Add rate limiting for /password-reset endpoint (#80)

mahnuh · web-flow · commit d780f47e6e29 · 2023-11-21T12:11:23.000+01:00
* Add rate limiting for /password-reset endpoint

* 0.20.1-0

* check whether token matches, activate config in test

* fix failing test by providing email

* 0.20.1-1

* document the changes

---------

Co-authored-by: Fynn Leitow
diff --git a/CHANGELOG.md b/CHANGELOG.md
@@ -1,5 +1,13 @@
 ## Change Log
 
+#### 0.20.X: Brute force protection
+
+##### 0.20.1
+- :sparkles: if `security.passwordResetRateLimit` is set, password reset request are rate limited per username/email and the correct username/email must be included in the password reset requests
+- :bug: sporadic session creation errors are fixed
+
+##### 0.20.0
+- :sparkles: if `security.loginRateLimit` is set, login requests are rate limited per username/email
 
 #### 0.19.X: Token validation idempotency
 
diff --git a/README.md b/README.md
@@ -376,7 +376,7 @@ It's easy to add custom fields to user documents. When added to a `profile` fiel
 
 ## Brute force protection
 
-To enable brute force protection for the `/login` route you just need to add `loginRateLimit: {}` to `security` in your `config`. Adding just the empty object uses following defaults that can be overriden as needed:
+To enable brute force protection for the `/login` route you just need to add `loginRateLimit: {}` to `security` in your `config`. The same goes for the `/password-reset` route, where you just need to add `passwordResetRateLimit: {}` accordingly. Adding just the empty object uses following defaults that can be overriden as needed:
 
 ```ts
 const config {
@@ -406,6 +406,7 @@ couch-auth uses [express-slow-down](https://www.npmjs.com/package/express-slow-d
 
 ### Important notes:
 - You won't be able to override the keyGenerator option, as we use usernameField from the config.
+- When activating rate limiting for the `/password-reset` route, `username` field is required in the request body!
 - If you want to use Redis Store instead of Memory Store you currently need to use [rate-limit-redis@2x](https://github.com/wyattjoh/rate-limit-redis/tree/v2.1.0) for now [due to known issues](https://github.com/express-rate-limit/express-slow-down/issues/40#issuecomment-1548011953) with newer versions of rate-limit-redis.
 
 ## Advanced Configuration
@@ -481,6 +482,8 @@ forgot-password `token` and new password
 ##### `POST /password-reset`
 
 Resets the password. Required fields: `token`, `password`, and `confirmPassword`.
+If `security.passwordResetRateLimit` is set, `username` (or your configured 
+username field) must be provided as for `/login`.
 
 ##### `POST /password-change`
 
diff --git a/package-lock.json b/package-lock.json
diff --git a/package.json b/package.json
@@ -1,6 +1,6 @@
 {
   "name": "@perfood/couch-auth",
-  "version": "0.20.0",
+  "version": "0.20.1-1",
   "description": "Easy and secure authentication for CouchDB/Cloudant. Based on SuperLogin, updated and rewritten in Typescript.",
   "main": "./lib/index.js",
   "files": [
diff --git a/src/routes.ts b/src/routes.ts
@@ -232,9 +232,50 @@ export default function (
       }
     );
 
-  if (!disabled.includes('password-reset'))
+  if (!disabled.includes('password-reset')) {
+    const speedLimiter = slowDown({
+      windowMs:
+        config.security.passwordResetRateLimit?.windowMs || 5 * 60 * 1000,
+      delayAfter: config.security.passwordResetRateLimit?.delayAfter || 3,
+      delayMs: config.security.passwordResetRateLimit
+        ? config.security.passwordResetRateLimit.delayMs || 500
+        : 0,
+      maxDelayMs: config.security.passwordResetRateLimit?.maxDelayMs || 10000,
+      skipSuccessfulRequests:
+        config.security.passwordResetRateLimit?.skipSuccessfulRequests || true,
+      skipFailedRequests:
+        config.security.passwordResetRateLimit?.skipFailedRequests || false,
+      keyGenerator: function (req) {
+        const usernameField = config.local.usernameField || 'username';
+
+        return req.body[usernameField];
+      },
+      onLimitReached:
+        config.security.passwordResetRateLimit?.onLimitReached ||
+        function () {},
+      store: config.security.passwordResetRateLimit?.store || undefined,
+      headers: config.security.passwordResetRateLimit?.headers || false
+    });
+
     router.post(
       '/password-reset',
+      function (req: Request, res: Response, next: NextFunction) {
+        if (!config.security.passwordResetRateLimit) {
+          return next();
+        }
+
+        const usernameField = config.local.usernameField || 'username';
+
+        if (!req.body[usernameField]) {
+          return next({
+            error: 'username required',
+            status: 422
+          });
+        }
+
+        return next();
+      },
+      speedLimiter,
       function (req: Request, res: Response, next: NextFunction) {
         user.resetPassword(req.body, req).then(
           function (currentUser) {
@@ -264,6 +305,7 @@ export default function (
         );
       }
     );
+  }
 
   if (!disabled.includes('password-change'))
     router.post(
diff --git a/src/types/config.ts b/src/types/config.ts
@@ -99,6 +99,7 @@ export interface SecurityConfig {
    */
   forwardErrors?: boolean;
   loginRateLimit?: ExpressSlowDownOptions;
+  passwordResetRateLimit?: ExpressSlowDownOptions;
 }
 
 export interface LengthConstraint {
diff --git a/src/user.ts b/src/user.ts
@@ -28,15 +28,15 @@ import {
 } from './types/typings';
 import { DbManager } from './user/DbManager';
 import {
-  arrayUnion,
   EMAIL_REGEXP,
+  URLSafeUUID,
+  USER_REGEXP,
+  arrayUnion,
   extractCurrentConsents,
   getSessionKey,
   hashToken,
   hyphenizeUUID,
   removeHyphens,
-  URLSafeUUID,
-  USER_REGEXP,
   verifyConsentUpdate,
   verifySessionConfigRoles
 } from './util';
@@ -792,6 +792,20 @@ export class User {
     if (user.forgotPassword.expires < Date.now()) {
       return Promise.reject({ status: 400, error: 'Token expired' });
     }
+
+    if (this.config.security.passwordResetRateLimit) {
+      const username = form[this.config.local.usernameField || 'username'];
+      if (!username) {
+        throw { status: 400, error: 'Invalid token' };
+      }
+      const slUser = await this.getUser(
+        form[this.config.local.usernameField || 'username']
+      );
+      if (user._id !== slUser._id) {
+        throw { status: 400, error: 'Invalid token' };
+      }
+    }
+
     const hash = await this.hashPassword(form.password);
 
     if (!user.local) {
diff --git a/test/test.config.ts b/test/test.config.ts
@@ -22,7 +22,10 @@ export const config = {
   },
   security: {
     disabledRoutes: [],
-    userActivityLogSize: 10
+    userActivityLogSize: 10,
+    passwordResetRateLimit: {
+      delayMs: 500
+    }
   },
   local: {
     sendConfirmEmail: true,
diff --git a/test/test.spec.ts b/test/test.spec.ts
@@ -309,6 +309,7 @@ describe('SuperLogin', function () {
             .post(server + '/auth/password-reset')
             .send({
               token: resetToken,
+              username: newUser.email,
               password: 'newpass1',
               confirmPassword: 'newpass1'
             })

Original file line number	Diff line number	Diff line change
`@@ -1,6 +1,6 @@`
`1`	`1`	`{`
`2`	`2`	`"name": "@perfood/couch-auth",`
`3`		`- "version": "0.20.0",`
	`3`	`+ "version": "0.20.1-1",`
`4`	`4`	`"description": "Easy and secure authentication for CouchDB/Cloudant. Based on SuperLogin, updated and rewritten in Typescript.",`
`5`	`5`	`"main": "./lib/index.js",`
`6`	`6`	`"files": [`
Original file line number	Diff line number	Diff line change
`@@ -99,6 +99,7 @@ export interface SecurityConfig {`
`99`	`99`	`*/`
`100`	`100`	`forwardErrors?: boolean;`
`101`	`101`	`loginRateLimit?: ExpressSlowDownOptions;`
	`102`	`+ passwordResetRateLimit?: ExpressSlowDownOptions;`
`102`	`103`	`}`
`103`	`104`
`104`	`105`	`export interface LengthConstraint {`