auth-methods: Prevent Brute Force Attacks

Introduce a new class to block users after multiple failed login attempts and restrict frequent login attempts from the same IP address using express-rate-limit Gitlab: #213 Change-Id: I84dfbaabe71bb62b480fde221533faf4d4ea1c06

auth-methods: Prevent Brute Force Attacks
e5893403 · Léopold Chappuis · b9459db7 · e5893403 · e5893403 · e5893403
Commit e5893403 authored 6 months ago by Léopold Chappuis
--- a/client/src/contexts/AlertSnackbarProvider.tsx
+++ b/client/src/contexts/AlertSnackbarProvider.tsx
@@ -116,6 +116,7 @@ type AlertMessageKeys =
  | 'getting_oauth_clients_error'
  | 'getting_oauth_provider_info_error'
  | 'file_not_downloaded'
+  | 'too_many_requests'
 export const AlertSnackbarContext = createContext<IAlertSnackbarContext>(defaultAlertSnackbarContext)
@@ -217,6 +218,8 @@ const AlertSnackbarProvider = ({ children }: WithChildren) => {
          return t('getting_oauth_provider_info_error')
        case 'file_not_downloaded':
          return t('file_not_downloaded')
+        case 'too_many_requests':
+          return t('too_many_requests')
        default:
          return t('unknown_error_alert')
      }

--- a/client/src/services/adminQueries.ts
+++ b/client/src/services/adminQueries.ts
@@ -94,6 +94,12 @@ export const useLoginAdminMutation = () => {
          severity: 'error',
          alertOpen: true,
        })
+      } else if (e.response?.status === HttpStatusCode.TooManyRequests) {
+        setAlertContent({
+          messageI18nKey: 'too_many_requests',
+          severity: 'error',
+          alertOpen: true,
+        })
      } else {
        setAlertContent({
          messageI18nKey: 'unknown_error_alert',

--- a/client/src/services/authQueries.ts
+++ b/client/src/services/authQueries.ts
@@ -164,6 +164,8 @@ export const useLoginMutation = () => {
        //continue when the auth flow is clear
      } else if (status === HttpStatusCode.Unauthorized) {
        setAlertContent({ messageI18nKey: 'login_invalid_credentials', severity: 'error', alertOpen: true })
+      } else if (status === HttpStatusCode.TooManyRequests) {
+        setAlertContent({ messageI18nKey: 'too_many_requests', severity: 'error', alertOpen: true })
      } else {
        setAlertContent({ messageI18nKey: 'unknown_error_alert', severity: 'error', alertOpen: true })
      }

--- a/package-lock.json
+++ b/package-lock.json
--- a/package.json
+++ b/package.json
@@ -47,8 +47,8 @@
    "prettier": "^3.3.3"
  },
  "dependencies": {
-    "vcard4-ts": "^0.4.1",
    "byte-size": "^9.0.0",
-    "multer": "^1.4.5-lts.1"
+    "multer": "^1.4.5-lts.1",
+    "vcard4-ts": "^0.4.1"
  }
 }
--- a/server/locale/en/translation.json
+++ b/server/locale/en/translation.json
@@ -296,6 +296,7 @@
  "share_window": "Share window",
  "size": "File size:",
  "submit": "Submit",
+  "too_many_requests": "Too many attemps, please try again later.",
  "transfer_message": "Transfer message",
  "unauthorized_access": "Unauthorized access",
  "unknown_error_alert": "An unexpected error occurred. Please try again.",

--- a/server/package.json
+++ b/server/package.json
@@ -31,7 +31,8 @@
    "typedi": "^0.10.0",
    "vcard4-ts": "^0.4.1",
    "whatwg-url": "^14.0.0",
-    "ws": "^8.18.0"
+    "ws": "^8.18.0",
+    "express-rate-limit": "7.5.0"
  },
  "devDependencies": {
    "@types/cors": "^2.8.17",

--- a/server/src/routers/admin-router.ts
+++ b/server/src/routers/admin-router.ts
@@ -19,6 +19,7 @@ import argon2 from 'argon2'
 import envPaths from 'env-paths'
 import { Router } from 'express'
 import asyncHandler from 'express-async-handler'
+import rateLimit from 'express-rate-limit'
 import { ParamsDictionary, Request, Response } from 'express-serve-static-core'
 import fs from 'fs'
 import { readdir, stat } from 'fs/promises'
@@ -96,8 +97,16 @@ adminRouter.post('/adminWizardState', (req: Request<ParamsDictionary, AdminWizar
  res.sendStatus(HttpStatusCode.Ok)
 })
+const loginlimiter = rateLimit({
+  windowMs: 10 * 60 * 5000, // 5 minutes
+  max: 3, // Limit each IP to 3 requests per `window` (here, per 5 minutes)
+  standardHeaders: true, // Return rate limit info in the `RateLimit-*` headers
+  legacyHeaders: false, // Disable the `X-RateLimit-*` headers
+})
 adminRouter.post(
  '/login',
+  loginlimiter,
  asyncHandler(async (req: Request<ParamsDictionary, AccessToken | string, Partial<AdminCredentials>>, res) => {
    const { password } = req.body
    if (password === undefined) {

--- a/server/src/routers/auth-router.ts
+++ b/server/src/routers/auth-router.ts
@@ -18,21 +18,26 @@
 import argon2 from 'argon2'
 import { Router } from 'express'
 import asyncHandler from 'express-async-handler'
+import rateLimit from 'express-rate-limit'
 import { ParamsDictionary, Request } from 'express-serve-static-core'
 import { AccessToken, AccountDetails, HttpStatusCode, UserCredentials } from 'jami-web-common'
 import { Container } from 'typedi'
 import { Jamid } from '../jamid/jamid.js'
 import { NameRegistrationEndedState, RegistrationState } from '../jamid/state-enums.js'
+import { LoginGuard } from '../services/LoginGuard.js'
 import { Accounts } from '../storage/accounts.js'
 import { AdminAccount } from '../storage/admin-account.js'
 import { OpenIdProviders } from '../storage/openid-providers.js'
 import { clearGuest, clearGuests } from '../utils/guests.js'
 import { signJwt, signJwtWithExpiration } from '../utils/jwt.js'
 import { exchangeCodeForToken, exchangeTokenForUserInfo, getBase64Picture, getJwt } from '../utils/openid.js'
 const jamid = Container.get(Jamid)
 const accounts = Container.get(Accounts)
+const guard = new LoginGuard()
 const config = Container.get(AdminAccount)
 const providers = Container.get(OpenIdProviders)
 export const authRouter = Router()
@@ -106,8 +111,17 @@ authRouter.post(
    }
  }),
 )
+const loginlimiter = rateLimit({
+  windowMs: 10 * 60 * 5000, // 5 minutes
+  max: 10, // Limit each IP to 3 requests per `window` (here, per 5 minutes)
+  standardHeaders: true, // Return rate limit info in the `RateLimit-*` headers
+  legacyHeaders: false, // Disable the `X-RateLimit-*` headers
+})
 authRouter.post(
  '/login',
+  loginlimiter,
  asyncHandler(async (req: Request<ParamsDictionary, AccessToken | string, Partial<UserCredentials>>, res) => {
    const { username, password, authMethod } = req.body
@@ -193,18 +207,25 @@ authRouter.post(
        res.status(HttpStatusCode.NotFound).send('Password not found')
        return
      }
+      const JAMSAccountId = data.accountId
+      if (guard.isBlocked(JAMSAccountId)) {
+        res.status(HttpStatusCode.TooManyRequests).send('Too many login attempts')
+        return
+      }
      const isPasswordVerified = await argon2.verify(data.password, password)
      if (!isPasswordVerified) {
+        guard.setFailedLogin(JAMSAccountId)
        res.status(HttpStatusCode.Unauthorized).send('Incorrect password')
        return
      }
-      const JAMSAccountId = data.accountId
      if (JAMSAccountId === undefined) {
        res.status(HttpStatusCode.NotFound).send('Username not found')
        return
      }
      const jwt = await signJwt(JAMSAccountId)
+      guard.resetAttempts(JAMSAccountId)
      res.status(HttpStatusCode.Ok).send({ accessToken: jwt })
      return
    } else if (authMethod === 'local') {
@@ -225,6 +246,11 @@ authRouter.post(
        return
      }
+      if (guard.isBlocked(accountId)) {
+        res.status(HttpStatusCode.TooManyRequests).send('Too many login attempts')
+        return
+      }
      if (!('password' in data)) {
        res.status(HttpStatusCode.NotFound).send('Password not found')
        return
@@ -240,10 +266,12 @@ authRouter.post(
      }
      const isPasswordVerified = await argon2.verify(hashedPassword, password)
      if (!isPasswordVerified) {
+        guard.setFailedLogin(accountId)
        res.status(HttpStatusCode.Unauthorized).send('Incorrect password')
        return
      }
      const jwt = await signJwt(accountId)
+      guard.resetAttempts(accountId)
      res.status(HttpStatusCode.Ok).send({ accessToken: jwt })
    }
  }),

--- a/server/src/services/LoginGuard.ts
+++ b/server/src/services/LoginGuard.ts
+/*
+ * Copyright (C) 2022-2025 Savoir-faire Linux Inc.
+ *
+ * This program is free software; you can redistribute it and/or modify
+ * it under the terms of the GNU Affero General Public License as
+ * published by the Free Software Foundation; either version 3 of the
+ * License, or (at your option) any later version.
+ *
+ * This program is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+ * GNU Affero General Public License for more details.
+ *
+ * You should have received a copy of the GNU Affero General Public
+ * License along with this program.  If not, see
+ * <https://www.gnu.org/licenses/>.
+ */
+export class LoginGuard {
+  attempts: Map<string, { attempts: number; lastAttemptTime: number }>
+  maxLoginAttempts = 5
+  timeWindow = 60 * 25 * 1000 // 25 minutes in milliseconds
+  constructor() {
+    this.attempts = new Map<string, { attempts: number; lastAttemptTime: number }>()
+  }
+  setFailedLogin(account: string) {
+    if (this.isBlocked(account)) {
+      return
+    }
+    if (this.attempts.has(account)) {
+      this.attempts.get(account)!.attempts += 1
+      this.attempts.get(account)!.lastAttemptTime = Date.now()
+    } else {
+      this.attempts.set(account, { attempts: 1, lastAttemptTime: Date.now() })
+    }
+  }
+  isBlocked(account: string): boolean {
+    if (!this.attempts.has(account)) {
+      return false
+    }
+    const timeLeft = this.timeWindow - (Date.now() - this.attempts.get(account)!.lastAttemptTime)
+    if (timeLeft < 0) {
+      this.attempts.delete(account)
+      return false
+    }
+    if (this.attempts.get(account)!.attempts < this.maxLoginAttempts) {
+      return false
+    }
+    return true
+  }
+  resetAttempts(account: string) {
+    this.attempts.delete(account)
+  }
+}