server: rate limiter v1

packages/server/lib/controllers/ratelimit.middleware.ts

@@ -0,0 +1,70 @@
+import type { Request, Response, NextFunction } from 'express';
+import { createClient } from 'redis';
+import { RateLimiterRedis, RateLimiterMemory, RateLimiterRes } from 'rate-limiter-flexible';
+import { getAccount, getRedisUrl } from '@nangohq/shared';
+import { logger } from '@nangohq/shared';
+
+const rateLimiter = await (async () => {
+    const opts = {
+        keyPrefix: 'middleware',
+        points: 1200,
+        duration: 60,
+        blockDuration: 0
+    };
+    const url = getRedisUrl();
+    if (url) {
+        const redisClient = await createClient({ url: url, disableOfflineQueue: true }).connect();
+        redisClient.on('error', (err) => {
+            logger.error(`Redis (rate-limiter) error: ${err}`);
+        });
+        return new RateLimiterRedis({
+            storeClient: redisClient,
+            ...opts
+        });
+    }
+    return new RateLimiterMemory(opts);
+})();
+
+export const rateLimiterMiddleware = (req: Request, res: Response, next: NextFunction) => {
+    const setXRateLimitHeaders = (rateLimiterRes: RateLimiterRes) => {
+        const resetEpoch = Math.floor(new Date(Date.now() + rateLimiterRes.msBeforeNext).getTime() / 1000);
+        res.setHeader('X-RateLimit-Limit', rateLimiter.points);
+        res.setHeader('X-RateLimit-Remaining', rateLimiterRes.remainingPoints);
+        res.setHeader('X-RateLimit-Reset', resetEpoch);
+    };
+    const key = getKey(req, res);
+    const pointsToConsume = getPointsToConsume(req);
+    rateLimiter
+        .consume(key, pointsToConsume)
+        .then((rateLimiterRes) => {
+            setXRateLimitHeaders(rateLimiterRes);
+            next();
+        })
+        .catch((rateLimiterRes) => {
+            res.setHeader('Retry-After', Math.floor(rateLimiterRes.msBeforeNext / 1000));
+            setXRateLimitHeaders(rateLimiterRes);
+            logger.info(`Rate limit exceeded for ${key}. Request: ${req.method} ${req.path})`);
+            next();
+            // TODO:
+            // res.status(429).send('Too Many Requests');
+        });
+};
+
+function getKey(req: Request, res: Response): string {
+    try {
+        return `account-${getAccount(res)}`;
+    } catch (e) {
+        if (req.user) {
+            return `user-${req.user.id}`;
+        }
+        return `ip-${req.ip}`;
+    }
+}
+
+function getPointsToConsume(req: Request): number {
+    if (['/api/v1/signin', '/api/v1/signup', '/api/v1/forgot-password', '/api/v1/reset-password'].includes(req.path)) {
+        // limiting  to 6 requests per period to avoid brute force attacks
+        return rateLimiter.points / 6;
+    }
+    return 1;
+}

packages/server/lib/server.ts

@@ -19,6 +19,7 @@ import apiAuthController from './controllers/apiAuth.controller.js';
 import appAuthController from './controllers/appAuth.controller.js';
 import onboardingController from './controllers/onboarding.controller.js';
 import webhookController from './controllers/webhook.controller.js';
+import { rateLimiterMiddleware } from './controllers/ratelimit.middleware.js';
 import path from 'path';
 import { dirname } from './utils/utils.js';
 import { WebSocketServer, WebSocket } from 'ws';
@@ -52,14 +53,15 @@ const app = express();
 
 // Auth
 AuthClient.setup(app);
-const apiAuth = authMiddleware.secretKeyAuth.bind(authMiddleware);
-const apiPublicAuth = authMiddleware.publicKeyAuth.bind(authMiddleware);
+
+const apiAuth = [authMiddleware.secretKeyAuth, rateLimiterMiddleware];
+const apiPublicAuth = [authMiddleware.publicKeyAuth, rateLimiterMiddleware];
 const webAuth =
     isCloud() || isEnterprise()
-        ? [passport.authenticate('session'), authMiddleware.sessionAuth.bind(authMiddleware)]
+        ? [passport.authenticate('session'), authMiddleware.sessionAuth, rateLimiterMiddleware]
         : isBasicAuthEnabled()
-          ? [passport.authenticate('basic', { session: false }), authMiddleware.basicAuth.bind(authMiddleware)]
-          : [authMiddleware.noAuth.bind(authMiddleware)];
+          ? [passport.authenticate('basic', { session: false }), authMiddleware.basicAuth, rateLimiterMiddleware]
+          : [authMiddleware.noAuth, rateLimiterMiddleware];
 
 app.use(
     express.json({
@@ -139,12 +141,12 @@ app.route('/proxy/*').all(apiAuth, upload.any(), proxyController.routeCall.bind(
 
 // Webapp routes (no auth).
 if (isCloud() || isEnterprise()) {
-    app.route('/api/v1/signup').post(authController.signup.bind(authController));
-    app.route('/api/v1/signup/invite').get(authController.invitation.bind(authController));
-    app.route('/api/v1/logout').post(authController.logout.bind(authController));
-    app.route('/api/v1/signin').post(passport.authenticate('local'), authController.signin.bind(authController));
-    app.route('/api/v1/forgot-password').put(authController.forgotPassword.bind(authController));
-    app.route('/api/v1/reset-password').put(authController.resetPassword.bind(authController));
+    app.route('/api/v1/signup').post(rateLimiterMiddleware, authController.signup.bind(authController));
+    app.route('/api/v1/signup/invite').get(rateLimiterMiddleware, authController.invitation.bind(authController));
+    app.route('/api/v1/logout').post(rateLimiterMiddleware, authController.logout.bind(authController));
+    app.route('/api/v1/signin').post(rateLimiterMiddleware, passport.authenticate('local'), authController.signin.bind(authController));
+    app.route('/api/v1/forgot-password').put(rateLimiterMiddleware, authController.forgotPassword.bind(authController));
+    app.route('/api/v1/reset-password').put(rateLimiterMiddleware, authController.resetPassword.bind(authController));
 }
 
 // Webapp routes (session auth).

packages/server/package.json

@@ -47,6 +47,8 @@
         "passport-local": "^1.0.0",
         "pg": "^8.8.0",
         "posthog-node": "^3.1.3",
+        "rate-limiter-flexible": "^5.0.0",
+        "redis": "^4.6.11",
         "simple-oauth2": "^5.0.0",
         "uuid": "^9.0.0",
         "winston": "^3.8.2",