feat: Fix rate limit issue

Signed-off-by: ABHAY PANDEY <pandeyabhay967@gmail.com>

Author: Ferryx349

resources/default-settings.yaml

@@ -112,6 +112,19 @@ limits:
       - "::1"
       - "10.10.10.1"
       - "::ffff:10.10.10.1"
+  admin:
+    rateLimits:
+      - description: 30 admin requests/min
+        period: 60000
+        rate: 30
+    loginRateLimits:
+      - description: 10 login attempts per 15 minutes
+        period: 900000
+        rate: 10
+    ipWhitelist:
+      - "::1"
+      - "10.10.10.1"
+      - "::ffff:10.10.10.1"
   connection:
     rateLimits:
       - period: 1000

src/@types/settings.ts

@@ -141,10 +141,17 @@ export interface AdmissionCheckLimits {
   ipWhitelist?: string[]
 }
 
+export interface AdminLimits {
+  rateLimits?: RateLimit[]
+  loginRateLimits?: RateLimit[]
+  ipWhitelist?: string[]
+}
+
 export interface Limits {
   rateLimiter?: RateLimiterSettings
   invoice?: InvoiceLimits
   admissionCheck?: AdmissionCheckLimits
+  admin?: AdminLimits
   connection?: ConnectionLimits
   client?: ClientLimits
   event?: EventLimits

src/handlers/request-handlers/admin-rate-limit-middleware.ts

@@ -0,0 +1,27 @@
+import { NextFunction, Request, Response } from 'express'
+
+import { createSettings } from '../../factories/settings-factory'
+import { rateLimiterFactory } from '../../factories/rate-limiter-factory'
+import { isAdminRateLimited } from '../../utils/admin-rate-limit'
+
+const sendTooManyRequests = (response: Response) => {
+  response.status(429).setHeader('content-type', 'application/json').send(JSON.stringify({ error: 'Too many requests' }))
+}
+
+export const adminLoginRateLimitMiddleware = async (request: Request, response: Response, next: NextFunction) => {
+  if (await isAdminRateLimited(request, createSettings(), rateLimiterFactory, 'login')) {
+    sendTooManyRequests(response)
+    return
+  }
+
+  next()
+}
+
+export const adminRateLimitMiddleware = async (request: Request, response: Response, next: NextFunction) => {
+  if (await isAdminRateLimited(request, createSettings(), rateLimiterFactory, 'admin')) {
+    sendTooManyRequests(response)
+    return
+  }
+
+  next()
+}

src/routes/admin/index.ts

@@ -5,6 +5,10 @@ import { createGetAdminHealthController } from '../../factories/controllers/get-
 import { createGetAdminSessionController } from '../../factories/controllers/get-admin-session-controller-factory'
 import { createPostAdminLoginController } from '../../factories/controllers/post-admin-login-controller-factory'
 import { createSettings } from '../../factories/settings-factory'
+import {
+  adminLoginRateLimitMiddleware,
+  adminRateLimitMiddleware,
+} from '../../handlers/request-handlers/admin-rate-limit-middleware'
 import { rateLimiterMiddleware } from '../../handlers/request-handlers/rate-limiter-middleware'
 import { withController } from '../../handlers/request-handlers/with-controller-request-handler'
 
@@ -32,8 +36,8 @@ const requireAdminAuth = (request: Request, response: Response, next: NextFuncti
 router.use(requireAdminEnabled)
 router.use(rateLimiterMiddleware)
 
-router.post('/login', json(), withController(createPostAdminLoginController))
-router.get('/session', requireAdminAuth, withController(createGetAdminSessionController))
-router.get('/health', requireAdminAuth, withController(createGetAdminHealthController))
+router.post('/login', adminLoginRateLimitMiddleware, json(), withController(createPostAdminLoginController))
+router.get('/session', adminRateLimitMiddleware, requireAdminAuth, withController(createGetAdminSessionController))
+router.get('/health', adminRateLimitMiddleware, requireAdminAuth, withController(createGetAdminHealthController))
 
 export default router

src/utils/admin-rate-limit.ts

@@ -0,0 +1,38 @@
+import { path } from 'ramda'
+import { Request } from 'express'
+
+import { Settings } from '../@types/settings'
+import { IRateLimiter } from '../@types/utils'
+import { createLogger } from '../factories/logger-factory'
+import { getRemoteAddress } from './http'
+
+const logger = createLogger('admin-rate-limit')
+
+export async function isAdminRateLimited(
+  request: Request,
+  settings: Settings,
+  rateLimiterFactory: () => IRateLimiter,
+  scope: 'login' | 'admin',
+): Promise<boolean> {
+  const rateLimitsKey = scope === 'login' ? 'loginRateLimits' : 'rateLimits'
+  const rateLimits = path(['limits', 'admin', rateLimitsKey], settings)
+  if (!Array.isArray(rateLimits) || !rateLimits.length) {
+    return false
+  }
+
+  const ipWhitelist = path(['limits', 'admin', 'ipWhitelist'], settings)
+  const remoteAddress = getRemoteAddress(request, settings)
+
+  let limited = false
+  if (Array.isArray(ipWhitelist) && !ipWhitelist.includes(remoteAddress)) {
+    const rateLimiter = rateLimiterFactory()
+    for (const { rate, period } of rateLimits) {
+      if (await rateLimiter.hit(`${remoteAddress}:admin-${scope}:${period}`, 1, { period, rate })) {
+        logger('rate limited %s: %d in %d milliseconds', remoteAddress, rate, period)
+        limited = true
+      }
+    }
+  }
+
+  return limited
+}

test/unit/routes/admin.spec.ts

@@ -5,6 +5,7 @@ import Sinon from 'sinon'
 
 import * as getAdminHealthControllerFactory from '../../../src/factories/controllers/get-admin-health-controller-factory'
 import { hashAdminPassword } from '../../../src/utils/admin-password'
+import * as adminRateLimitMiddleware from '../../../src/handlers/request-handlers/admin-rate-limit-middleware'
 import * as rateLimiterMiddleware from '../../../src/handlers/request-handlers/rate-limiter-middleware'
 import * as settingsFactory from '../../../src/factories/settings-factory'
 
@@ -14,6 +15,8 @@ describe('admin router', () => {
   let createGetAdminHealthControllerStub: Sinon.SinonStub
   let createSettingsStub: Sinon.SinonStub
   let rateLimiterMiddlewareStub: Sinon.SinonStub
+  let adminRateLimitMiddlewareStub: Sinon.SinonStub
+  let adminLoginRateLimitMiddlewareStub: Sinon.SinonStub
   let server: any
 
   const loadAdminRouter = () => {
@@ -43,9 +46,12 @@ describe('admin router', () => {
       },
     } as any)
     createSettingsStub = Sinon.stub(settingsFactory, 'createSettings').returns(settings as any)
-    rateLimiterMiddlewareStub = Sinon.stub(rateLimiterMiddleware, 'rateLimiterMiddleware').callsFake(async (_request, _response, next) => {
+    const passthrough = async (_request: any, _response: any, next: any) => {
       next()
-    })
+    }
+    rateLimiterMiddlewareStub = Sinon.stub(rateLimiterMiddleware, 'rateLimiterMiddleware').callsFake(passthrough)
+    adminRateLimitMiddlewareStub = Sinon.stub(adminRateLimitMiddleware, 'adminRateLimitMiddleware').callsFake(passthrough)
+    adminLoginRateLimitMiddlewareStub = Sinon.stub(adminRateLimitMiddleware, 'adminLoginRateLimitMiddleware').callsFake(passthrough)
     const router = loadAdminRouter()
     const app = express()
     app.use('/admin', router)
@@ -61,6 +67,8 @@ describe('admin router', () => {
     createGetAdminHealthControllerStub?.restore()
     createSettingsStub?.restore()
     rateLimiterMiddlewareStub?.restore()
+    adminRateLimitMiddlewareStub?.restore()
+    adminLoginRateLimitMiddlewareStub?.restore()
     delete require.cache[require.resolve('../../../src/routes/admin/index')]
     delete require.cache[require.resolve('../../../src/routes/admin')]
 

test/unit/utils/admin-rate-limit.spec.ts

@@ -0,0 +1,64 @@
+import chai from 'chai'
+import sinon from 'sinon'
+import sinonChai from 'sinon-chai'
+
+import { isAdminRateLimited } from '../../../src/utils/admin-rate-limit'
+
+chai.use(sinonChai)
+const { expect } = chai
+
+describe('isAdminRateLimited', () => {
+  const baseSettings = {
+    network: {
+      remoteIpHeader: 'x-forwarded-for',
+    },
+    limits: {
+      admin: {
+        rateLimits: [{ rate: 30, period: 60000 }],
+        loginRateLimits: [{ rate: 10, period: 900000 }],
+        ipWhitelist: [],
+      },
+    },
+  }
+
+  const makeRequest = (remoteAddress = '1.2.3.4') =>
+    ({
+      headers: {},
+      connection: { remoteAddress },
+      socket: { remoteAddress },
+    }) as any
+
+  it('returns false when no rate limits are configured', async () => {
+    const rateLimiter = { hit: sinon.stub().resolves(false) }
+    const settings = { ...baseSettings, limits: { admin: { ipWhitelist: [] } } }
+
+    const limited = await isAdminRateLimited(makeRequest(), settings as any, () => rateLimiter, 'admin')
+
+    expect(limited).to.equal(false)
+    expect(rateLimiter.hit).not.to.have.been.called
+  })
+
+  it('returns true when login rate limit is exceeded', async () => {
+    const rateLimiter = { hit: sinon.stub().resolves(true) }
+
+    const limited = await isAdminRateLimited(makeRequest(), baseSettings as any, () => rateLimiter, 'login')
+
+    expect(limited).to.equal(true)
+    expect(rateLimiter.hit).to.have.been.calledOnceWithExactly('1.2.3.4:admin-login:900000', 1, {
+      period: 900000,
+      rate: 10,
+    })
+  })
+
+  it('returns true when admin route rate limit is exceeded', async () => {
+    const rateLimiter = { hit: sinon.stub().resolves(true) }
+
+    const limited = await isAdminRateLimited(makeRequest(), baseSettings as any, () => rateLimiter, 'admin')
+
+    expect(limited).to.equal(true)
+    expect(rateLimiter.hit).to.have.been.calledOnceWithExactly('1.2.3.4:admin-admin:60000', 1, {
+      period: 60000,
+      rate: 30,
+    })
+  })
+})