
Add rate limiting to login requests #1777

Merged (5 commits), Jan 24, 2024

Conversation

Contributor

@jayjay-w jayjay-w commented Jan 11, 2024

Description

Add rate limiting to login requests using rack-attack. As a starting point, we are setting a limit of 5 requests per minute to /api/users/sign_in.

References: CV2-4164

How has this been tested?

Tested by confirming that:

  • Repeated calls to /api/users/sign_in will result in a 429: Too many requests error. This can be validated using either the Check web application or an API client. The default limit is 10 requests per minute.
  • Repeated calls to /api/graphql will result in a 429 error as well. The default limit is 100 requests per minute.

Things to pay attention to during code review

Checklist

  • I have performed a self-review of my own code
  • I have added unit and feature tests, if the PR implements a new feature or otherwise would benefit from additional testing
  • I have added regression tests, if the PR fixes a bug
  • I have added logging, exception reporting, and custom tracing with any additional information required for debugging
  • I considered secure coding practices when writing this code. Any security concerns are noted above.
  • I have commented my code in hard-to-understand areas, if any
  • I have made needed changes to the README
  • My changes generate no new warnings
  • If I added a third party module, I included a rationale for doing so and followed our current guidelines
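To make the throttle semantics of the description concrete, here is an added example (not code from check-api or from rack-attack) of a minimal Rack-style middleware that behaves like Rack::Attack.throttle: a fixed-window counter keyed by rule name, window number and client IP, answering 429 with a Retry-After header once the limit is exceeded. The LIMITS hash is a constructed stand-in for the configuration file the limits were moved to, the in-memory Hash store replaces the Rails cache, and the injected clock exists only so the walk-through can fake time.

```ruby
# Added example (not code from check-api or rack-attack): a minimal Rack-style
# throttle that mirrors the semantics of Rack::Attack.throttle, i.e. a fixed
# window counter keyed by (rule name, window number, discriminator).
# Assumptions: limits come from a plain Hash standing in for CheckConfig,
# and the store is an in-memory Hash instead of the Rails cache.

require 'json'

class LoginThrottle
  # Constructed stand-in for the configuration file the limits live in.
  LIMITS = {
    'login_rate_limit'   => { path: '/api/users/sign_in', limit: 5,   period: 60 },
    'graphql_rate_limit' => { path: '/api/graphql',       limit: 100, period: 60 }
  }.freeze

  def initialize(app, store: {}, clock: -> { Time.now }, limits: LIMITS)
    @app, @store, @clock, @limits = app, store, clock, limits
  end

  def call(env)
    now = @clock.call
    @limits.each do |name, rule|
      next unless env['PATH_INFO'] == rule[:path]
      # Fixed window: every request in the same `period`-second bucket shares a
      # key, so the counter resets when the bucket number changes.
      bucket = now.to_i / rule[:period]
      key = "#{name}:#{bucket}:#{env['REMOTE_ADDR']}"
      count = @store[key] = @store.fetch(key, 0) + 1
      if count > rule[:limit]
        # Seconds left in the current window, surfaced to well-behaved clients.
        retry_after = rule[:period] - (now.to_i % rule[:period])
        return throttled_response(retry_after)
      end
    end
    @app.call(env)
  end

  private

  def throttled_response(retry_after)
    body = JSON.generate(error: 'Too many requests')
    [429, { 'content-type' => 'application/json', 'retry-after' => retry_after.to_s }, [body]]
  end
end

# Walk-through helper: send `n` requests from one constructed client IP to one
# path at a fixed fake time and return the list of status codes.
def simulate(path, n, at: Time.at(1_700_000_000), store: {})
  app = ->(_env) { [200, { 'content-type' => 'application/json' }, ['{"ok":true}']] }
  throttle = LoginThrottle.new(app, store: store, clock: -> { at })
  Array.new(n) { throttle.call('PATH_INFO' => path, 'REMOTE_ADDR' => '203.0.113.7').first }
end

if __FILE__ == $PROGRAM_NAME
  p simulate('/api/users/sign_in', 7)   # [200, 200, 200, 200, 200, 429, 429]
  p simulate('/api/other', 3)           # [200, 200, 200]: untracked path, never throttled
end
```

Because the window is fixed rather than sliding, a client can send the limit at the end of one window and again at the start of the next; a per-account lock is the complementary control for credential guessing, which is why the PR also enables Devise lockable.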

Add rate limiting to login requests using rack-attack. As a starting
point, we are setting a limit of 5 requests per minute to /api/users/sign_in.
Enable devise lockable to lock users after 5 consecutive incorrect login attempts. Account will be unlocked automatically after 1 hour.
@jayjay-w jayjay-w force-pushed the CV2-4164-Rate-Limiting-in-Login-Mechanism branch from e60a914 to 0b658cd January 17, 2024 14:19
@jayjay-w jayjay-w marked this pull request as ready for review January 23, 2024 13:13
@jayjay-w jayjay-w force-pushed the CV2-4164-Rate-Limiting-in-Login-Mechanism branch from 028a3ca to ae61d9a January 23, 2024 13:21
- Moved limits to the configuration file
- Added tests for all limits
@jayjay-w jayjay-w force-pushed the CV2-4164-Rate-Limiting-in-Login-Mechanism branch from ae61d9a to 266768c January 23, 2024 13:22
Contributor

@caiosba caiosba left a comment


There is a typo, but after I fixed it locally, I was able to verify both features:

  • User account locked after failed login attempts
  • Rate limit error when many calls are made to the GraphQL API endpoint

FYI @jayjay-w: You don't need to explicitly call .to_i when retrieving a configuration value... you can pass a :integer parameter to CheckConfig.get: https://github.com/meedan/check-api/blob/develop/app/lib/check_config.rb#L10

@jayjay-w jayjay-w force-pushed the CV2-4164-Rate-Limiting-in-Login-Mechanism branch from 6090a70 to 44de8b7 January 23, 2024 18:46
Reduce the number of actual api calls to 2 per test when testing
rate limiting.
@jayjay-w jayjay-w requested a review from caiosba January 24, 2024 18:11

codeclimate bot commented Jan 24, 2024

Code Climate has analyzed commit 4b03a98 and detected 0 issues on this pull request.

The test coverage on the diff in this pull request is 100.0% (100% is the threshold).

This pull request will bring the total coverage in the repository to 99.9% (0.0% change).


@jayjay-w jayjay-w merged commit ea0eb3f into develop Jan 24, 2024
7 of 8 checks passed
Contributor

caiosba commented Jan 24, 2024

hey @jayjay-w, there was a failed test :)

Error:
SessionsControllerTest#test_should_unlock_locked_user_accounts_after_specified_time:
TypeError: ActiveSupport::TimeWithZone can't be coerced into Integer
    test/controllers/sessions_controller_test.rb:97:in `+'
    test/controllers/sessions_controller_test.rb:97:in `block in <class:SessionsControllerTest>'
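The failure above comes from adding a duration and a time in the wrong order: Integer#+ cannot coerce a Time, whereas Time#+ accepts a number of seconds. As an added example (not code from check-api or from Devise), here is a pure-Ruby model of the lockable behaviour the PR enabled, with the values stated in the commit message (5 consecutive failures, automatic unlock after 1 hour) as constructed constants, an injected clock so the walk-through can fake time, and the unlock-time arithmetic written in the operand order that works.

```ruby
# Added example (not code from check-api or Devise): a pure-Ruby model of the
# Devise :lockable behaviour the PR enabled (maximum_attempts 5, unlock_in 1 hour).
# Assumptions: constants are constructed from the PR text, not read from config,
# and `clock` is injected so callers can fake time instead of sleeping.

class LockableAccount
  MAXIMUM_ATTEMPTS = 5
  UNLOCK_IN = 60 * 60 # seconds; Devise expresses this as 1.hour

  attr_reader :failed_attempts, :locked_at

  def initialize(password:, clock: -> { Time.now })
    @password, @clock = password, clock
    @failed_attempts = 0
    @locked_at = nil
  end

  # Returns :ok, :locked or :invalid, the three outcomes a sign-in endpoint
  # distinguishes. Only consecutive failures count; a success resets them.
  def authenticate(password)
    return :locked if locked?
    if password == @password
      @failed_attempts = 0
      return :ok
    end
    @failed_attempts += 1
    @locked_at = @clock.call if @failed_attempts >= MAXIMUM_ATTEMPTS
    locked? ? :locked : :invalid
  end

  def locked?
    return false if @locked_at.nil?
    if unlock_at <= @clock.call
      # Time-based unlock: the lock is cleared lazily on the next check.
      @locked_at = nil
      @failed_attempts = 0
      return false
    end
    true
  end

  # Time + Integer is defined; Integer + Time is not (Integer#+ tries to coerce
  # the Time and raises TypeError), which is the shape of the failing test.
  def unlock_at
    @locked_at + UNLOCK_IN
  end
end

# Walk-through driven by a fake clock the caller advances by reassignment;
# the lambda closes over the local variable, so the account sees the new time.
def lockout_walkthrough
  now = Time.at(1_700_000_000)
  account = LockableAccount.new(password: 'correct horse', clock: -> { now })
  results = Array.new(5) { account.authenticate('wrong') } # 4 x :invalid, then :locked
  still_locked = account.authenticate('correct horse')      # :locked even with the right password
  now += LockableAccount::UNLOCK_IN                          # one hour later
  after_unlock = account.authenticate('correct horse')       # :ok, counter reset
  { results: results, still_locked: still_locked, after_unlock: after_unlock }
end

# The operand-order mistake isolated: swapping the operands raises TypeError
# instead of returning a Time.
def reversed_operands_raise?
  LockableAccount::UNLOCK_IN + Time.at(0)
  false
rescue TypeError
  true
end

if __FILE__ == $PROGRAM_NAME
  p lockout_walkthrough
  p reversed_operands_raise?
end
```

In a Rails test the same idea is usually expressed by putting the time on the left of the `+` (or by using `travel_to` with `locked_at + unlock_in`) rather than adding a time to a duration.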

@jayjay-w
Contributor Author

Interesting... @caiosba, I will fix it in a new PR.

@jayjay-w jayjay-w deleted the CV2-4164-Rate-Limiting-in-Login-Mechanism branch March 26, 2024 13:06