Merge pull request #2401 from PineappleIOnic/fix-improve-recovery-rate-limit

Update abuse-key for password recovery to add IP
2024-06-01 10:29:48 +12:00 · 2021-12-31 10:52:28 +02:00 · 2021-12-31 10:52:28 +02:00 · b766ec5a4a
parent 2a279c1b1a 7e20dc5863
commit b766ec5a4a
2 changed files with 35 additions and 26 deletions
--- a/app/controllers/api/account.php
+++ b/app/controllers/api/account.php
@ -1733,7 +1733,7 @@ App::post('/v1/account/recovery')
    ->label('sdk.response.type', Response::CONTENT_TYPE_JSON)
    ->label('sdk.response.model', Response::MODEL_TOKEN)
    ->label('abuse-limit', 10)
-    ->label('abuse-key', 'url:{url},email:{param-email}')
+    ->label('abuse-key', ['url:{url},email:{param-email}', 'ip:{ip}'])
    ->param('email', '', new Email(), 'User email.')
    ->param('url', '', function ($clients) { return new Host($clients); }, 'URL to redirect the user back to your app from the recovery email. Only URLs from hostnames in your project platform list are allowed. This requirement helps to prevent an [open redirect](https://cheatsheetseries.owasp.org/cheatsheets/Unvalidated_Redirects_and_Forwards_Cheat_Sheet.html) attack against your project API.', false, ['clients'])
    ->inject('request')
--- a/app/controllers/shared/api.php
+++ b/app/controllers/shared/api.php
@ -37,41 +37,50 @@ App::init(function ($utopia, $request, $response, $project, $user, $register, $e
    /*
     * Abuse Check
     */
-    $timeLimit = new TimeLimit($route->getLabel('abuse-key', 'url:{url},ip:{ip}'), $route->getLabel('abuse-limit', 0), $route->getLabel('abuse-time', 3600), $db);
-    $timeLimit->setNamespace('app_'.$project->getId());
-    $timeLimit
-        ->setParam('{userId}', $user->getId())
-        ->setParam('{userAgent}', $request->getUserAgent(''))
-        ->setParam('{ip}', $request->getIP())
-        ->setParam('{url}', $request->getHostname().$route->getPath())
-    ;
+    $abuseKeyLabel = $route->getLabel('abuse-key', 'url:{url},ip:{ip}');
+    $timeLimitArray = [];

-    //TODO make sure we get array here
+    $abuseKeyLabel = (!is_array($abuseKeyLabel)) ? [$abuseKeyLabel] : $abuseKeyLabel;

-    foreach ($request->getParams() as $key => $value) { // Set request params as potential abuse keys
-        if(!empty($value)) {
-            $timeLimit->setParam('{param-'.$key.'}', (\is_array($value)) ? \json_encode($value) : $value);
-        }
-    }
-
-    $abuse = new Abuse($timeLimit);
-
-    if ($timeLimit->limit()) {
-        $response
-            ->addHeader('X-RateLimit-Limit', $timeLimit->limit())
-            ->addHeader('X-RateLimit-Remaining', $timeLimit->remaining())
-            ->addHeader('X-RateLimit-Reset', $timeLimit->time() + $route->getLabel('abuse-time', 3600))
-        ;
+    foreach ($abuseKeyLabel as $abuseKey) {
+        $timeLimit = new TimeLimit($abuseKey, $route->getLabel('abuse-limit', 0), $route->getLabel('abuse-time', 3600), $db);
+        $timeLimit->setNamespace('app_'.$project->getId());
+        $timeLimit
+            ->setParam('{userId}', $user->getId())
+            ->setParam('{userAgent}', $request->getUserAgent(''))
+            ->setParam('{ip}', $request->getIP())
+            ->setParam('{url}', $request->getHostname().$route->getPath());
+        $timeLimitArray[] = $timeLimit;
    }

+    $closestLimit = null;
    $isPrivilegedUser = Auth::isPrivilegedUser(Authorization::$roles);
    $isAppUser = Auth::isAppUser(Authorization::$roles);

-    if (($abuse->check() // Route is rate-limited
+    foreach ($timeLimitArray as $timeLimit) {
+        foreach ($request->getParams() as $key => $value) { // Set request params as potential abuse keys
+            if(!empty($value)) {
+                $timeLimit->setParam('{param-'.$key.'}', (\is_array($value)) ? \json_encode($value) : $value);
+            }
+        }
+
+        $abuse = new Abuse($timeLimit);
+
+        if ($timeLimit->limit() && ($timeLimit->remaining() < $closestLimit || is_null($closestLimit))) {
+            $closestLimit = $timeLimit->remaining();
+            $response
+                ->addHeader('X-RateLimit-Limit', $timeLimit->limit())
+                ->addHeader('X-RateLimit-Remaining', $timeLimit->remaining())
+                ->addHeader('X-RateLimit-Reset', $timeLimit->time() + $route->getLabel('abuse-time', 3600))
+            ;
+        }
+    
+        if (($abuse->check() // Route is rate-limited
        && App::getEnv('_APP_OPTIONS_ABUSE', 'enabled') !== 'disabled') // Abuse is not disabled
        && (!$isAppUser && !$isPrivilegedUser)) // User is not an admin or API key
        {
-        throw new Exception('Too many requests', 429);
+            throw new Exception('Too many requests', 429);
+        }
    }

    /*