDev ? settings.waitCaptchaCapMin.dev: settings.waitCaptchaCapMin.pro;
 var captchaCapLimiter = rateLimit({
   store: (isDev ? undefined : new MongoStore({
     uri: appendUrlLeaf(limiter, '/captchaCapLimiter'),
@@ -293,7 +293,7 @@ var captchaCapLimiter = rateLimit({
   }
 });
 
-var waitListCapMin = isDev ? 1: 60;
+var waitListCapMin = isDev ? settings.waitListCapMin.dev: settings.waitListCapMin.pro;
 var listCapLimiter = rateLimit({
   store: (isDev ? undefined : new MongoStore({
     uri: appendUrlLeaf(limiter, '/listCapLimiter'),
@@ -359,7 +359,7 @@ var listCapLimiter = rateLimit({
   }
 });
 
-var waitListRateSec = isDev ? parseInt(4 / 2) : 4;
+var waitListRateSec = isDev ? settings.waitListRateSec.dev : settings.waitListRateSec.pro;
 var listRateLimiter = rateLimit({
   store: (isDev ? undefined : undefined),
   windowMs: waitListRateSec * 1000, // n seconds for all stores
@@ -403,7 +403,8 @@ var list1Limiter = lockdown ? listCapLimiter : listRateLimiter;
 var list2Limiter = lockdown ? listRateLimiter : listCapLimiter;
 
 
-var waitListAnyQRateSec = isDev ? parseInt(40 / 2) : 40;
+var waitListAnyQRateSec = isDev
+  ? settings.waitListAnyQRateSec.dev : settings.waitListAnyQRateSec.pro;
 var listAnyQRateLimiter = rateLimit({
   store: (isDev ? undefined : undefined),
   windowMs: waitListAnyQRateSec * 1000, // n seconds for all stores
@@ -439,7 +440,8 @@ var listAnyQRateLimiter = rateLimit({
   }
 });
 
-var waitListSameQCapMin = isDev ? 5 : 15;
+var waitListSameQCapMin = isDev
+  ? settings.waitListSameQCapMin.dev : settings.waitListSameQCapMin.pro;
 var listSameQRateLimiter = rateLimit({
   store: (isDev ? undefined : new MongoStore({
     uri: appendUrlLeaf(limiter, '/listSameQCapLimiter'),