Basic rate limiting for email notifications (#6)

* Basic rate limiting for email notifications

* review fixes, real ip check, check sender and receiver npub

Author: zupzup

src/main.rs

@@ -1,6 +1,7 @@
 mod blossom;
 mod db;
 mod notification;
+mod rate_limit;
 mod relay;
 mod util;
 
@@ -20,18 +21,22 @@ use clap::Parser;
 use nostr::types::Url;
 use nostr_relay_builder::LocalRelay;
 use relay::RelayConfig;
+use tokio::sync::Mutex;
 use tower_http::{
     cors::{Any, CorsLayer},
     services::ServeDir,
 };
 use tracing::{error, info};
 
-use crate::notification::{
-    email::{
-        mailjet::{MailjetConfig, MailjetService},
-        EmailService,
+use crate::{
+    notification::{
+        email::{
+            mailjet::{MailjetConfig, MailjetService},
+            EmailService,
+        },
+        notification_store::NotificationStoreApi,
     },
-    notification_store::NotificationStoreApi,
+    rate_limit::RateLimiter,
 };
 
 #[tokio::main]
@@ -120,6 +125,7 @@ struct AppState {
     pub file_store: Arc<dyn FileStoreApi>,
     pub notification_store: Arc<dyn NotificationStoreApi>,
     pub email_service: Arc<dyn EmailService>,
+    pub rate_limiter: Arc<Mutex<RateLimiter>>,
 }
 
 impl AppState {
@@ -142,6 +148,7 @@ impl AppState {
             file_store: store.clone(),
             notification_store: store,
             email_service: Arc::new(email_service),
+            rate_limiter: Arc::new(Mutex::new(RateLimiter::new())),
         })
     }
 }

src/notification/mod.rs

@@ -18,6 +18,7 @@ use crate::{
         email::{build_email_confirmation_message, build_email_notification_message},
         preferences::{PreferencesContextContentFlag, PreferencesFlags},
     },
+    rate_limit::RealIp,
     util::{self, get_logo_link},
     AppState,
 };
@@ -150,6 +151,7 @@ pub struct ChangePreferencesReq {
 /// Send back a random challenge to the caller, which we expect to be signed with their npub to validate
 /// the request actually comes from the given npub
 pub async fn start(
+    RealIp(ip): RealIp,
     State(state): State<AppState>,
     Json(payload): Json<NotificationStartReq>,
 ) -> impl IntoResponse {
@@ -162,6 +164,22 @@ pub async fn start(
             .into_response();
     }
 
+    let mut rate_limiter = state.rate_limiter.lock().await;
+    let allowed = rate_limiter.check(&ip.to_string(), None, None, Some(&payload.npub));
+    drop(rate_limiter);
+    if !allowed {
+        warn!(
+            "Rate limited req from {} with npub {}",
+            &ip.to_string(),
+            &payload.npub
+        );
+        return (
+            StatusCode::TOO_MANY_REQUESTS,
+            Json(ErrorResp::new("Please try again later")),
+        )
+            .into_response();
+    }
+
     let mut random_bytes = [0u8; 32];
     rand::thread_rng().fill_bytes(&mut random_bytes);
     let challenge = hex::encode(random_bytes);
@@ -187,6 +205,7 @@ pub async fn start(
 /// We validate npub, email and signed challenge. If everything is OK, we send a confirmation email
 /// and we create a stub for email preferences with a token to change them later
 pub async fn register(
+    RealIp(ip): RealIp,
     State(state): State<AppState>,
     Json(payload): Json<NotificationRegisterReq>,
 ) -> impl IntoResponse {
@@ -214,6 +233,28 @@ pub async fn register(
             .into_response();
     }
 
+    let mut rate_limiter = state.rate_limiter.lock().await;
+    let allowed = rate_limiter.check(
+        &ip.to_string(),
+        Some(&payload.email),
+        None,
+        Some(&payload.npub),
+    );
+    drop(rate_limiter);
+    if !allowed {
+        warn!(
+            "Rate limited req from {} with npub {} and email {}",
+            &ip.to_string(),
+            &payload.npub,
+            &payload.email,
+        );
+        return (
+            StatusCode::TOO_MANY_REQUESTS,
+            Json(ErrorResp::new("Please try again later")),
+        )
+            .into_response();
+    }
+
     let challenge = match state
         .notification_store
         .get_challenge_for_npub(&payload.npub)
@@ -350,6 +391,7 @@ pub async fn register(
 }
 
 pub async fn send(
+    RealIp(ip): RealIp,
     State(state): State<AppState>,
     Json(req): Json<NotificationSendReq>,
 ) -> impl IntoResponse {
@@ -376,6 +418,27 @@ pub async fn send(
         }
     };
 
+    let mut rate_limiter = state.rate_limiter.lock().await;
+    let allowed = rate_limiter.check(
+        &ip.to_string(),
+        None,
+        Some(&payload.sender),
+        Some(&payload.receiver),
+    );
+    drop(rate_limiter);
+    if !allowed {
+        warn!(
+            "Rate limited req from {} with npub {}",
+            &ip.to_string(),
+            &payload.receiver
+        );
+        return (
+            StatusCode::TOO_MANY_REQUESTS,
+            Json(ErrorResp::new("Please try again later")),
+        )
+            .into_response();
+    }
+
     let notification_type = match PreferencesFlags::from_name(&payload.kind) {
         Some(nt) => nt,
         None => {

src/rate_limit.rs

@@ -0,0 +1,177 @@
+use axum::{
+    extract::{ConnectInfo, FromRequestParts},
+    http::{request::Parts, StatusCode},
+};
+use chrono::{DateTime, Duration, Utc};
+use std::{
+    collections::{HashMap, VecDeque},
+    net::{IpAddr, SocketAddr},
+};
+
+/// How often do we allow the same ip in the time frame
+const IP_LIMIT: usize = 100;
+const IP_WINDOW: Duration = Duration::seconds(10 * 60); // 10 minutes
+
+/// How often do we allow the same email to be registered in the time frame
+const EMAIL_LIMIT: usize = 30;
+const EMAIL_WINDOW: Duration = Duration::seconds(24 * 3600); //  1 day
+
+/// How often do we allow the same npub in the time frame
+const NPUB_LIMIT: usize = 100;
+const NPUB_WINDOW: Duration = Duration::seconds(10 * 60); // 10 minutes
+
+const MAX_IDLE: Duration = Duration::seconds(24 * 3600); // remove after 24h idle
+const PRUNE_INTERVAL: Duration = Duration::seconds(10 * 60); // check every 10 minutes
+
+#[derive(Debug)]
+struct SlidingWindow {
+    hits: VecDeque<DateTime<Utc>>,
+    window: Duration,
+    limit: usize,
+    last_seen: DateTime<Utc>,
+}
+
+impl SlidingWindow {
+    fn new(limit: usize, window: Duration) -> Self {
+        Self {
+            hits: VecDeque::with_capacity(limit),
+            window,
+            limit,
+            last_seen: Utc::now(),
+        }
+    }
+
+    fn allow(&mut self, now: DateTime<Utc>) -> bool {
+        // Remove expired hits
+        while let Some(&ts) = self.hits.front() {
+            if now - ts > self.window {
+                self.hits.pop_front();
+            } else {
+                break;
+            }
+        }
+        self.last_seen = now;
+
+        if self.hits.len() < self.limit {
+            self.hits.push_back(now);
+            true
+        } else {
+            false
+        }
+    }
+}
+
+#[derive(Debug)]
+pub struct RateLimiter {
+    by_ip: HashMap<String, SlidingWindow>,
+    by_email: HashMap<String, SlidingWindow>,
+    by_npub_sender: HashMap<String, SlidingWindow>,
+    by_npub_receiver: HashMap<String, SlidingWindow>,
+    last_prune: DateTime<Utc>,
+}
+
+impl RateLimiter {
+    pub fn new() -> Self {
+        Self {
+            by_ip: HashMap::new(),
+            by_email: HashMap::new(),
+            by_npub_sender: HashMap::new(),
+            by_npub_receiver: HashMap::new(),
+            last_prune: Utc::now(),
+        }
+    }
+
+    /// Check if the request is allowed
+    /// There is always an IP, but not always an email, or npub - everything that's set has to be allowed
+    /// The values are expected to be validated before getting in here
+    pub fn check(
+        &mut self,
+        ip: &str,
+        email: Option<&str>,
+        npub_sender: Option<&str>,
+        npub_receiver: Option<&str>,
+    ) -> bool {
+        let now = Utc::now();
+        self.prune_if_needed(now);
+
+        let ip_ok = self
+            .by_ip
+            .entry(ip.to_string())
+            .or_insert_with(|| SlidingWindow::new(IP_LIMIT, IP_WINDOW))
+            .allow(now);
+
+        let email_ok = if let Some(email) = email {
+            let key = email.to_lowercase();
+            self.by_email
+                .entry(key)
+                .or_insert_with(|| SlidingWindow::new(EMAIL_LIMIT, EMAIL_WINDOW))
+                .allow(now)
+        } else {
+            true // no email provided -> skip check
+        };
+
+        let npub_sender_ok = if let Some(npub) = npub_sender {
+            self.by_npub_sender
+                .entry(npub.to_string())
+                .or_insert_with(|| SlidingWindow::new(NPUB_LIMIT, NPUB_WINDOW))
+                .allow(now)
+        } else {
+            true // no sender npub provided -> skip check
+        };
+
+        let npub_receiver_ok = if let Some(npub) = npub_receiver {
+            self.by_npub_receiver
+                .entry(npub.to_string())
+                .or_insert_with(|| SlidingWindow::new(NPUB_LIMIT, NPUB_WINDOW))
+                .allow(now)
+        } else {
+            true // no received npub provided -> skip check
+        };
+
+        ip_ok && email_ok && npub_sender_ok && npub_receiver_ok
+    }
+
+    /// Every PRUNE_INTERVAL, remove outdated entries
+    fn prune_if_needed(&mut self, now: DateTime<Utc>) {
+        if now - self.last_prune < PRUNE_INTERVAL {
+            return;
+        }
+
+        self.last_prune = now;
+
+        // only keep recent entries
+        self.by_ip.retain(|_, win| now - win.last_seen <= MAX_IDLE);
+        self.by_email
+            .retain(|_, win| now - win.last_seen <= MAX_IDLE);
+        self.by_npub_sender
+            .retain(|_, win| now - win.last_seen <= MAX_IDLE);
+    }
+}
+
+pub struct RealIp(pub IpAddr);
+
+impl<S> FromRequestParts<S> for RealIp
+where
+    S: Send + Sync,
+{
+    type Rejection = (StatusCode, &'static str);
+
+    async fn from_request_parts(parts: &mut Parts, _state: &S) -> Result<Self, Self::Rejection> {
+        // Check X-FORWARDED-FOR header and take the first value for gcp as per
+        // https://cloud.google.com/functions/docs/reference/headers#x-forwarded-for
+        if let Some(forwarded) = parts.headers.get("x-forwarded-for")
+            && let Ok(s) = forwarded.to_str()
+            && let Some(ip_str) = s.split(',').next()
+            && let Ok(ip) = ip_str.trim().parse()
+        {
+            return Ok(RealIp(ip));
+        }
+
+        // Fallback to socket addr for local dev
+        if let Some(addr) = parts.extensions.get::<ConnectInfo<SocketAddr>>() {
+            return Ok(RealIp(addr.ip()));
+        }
+
+        Err((StatusCode::BAD_REQUEST, "No request IP"))
+    }
+}