Add ip-based rate limiting on all POST auth APIs.

This is an effort to improve abuse protection, e.g. sign-up bombing. Logins where already rate-limited on email address.

Author: ignatz

Cargo.lock

@@ -85,6 +85,7 @@ tokio = { workspace = true }
 tokio-rustls = { version = "0.26.1", default-features = false }
 tower = "0.5.0"
 tower-cookies = "0.11.0"
+tower_governor = { version = "0.8.0", default-features = false, features = ["axum"] }
 tower-http = { version = "^0.6.0", default-features = false, features = ["cors", "trace", "fs", "limit"] }
 tower-service = { version = "0.3.3", default-features = false }
 tracing = { workspace = true }

crates/core/Cargo.toml

@@ -75,7 +75,7 @@ pub async fn change_email_request_handler(
     const RATE_LIMIT_SEC: i64 = 10;
     let age: chrono::Duration = chrono::Utc::now() - timestamp;
     if age < chrono::Duration::seconds(RATE_LIMIT_SEC) {
-      return Err(AuthError::BadRequest("verification sent already"));
+      return Err(AuthError::TooManyRequests);
     }
   }
 

crates/core/src/auth/api/change_email.rs

@@ -282,7 +282,7 @@ pub async fn check_credentials(
     return AuthError::Unauthorized;
   })?;
 
-  // Validate password.
+  // Validates password and rate limits attempts.
   check_user_password(&db_user, password, state.demo_mode())?;
 
   return Ok(());
@@ -301,7 +301,7 @@ pub(crate) async fn login_with_password(
     return AuthError::Unauthorized;
   })?;
 
-  // Validate password.
+  // Validates password and rate limits attempts.
   check_user_password(&db_user, password, state.demo_mode())?;
 
   let user_id = db_user.uuid();

crates/core/src/auth/api/login.rs

@@ -58,7 +58,7 @@ pub async fn reset_password_request_handler(
 
     let age: chrono::Duration = chrono::Utc::now() - timestamp;
     if age < chrono::Duration::seconds(RATE_LIMIT_SEC) {
-      return Err(AuthError::BadRequest("Password reset sent already"));
+      return Err(AuthError::TooManyRequests);
     }
   }
 

crates/core/src/auth/api/reset_password.rs

@@ -47,7 +47,7 @@ pub async fn request_email_verification_handler(
 
     let age: chrono::Duration = chrono::Utc::now() - timestamp;
     if age < chrono::Duration::seconds(RATE_LIMIT_SEC) {
-      return Err(AuthError::BadRequest("verification sent already"));
+      return Err(AuthError::BadRequest("verification already sent"));
     }
   }
 

crates/core/src/auth/api/verify_email.rs

@@ -20,6 +20,8 @@ pub enum AuthError {
   OAuthProviderNotFound,
   #[error("Bad request: {0}")]
   BadRequest(&'static str),
+  #[error("Too many requests")]
+  TooManyRequests,
   #[error("Failed dependency: {0}")]
   FailedDependency(Box<dyn std::error::Error + Send + Sync>),
   #[error("Internal: {0}")]
@@ -71,6 +73,7 @@ impl IntoResponse for AuthError {
       Self::NotFound => (StatusCode::NOT_FOUND, None),
       Self::OAuthProviderNotFound => (StatusCode::METHOD_NOT_ALLOWED, None),
       Self::BadRequest(msg) => (StatusCode::BAD_REQUEST, Some(msg.to_string())),
+      Self::TooManyRequests => (StatusCode::TOO_MANY_REQUESTS, None),
       Self::FailedDependency(err) if cfg!(debug_assertions) => {
         (StatusCode::FAILED_DEPENDENCY, Some(err.to_string()))
       }

crates/core/src/auth/error.rs

@@ -105,7 +105,7 @@ pub fn check_user_password(
   let attempts = ATTEMPTS.get(&db_user.email);
 
   if !is_demo && attempts.as_ref().map(|a| a.tries).unwrap_or(0) >= LOGIN_RATE_LIMIT {
-    return Err(AuthError::Unauthorized);
+    return Err(AuthError::TooManyRequests);
   }
 
   let parsed_hash = PasswordHash::new(&db_user.password_hash)

crates/core/src/auth/password.rs

@@ -0,0 +1,53 @@
+use axum::extract::ConnectInfo;
+use axum::http::Request;
+use std::net::IpAddr;
+use tower_governor::GovernorError;
+use tower_governor::key_extractor::KeyExtractor;
+
+pub fn extract_ip<T>(req: &Request<T>) -> Option<std::net::IpAddr> {
+  let headers = req.headers();
+
+  // NOTE: This code is mimicking axum_client_ip's pre v1 `InsecureClientIp::from`:
+  return client_ip::rightmost_x_forwarded_for(headers)
+    .or_else(|_| client_ip::x_real_ip(headers))
+    .or_else(|_| client_ip::fly_client_ip(headers))
+    .or_else(|_| client_ip::true_client_ip(headers))
+    .or_else(|_| client_ip::cf_connecting_ip(headers))
+    .or_else(|_| client_ip::cloudfront_viewer_address(headers))
+    .ok()
+    .or_else(|| {
+      req
+        .extensions()
+        .get::<ConnectInfo<std::net::SocketAddr>>()
+        .map(|ConnectInfo(addr)| addr.ip())
+    });
+}
+
+#[derive(Debug, Clone)]
+pub struct RealIpKeyExtractor;
+
+impl KeyExtractor for RealIpKeyExtractor {
+  type Key = IpAddr;
+
+  fn extract<T>(&self, req: &Request<T>) -> Result<Self::Key, GovernorError> {
+    return extract_ip(req).ok_or_else(|| GovernorError::UnableToExtractKey);
+  }
+
+  // fn name(&self) -> &'static str {
+  //   "smart IP"
+  // }
+
+  // fn key_name(&self, key: &Self::Key) -> Option<String> {
+  //   Some(key.to_string())
+  // }
+}
+
+#[allow(unused)]
+pub fn ipv6_privacy_mask(ip: IpAddr) -> IpAddr {
+  return match ip {
+    IpAddr::V4(ip) => IpAddr::V4(ip),
+    IpAddr::V6(ip) => IpAddr::V6(From::from(
+      ip.to_bits() & 0xFFFF_FFFF_FFFF_FFFF_0000_0000_0000_0000,
+    )),
+  };
+}

crates/core/src/extract/ip.rs

@@ -1,4 +1,5 @@
 mod either;
+pub mod ip;
 mod multipart;
 pub mod protobuf;