feat: [CHK-3719] enable recaptcha for checkout auth service login api (…

…#2806) * feat: enable recaptcha check for checkout login api * chore: remove comment * chore: remove comment * feat: adding rate limit to the login inbound policies * chore: policy api name construction * fix: renaming checkout api group * fix: renaming checkout api group - using local values * fix: redefine inbound policies for checkout auth service * chore: use locals to centralize api-related value definition * chore: pre-commit run * fix: change recaptcha secret named value * fix: google recaptcha secrets fix * fix: fixing api name in operation policy for checkout auth service --------- Co-authored-by: Simone infante <[email protected]> Co-authored-by: ciuffagianluca <[email protected]> Co-authored-by: Pietro Tota <[email protected]>
pagopa · Feb 25, 2025 · 3bf7afc · 3bf7afc
1 parent 62176d0
commit 3bf7afc
Show file tree

Hide file tree

Showing 4 changed files with 62 additions and 5 deletions.
diff --git a/src/domains/checkout-app/04_apim_checkout_authentication.tf b/src/domains/checkout-app/04_apim_checkout_authentication.tf
@@ -26,7 +26,7 @@ module "apim_checkout_authentication" {
 }
 
 resource "azurerm_api_management_api_version_set" "checkout_auth_service_api_v1" {
-  name                = "${local.parent_project}-auth-service-api"
+  name                = "${local.project_short}-auth-service-api"
   resource_group_name = data.azurerm_resource_group.rg_api.name
   api_management_name = data.azurerm_api_management.apim.name
   display_name        = local.apim_checkout_auth_service.display_name
@@ -36,7 +36,7 @@ resource "azurerm_api_management_api_version_set" "checkout_auth_service_api_v1"
 module "apim_checkout_auth_service_v1" {
   source = "./.terraform/modules/__v3__/api_management_api"
 
-  name                  = "${local.parent_project}-auth-service-api"
+  name                  = "${local.project_short}-auth-service-api"
   api_management_name   = data.azurerm_api_management.apim.name
   resource_group_name   = data.azurerm_resource_group.rg_api.name
   product_ids           = [module.apim_checkout_authentication.product_id]
@@ -59,4 +59,13 @@ module "apim_checkout_auth_service_v1" {
     checkout_ingress_hostname = var.checkout_ingress_hostname,
     checkout_origin           = "https://${var.dns_zone_checkout}.${var.external_domain}"
   })
-}
+}
+
+resource "azurerm_api_management_api_operation_policy" "checkout_auth_login_api" {
+  api_name            = "${local.project_short}-auth-service-api-v1"
+  api_management_name = data.azurerm_api_management.apim.name
+  resource_group_name = data.azurerm_resource_group.rg_api.name
+  operation_id        = "authLogin"
+
+  xml_content = file("./api/checkout/checkout_auth_service/v1/_recaptcha_check.xml.tpl")
+}
diff --git a/src/domains/checkout-app/api/checkout/checkout_auth_service/v1/_base_policy.xml.tpl b/src/domains/checkout-app/api/checkout/checkout_auth_service/v1/_base_policy.xml.tpl
@@ -1,6 +1,13 @@
 <policies>
 
   <inbound>
+    <!-- Rate limit policy -->
+    <rate-limit-by-key
+      calls="150"
+      renewal-period="10"
+      counter-key="@(context.Request.Headers.GetValueOrDefault("X-Forwarded-For"))"
+    />
+    <!-- End rate limit policy -->
       <cors>
         <allowed-origins>
           <origin>${checkout_origin}</origin>

diff --git a/src/domains/checkout-app/api/checkout/checkout_auth_service/v1/_openapi.json.tpl b/src/domains/checkout-app/api/checkout/checkout_auth_service/v1/_openapi.json.tpl
@@ -21,7 +21,7 @@
         }
     ],
     "paths": {
-        "/v1/auth/login": {
+        "/auth/login": {
             "get": {
                 "tags": [
                     "authService"
@@ -84,7 +84,7 @@
                 }
             }
         },
-        "/v1/auth/users": {
+        "/auth/users": {
             "get": {
                 "tags": [
                     "authService"

diff --git a/src/domains/checkout-app/api/checkout/checkout_auth_service/v1/_recaptcha_check.xml.tpl b/src/domains/checkout-app/api/checkout/checkout_auth_service/v1/_recaptcha_check.xml.tpl
@@ -0,0 +1,41 @@
+<policies>
+    <inbound>
+      <base />
+      <!-- Check google reCAPTCHA token validity START -->
+      <set-variable name="recaptchaSecret" value="{{ecommerce-for-checkout-google-recaptcha-secret}}" />
+      <set-variable name="recaptchaToken" value="@(context.Request.OriginalUrl.Query.GetValueOrDefault("recaptcha"))" />
+      <choose>
+          <when condition="@(context.Variables["recaptchaToken"] == null || context.Variables["recaptchaToken"] == "")">
+              <return-response>
+                  <set-status code="401" reason="Unauthorized" />
+              </return-response>
+          </when>
+      </choose>
+      <send-request ignore-error="true" timeout="10" response-variable-name="recaptcha-check" mode="new">
+          <set-url>https://www.google.com/recaptcha/api/siteverify</set-url>
+          <set-method>POST</set-method>
+          <set-header name="Content-Type" exists-action="override">
+             <value>application/x-www-form-urlencoded</value>
+          </set-header>
+          <set-body>@($"secret={(string)context.Variables["recaptchaSecret"]}&response={(string)context.Variables["recaptchaToken"]}")</set-body>
+      </send-request>
+      <set-variable name="recaptcha-check-body" value="@(((IResponse)context.Variables["recaptcha-check"]).Body.As<JObject>())" />
+      <choose>
+        <when condition="@(((IResponse)context.Variables["recaptcha-check"]).StatusCode != 200 || ((bool) ((JObject) context.Variables["recaptcha-check-body"])["success"]) != true)">
+          <return-response>
+            <set-status code="401" reason="Unauthorized" />
+            </return-response>
+        </when>
+      </choose>
+      <!-- Check google reCAPTCHA token validity END -->
+    </inbound>
+    <outbound>
+      <base />
+    </outbound>
+    <backend>
+      <base />
+    </backend>
+    <on-error>
+      <base />
+    </on-error>
+  </policies>