feat: rate limit TOTP submissions

zcesur · zcesur · commit fbb76830e51d · 2025-04-11T01:57:53.000+03:00
diff --git a/lib/algora/application.ex b/lib/algora/application.ex
@@ -22,6 +22,7 @@ defmodule Algora.Application do
       Algora.Github.TokenPool,
       Algora.Github.Poller.RootSupervisor,
       Algora.ScreenshotQueue,
+      Algora.RateLimit,
       # Start to serve requests, typically the last entry
       AlgoraWeb.Endpoint,
       Algora.Stargazer,
diff --git a/lib/algora/rate_limit.ex b/lib/algora/rate_limit.ex
@@ -0,0 +1,4 @@
+defmodule Algora.RateLimit do
+  @moduledoc false
+  use Hammer, backend: :ets
+end
diff --git a/lib/algora_web/controllers/user_auth.ex b/lib/algora_web/controllers/user_auth.ex
@@ -382,4 +382,18 @@ defmodule AlgoraWeb.UserAuth do
       (NimbleTOTP.valid?(secret, code, period: totp_period(), time: time) or
          NimbleTOTP.valid?(secret, code, period: totp_period(), time: time - totp_period()))
   end
+
+  def verify_totp(rate_limit_key, secret, code) do
+    case Algora.RateLimit.hit(rate_limit_key, :timer.minutes(1), 5) do
+      {:allow, _} ->
+        if valid_totp?(secret, code) do
+          :ok
+        else
+          {:error, :invalid_totp}
+        end
+
+      {:deny, _} ->
+        {:error, :rate_limit_exceeded}
+    end
+  end
 end
diff --git a/lib/algora_web/live/onboarding/dev.ex b/lib/algora_web/live/onboarding/dev.ex
@@ -181,48 +181,54 @@ defmodule AlgoraWeb.Onboarding.DevLive do
 
   @impl true
   def handle_event("send_signup_code", %{"user" => %{"signup_code" => code}}, socket) do
-    if AlgoraWeb.UserAuth.valid_totp?(socket.assigns.secret, String.trim(code)) do
-      user_handle =
-        socket.assigns.email
-        |> String.replace(~r/[^a-zA-Z0-9]/, "-")
-        |> String.downcase()
-
-      email = socket.assigns.email
-
-      tech_stack = get_field(socket.assigns.info_form.source, :tech_stack) || []
-      intentions = get_field(socket.assigns.info_form.source, :intentions) || []
-
-      opts = [
-        tech_stack: tech_stack,
-        seeking_bounties: "bounties" in intentions,
-        seeking_contracts: "contracts" in intentions,
-        seeking_jobs: "jobs" in intentions
-      ]
-
-      {:ok, user} =
-        case Repo.get_by(User, email: email) do
-          nil ->
-            %User{
-              type: :individual,
-              last_context: "personal",
-              handle: Organizations.ensure_unique_handle(user_handle),
-              avatar_url: Algora.Util.get_gravatar_url(email)
-            }
-            |> User.signup_changeset(%{email: email})
-            |> User.generate_id()
-            |> change(opts)
-            |> Repo.insert()
-
-          existing_user ->
-            existing_user
-            |> change(opts)
-            |> Repo.update()
-        end
-
-      {:noreply, redirect(socket, to: AlgoraWeb.UserAuth.generate_login_path(user.email, socket.assigns[:return_to]))}
-    else
-      throttle()
-      {:noreply, put_flash(socket, :error, "Invalid signup code")}
+    case AlgoraWeb.UserAuth.verify_totp(socket.assigns.email, socket.assigns.secret, String.trim(code)) do
+      :ok ->
+        user_handle =
+          socket.assigns.email
+          |> String.replace(~r/[^a-zA-Z0-9]/, "-")
+          |> String.downcase()
+
+        email = socket.assigns.email
+
+        tech_stack = get_field(socket.assigns.info_form.source, :tech_stack) || []
+        intentions = get_field(socket.assigns.info_form.source, :intentions) || []
+
+        opts = [
+          tech_stack: tech_stack,
+          seeking_bounties: "bounties" in intentions,
+          seeking_contracts: "contracts" in intentions,
+          seeking_jobs: "jobs" in intentions
+        ]
+
+        {:ok, user} =
+          case Repo.get_by(User, email: email) do
+            nil ->
+              %User{
+                type: :individual,
+                last_context: "personal",
+                handle: Organizations.ensure_unique_handle(user_handle),
+                avatar_url: Algora.Util.get_gravatar_url(email)
+              }
+              |> User.signup_changeset(%{email: email})
+              |> User.generate_id()
+              |> change(opts)
+              |> Repo.insert()
+
+            existing_user ->
+              existing_user
+              |> change(opts)
+              |> Repo.update()
+          end
+
+        {:noreply, redirect(socket, to: AlgoraWeb.UserAuth.generate_login_path(user.email, socket.assigns[:return_to]))}
+
+      {:error, :rate_limit_exceeded} ->
+        throttle()
+        {:noreply, put_flash(socket, :error, "Too many attempts. Please try again later.")}
+
+      {:error, :invalid_totp} ->
+        throttle()
+        {:noreply, put_flash(socket, :error, "Invalid signup code")}
     end
   end
 
diff --git a/lib/algora_web/live/onboarding/org.ex b/lib/algora_web/live/onboarding/org.ex
@@ -376,20 +376,23 @@ defmodule AlgoraWeb.Onboarding.OrgLive do
     case changeset do
       %{valid?: true} = changeset ->
         code = get_field(changeset, :code)
+        email = get_field(socket.assigns.email_form.source, :email)
 
-        if AlgoraWeb.UserAuth.valid_totp?(socket.assigns.secret, String.trim(code)) do
-          {:noreply,
-           socket
-           |> LocalStore.assign_cached(:verification_form, to_form(changeset))
-           |> LocalStore.assign_cached(:code_valid?, true)
-           |> LocalStore.assign_cached(:step, :preferences)}
-        else
-          throttle()
-
-          {:noreply,
-           socket
-           |> LocalStore.assign_cached(:verification_form, to_form(changeset))
-           |> LocalStore.assign_cached(:code_valid?, false)}
+        case AlgoraWeb.UserAuth.verify_totp(email, socket.assigns.secret, String.trim(code)) do
+          :ok ->
+            {:noreply,
+             socket
+             |> LocalStore.assign_cached(:verification_form, to_form(changeset))
+             |> LocalStore.assign_cached(:code_valid?, true)
+             |> LocalStore.assign_cached(:step, :preferences)}
+
+          {:error, :rate_limit_exceeded} ->
+            throttle()
+            {:noreply, put_flash(socket, :error, "Too many attempts. Please try again later.")}
+
+          {:error, :invalid_totp} ->
+            throttle()
+            {:noreply, put_flash(socket, :error, "Invalid verification code")}
         end
 
       %{valid?: false} = changeset ->
diff --git a/lib/algora_web/live/org/dashboard_live.ex b/lib/algora_web/live/org/dashboard_live.ex
@@ -28,7 +28,6 @@ defmodule AlgoraWeb.Org.DashboardLive do
   alias AlgoraWeb.Forms.BountyForm
   alias AlgoraWeb.Forms.ContractForm
   alias AlgoraWeb.Forms.TipForm
-  alias Swoosh.Email
 
   require Logger
 
@@ -827,31 +826,37 @@ defmodule AlgoraWeb.Org.DashboardLive do
 
   @impl true
   def handle_event("send_login_code", %{"user" => %{"login_code" => code}}, socket) do
-    if AlgoraWeb.UserAuth.valid_totp?(socket.assigns.secret, String.trim(code)) do
-      handle =
-        socket.assigns.email
-        |> Organizations.generate_handle_from_email()
-        |> Organizations.ensure_unique_handle()
-
-      case Repo.get_by(User, email: socket.assigns.email) do
-        nil ->
-          {:ok, user} =
-            socket.assigns.current_user
-            |> Ecto.Changeset.change(handle: handle, email: socket.assigns.email)
-            |> Repo.update()
-
-          {:noreply,
-           socket
-           |> assign(:current_user, user)
-           |> assign_achievements()}
-
-        user ->
-          socket = switch_from_preview(socket, user)
-          {:noreply, socket}
-      end
-    else
-      throttle()
-      {:noreply, put_flash(socket, :error, "Invalid login code")}
+    case AlgoraWeb.UserAuth.verify_totp(socket.assigns.email, socket.assigns.secret, String.trim(code)) do
+      :ok ->
+        handle =
+          socket.assigns.email
+          |> Organizations.generate_handle_from_email()
+          |> Organizations.ensure_unique_handle()
+
+        case Repo.get_by(User, email: socket.assigns.email) do
+          nil ->
+            {:ok, user} =
+              socket.assigns.current_user
+              |> Ecto.Changeset.change(handle: handle, email: socket.assigns.email)
+              |> Repo.update()
+
+            {:noreply,
+             socket
+             |> assign(:current_user, user)
+             |> assign_achievements()}
+
+          user ->
+            socket = switch_from_preview(socket, user)
+            {:noreply, socket}
+        end
+
+      {:error, :rate_limit_exceeded} ->
+        throttle()
+        {:noreply, put_flash(socket, :error, "Too many attempts. Please try again later.")}
+
+      {:error, :invalid_totp} ->
+        throttle()
+        {:noreply, put_flash(socket, :error, "Invalid login code")}
     end
   end
 
diff --git a/lib/algora_web/live/sign_in_live.ex b/lib/algora_web/live/sign_in_live.ex
@@ -289,14 +289,22 @@ defmodule AlgoraWeb.SignInLive do
 
   @impl true
   def handle_event("send_login_code", %{"user" => %{"login_code" => code}}, socket) do
-    if AlgoraWeb.UserAuth.valid_totp?(socket.assigns.secret, String.trim(code)) do
-      Accounts.ensure_org_context(socket.assigns.user)
-
-      {:noreply,
-       redirect(socket, to: AlgoraWeb.UserAuth.generate_login_path(socket.assigns.user.email, socket.assigns[:return_to]))}
-    else
-      throttle()
-      {:noreply, put_flash(socket, :error, "Invalid login code")}
+    case AlgoraWeb.UserAuth.verify_totp(socket.assigns.user.email, socket.assigns.secret, String.trim(code)) do
+      :ok ->
+        Accounts.ensure_org_context(socket.assigns.user)
+
+        {:noreply,
+         redirect(socket,
+           to: AlgoraWeb.UserAuth.generate_login_path(socket.assigns.user.email, socket.assigns[:return_to])
+         )}
+
+      {:error, :rate_limit_exceeded} ->
+        throttle()
+        {:noreply, put_flash(socket, :error, "Too many attempts. Please try again later.")}
+
+      {:error, :invalid_totp} ->
+        throttle()
+        {:noreply, put_flash(socket, :error, "Invalid login code")}
     end
   end
 
diff --git a/mix.exs b/mix.exs
@@ -96,6 +96,7 @@ defmodule Algora.MixProject do
       {:plug_canonical_host, "~> 2.0"},
       {:timex, "~> 3.7"},
       {:yaml_elixir, "~> 2.9"},
+      {:hammer, "~> 7.0"},
       # ex_aws
       {:ex_aws, "~> 2.1"},
       {:ex_aws_s3, "~> 2.0"},
diff --git a/mix.lock b/mix.lock
@@ -39,6 +39,7 @@
   "floki": {:hex, :floki, "0.37.1", "d7aaee758c8a5b4a7495799a4260754fec5530d95b9c383c03b27359dea117cf", [:mix], [], "hexpm", "673d040cb594d31318d514590246b6dd587ed341d3b67e17c1c0eb8ce7ca6f04"},
   "gettext": {:hex, :gettext, "0.26.2", "5978aa7b21fada6deabf1f6341ddba50bc69c999e812211903b169799208f2a8", [:mix], [{:expo, "~> 0.5.1 or ~> 1.0", [hex: :expo, repo: "hexpm", optional: false]}], "hexpm", "aa978504bcf76511efdc22d580ba08e2279caab1066b76bb9aa81c4a1e0a32a5"},
   "hackney": {:hex, :hackney, "1.23.0", "55cc09077112bcb4a69e54be46ed9bc55537763a96cd4a80a221663a7eafd767", [:rebar3], [{:certifi, "~> 2.14.0", [hex: :certifi, repo: "hexpm", optional: false]}, {:idna, "~> 6.1.0", [hex: :idna, repo: "hexpm", optional: false]}, {:metrics, "~> 1.0.0", [hex: :metrics, repo: "hexpm", optional: false]}, {:mimerl, "~> 1.1", [hex: :mimerl, repo: "hexpm", optional: false]}, {:parse_trans, "3.4.1", [hex: :parse_trans, repo: "hexpm", optional: false]}, {:ssl_verify_fun, "~> 1.1.0", [hex: :ssl_verify_fun, repo: "hexpm", optional: false]}, {:unicode_util_compat, "~> 0.7.0", [hex: :unicode_util_compat, repo: "hexpm", optional: false]}], "hexpm", "6cd1c04cd15c81e5a493f167b226a15f0938a84fc8f0736ebe4ddcab65c0b44e"},
+  "hammer": {:hex, :hammer, "7.0.1", "136edcd81af44becbe6b73a958c109e2364ab0dc026d7b19892037dc2632078c", [:mix], [], "hexpm", "796edf14ab2aa80df72080210fcf944ee5e8868d8ece7a7511264d802f58cc2d"},
   "hpax": {:hex, :hpax, "1.0.2", "762df951b0c399ff67cc57c3995ec3cf46d696e41f0bba17da0518d94acd4aac", [:mix], [], "hexpm", "2f09b4c1074e0abd846747329eaa26d535be0eb3d189fa69d812bfb8bfefd32f"},
   "httpoison": {:hex, :httpoison, "2.2.1", "87b7ed6d95db0389f7df02779644171d7319d319178f6680438167d7b69b1f3d", [:mix], [{:hackney, "~> 1.17", [hex: :hackney, repo: "hexpm", optional: false]}], "hexpm", "51364e6d2f429d80e14fe4b5f8e39719cacd03eb3f9a9286e61e216feac2d2df"},
   "idna": {:hex, :idna, "6.1.1", "8a63070e9f7d0c62eb9d9fcb360a7de382448200fbbd1b106cc96d3d8099df8d", [:rebar3], [{:unicode_util_compat, "~> 0.7.0", [hex: :unicode_util_compat, repo: "hexpm", optional: false]}], "hexpm", "92376eb7894412ed19ac475e4a86f7b413c1b9fbb5bd16dccd57934157944cea"},
