Add separate player creation rate limiting (addresses @sydseter feedback)

immortal71 · immortal71 · commit 77d680e26872 · 2025-12-27T03:50:07.000-08:00
-->Added :player_creation action to RateLimiter with separate limits --> Default: 20 players per IP per hour (separate from game creation) --> Applied rate limiting to PlayerLive.FormComponent --> Added comprehensive tests for player creation limits --> Updated documentation with implementation details Fixes #1877
diff --git a/RATE_LIMITING_IMPLEMENTATION.md b/RATE_LIMITING_IMPLEMENTATION.md
@@ -0,0 +1,108 @@
+# Rate Limiting Implementation for Player Creation
+
+## Overview
+This implementation addresses GitHub Issue #1877 by adding IP-based rate limiting for player creation, separate from the existing game creation rate limit, to protect against CAPEC 212 (Functionality Misuse) attacks.
+
+## Changes Made
+
+### 1. Rate Limiter Module (`lib/copi/rate_limiter.ex`)
+
+**Added player_creation action:**
+- Updated `check_rate/2` to accept `:player_creation` action
+- Updated `record_action/2` to accept `:player_creation` action
+- Added player creation configuration with default limits:
+  - Maximum players per IP: 20
+  - Time window: 3600 seconds (1 hour)
+
+**Configuration:**
+```elixir
+player_creation: %{
+  max_requests: get_env(:max_players_per_ip, 20),
+  window_seconds: get_env(:player_creation_window_seconds, 3600)
+}
+```
+
+### 2. Player Form Component (`lib/copi_web/live/player_live/form_component.ex`)
+
+**Added rate limiting to player creation:**
+- Added `get_connect_ip/1` helper function to extract IP address from socket
+- Modified `save_player/3` for `:new` action to:
+  1. Get the connecting IP address
+  2. Check rate limit before creating player
+  3. Only create player if rate limit is not exceeded
+  4. Record the action after successful creation
+  5. Display user-friendly error message if rate limited
+
+**Error message shown to users:**
+```
+"Rate limit exceeded. Too many players created from your IP address. 
+Please try again in X seconds. This limit helps ensure service 
+availability for all users."
+```
+
+### 3. Tests (`test/copi/rate_limiter_test.exs`)
+
+**Added comprehensive test coverage:**
+- Test that player creation is allowed under the limit
+- Test that player creation is blocked when limit is exceeded
+- Test that player creation limit is separate from game creation limit
+- Updated configuration test to verify player_creation config exists
+
+## Key Features
+
+### Separate Limits
+The player creation rate limit is maintained **separately** from the game creation rate limit. This means:
+- An IP that has exhausted its game creation quota can still create players
+- An IP that has exhausted its player creation quota can still create games
+- Each limit is tracked independently in the GenServer state
+
+### Configurable Limits
+The limits can be configured via application environment:
+```elixir
+config :copi, Copi.RateLimiter,
+  max_players_per_ip: 20,
+  player_creation_window_seconds: 3600
+```
+
+### User-Friendly Error Handling
+When rate limited, users receive:
+- Clear explanation of why they were blocked
+- Time until they can try again (retry_after in seconds)
+- Explanation that this protects service availability
+
+## Security Benefits
+
+1. **CAPEC 212 Mitigation**: Prevents functionality misuse by limiting the rate of player creation from a single IP
+2. **DoS Protection**: Helps maintain service availability under attack
+3. **Resource Conservation**: Prevents database and system resource exhaustion
+4. **Granular Control**: Separate limits allow fine-tuned protection for different actions
+
+## Default Limits Summary
+
+| Action | Max Requests | Time Window |
+|--------|--------------|-------------|
+| Game Creation | 10 | 1 hour |
+| Player Creation | 20 | 1 hour |
+| Connection | 50 | 5 minutes |
+
+## Testing
+
+Run the test suite:
+```bash
+mix test test/copi/rate_limiter_test.exs
+```
+
+All tests should pass, including the new player creation rate limiting tests.
+
+## Future Enhancements
+
+As mentioned in the issue, if this is still insufficient, the next step would be:
+- Implement authentication
+- Associate rate limits with user accounts in addition to IP addresses
+- Track browser fingerprints along with IP addresses
+
+---
+
+**Issue Reference:** OWASP/cornucopia#1877  
+**Related Security Control:** CAPEC-212 (Functionality Misuse)  
+**Implemented by:** @immortal71
diff --git a/copi.owasp.org/lib/copi/rate_limiter.ex b/copi.owasp.org/lib/copi/rate_limiter.ex
@@ -2,7 +2,7 @@ defmodule Copi.RateLimiter do
   @moduledoc """
   Rate limiter to prevent abuse by limiting requests per IP address.
   
-  This module implements rate limiting for game creation and user connections
+  This module implements rate limiting for game creation, player creation, and user connections
   to protect against CAPEC 212 (Functionality Misuse) attacks.
   """
 
@@ -25,14 +25,14 @@ defmodule Copi.RateLimiter do
   
   Returns `{:ok, remaining}` if allowed, `{:error, :rate_limited, retry_after}` if blocked.
   """
-  def check_rate(ip_address, action) when action in [:game_creation, :connection] do
+  def check_rate(ip_address, action) when action in [:game_creation, :player_creation, :connection] do
     GenServer.call(__MODULE__, {:check_rate, ip_address, action})
   end
 
   @doc """
   Records a successful action for rate limiting tracking.
   """
-  def record_action(ip_address, action) when action in [:game_creation, :connection] do
+  def record_action(ip_address, action) when action in [:game_creation, :player_creation, :connection] do
     GenServer.cast(__MODULE__, {:record_action, ip_address, action})
   end
 
@@ -62,6 +62,10 @@ defmodule Copi.RateLimiter do
         max_requests: get_env(:max_games_per_ip, 10),
         window_seconds: get_env(:game_creation_window_seconds, 3600)
       },
+      player_creation: %{
+        max_requests: get_env(:max_players_per_ip, 20),
+        window_seconds: get_env(:player_creation_window_seconds, 3600)
+      },
       connection: %{
         max_requests: get_env(:max_connections_per_ip, 50),
         window_seconds: get_env(:connection_window_seconds, 300)
diff --git a/copi.owasp.org/lib/copi_web/live/player_live/form_component.ex b/copi.owasp.org/lib/copi_web/live/player_live/form_component.ex
@@ -74,23 +74,52 @@ defmodule CopiWeb.PlayerLive.FormComponent do
   end
 
   defp save_player(socket, :new, player_params) do
-    case Cornucopia.create_player(player_params) do
-      {:ok, player} ->
-
-        {:ok, updated_game} = Cornucopia.Game.find(socket.assigns.player.game_id)
-        CopiWeb.Endpoint.broadcast(topic(updated_game.id), "game:updated", updated_game)
-
+    # Get the IP address for rate limiting
+    ip_address = get_connect_ip(socket)
+    
+    # Check rate limit before creating player
+    case Copi.RateLimiter.check_rate(ip_address, :player_creation) do
+      {:ok, _remaining} ->
+        case Cornucopia.create_player(player_params) do
+          {:ok, player} ->
+            # Record the action after successful creation
+            Copi.RateLimiter.record_action(ip_address, :player_creation)
+
+            {:ok, updated_game} = Cornucopia.Game.find(socket.assigns.player.game_id)
+            CopiWeb.Endpoint.broadcast(topic(updated_game.id), "game:updated", updated_game)
+
+            {:noreply,
+             socket
+             |> assign(:game, updated_game)
+             |> push_navigate(to: ~p"/games/#{player.game_id}/players/#{player.id}")}
+
+          {:error, %Ecto.Changeset{} = changeset} ->
+            {:noreply, assign_form(socket, changeset)}
+        end
+        
+      {:error, :rate_limited, retry_after} ->
         {:noreply,
          socket
-         |> assign(:game, updated_game)
-         |> push_navigate(to: ~p"/games/#{player.game_id}/players/#{player.id}")}
-
-      {:error, %Ecto.Changeset{} = changeset} ->
-        {:noreply, assign_form(socket, changeset)}
+         |> put_flash(
+           :error,
+           "Rate limit exceeded. Too many players created from your IP address. " <>
+           "Please try again in #{retry_after} seconds. " <>
+           "This limit helps ensure service availability for all users."
+         )
+         |> assign_form(socket.assigns.form.source)}
     end
   end
 
   def topic(game_id) do
     "game:#{game_id}"
   end
+
+  defp get_connect_ip(socket) do
+    case get_connect_info(socket, :peer_data) do
+      %{address: {a, b, c, d}} -> "#{a}.#{b}.#{c}.#{d}"
+      %{address: {a, b, c, d, e, f, g, h}} -> 
+        "#{Integer.to_string(a, 16)}:#{Integer.to_string(b, 16)}:#{Integer.to_string(c, 16)}:#{Integer.to_string(d, 16)}:#{Integer.to_string(e, 16)}:#{Integer.to_string(f, 16)}:#{Integer.to_string(g, 16)}:#{Integer.to_string(h, 16)}"
+      _ -> "unknown"
+    end
+  end
 end
diff --git a/copi.owasp.org/test/copi/rate_limiter_test.exs b/copi.owasp.org/test/copi/rate_limiter_test.exs
@@ -96,6 +96,53 @@ defmodule Copi.RateLimiterTest do
     end
   end
 
+  describe "player creation rate limiting" do
+    test "allows player creation under the limit" do
+      ip = "192.168.2.1"
+      
+      assert {:ok, remaining} = RateLimiter.check_rate(ip, :player_creation)
+      assert remaining >= 0
+      
+      RateLimiter.record_action(ip, :player_creation)
+      
+      assert {:ok, _remaining} = RateLimiter.check_rate(ip, :player_creation)
+    end
+
+    test "blocks player creation over the limit" do
+      ip = "192.168.2.2"
+      config = RateLimiter.get_config()
+      max_players = config.player_creation.max_requests
+      
+      # Make max_requests number of player creations
+      for _i <- 1..max_players do
+        assert {:ok, _remaining} = RateLimiter.check_rate(ip, :player_creation)
+        RateLimiter.record_action(ip, :player_creation)
+      end
+      
+      # Next request should be blocked
+      assert {:error, :rate_limited, retry_after} = RateLimiter.check_rate(ip, :player_creation)
+      assert retry_after > 0
+    end
+
+    test "player creation limit is separate from game creation limit" do
+      ip = "192.168.2.3"
+      config = RateLimiter.get_config()
+      max_games = config.game_creation.max_requests
+      
+      # Exhaust game creation limit
+      for _i <- 1..max_games do
+        RateLimiter.check_rate(ip, :game_creation)
+        RateLimiter.record_action(ip, :game_creation)
+      end
+      
+      # Game creation should be blocked
+      assert {:error, :rate_limited, _} = RateLimiter.check_rate(ip, :game_creation)
+      
+      # Player creation should still be allowed (separate limit)
+      assert {:ok, _remaining} = RateLimiter.check_rate(ip, :player_creation)
+    end
+  end
+
   describe "rate limit window expiration" do
     test "allows requests after window expires" do
       ip = "192.168.100.1"
@@ -118,11 +165,15 @@ defmodule Copi.RateLimiterTest do
       
       assert is_map(config)
       assert Map.has_key?(config, :game_creation)
+      assert Map.has_key?(config, :player_creation)
       assert Map.has_key?(config, :connection)
       
       assert config.game_creation.max_requests > 0
       assert config.game_creation.window_seconds > 0
       
+      assert config.player_creation.max_requests > 0
+      assert config.player_creation.window_seconds > 0
+      
       assert config.connection.max_requests > 0
       assert config.connection.window_seconds > 0
     end
