From f1ee0663214550a2f85838640d2cf599cf857371 Mon Sep 17 00:00:00 2001
From: Evert Prants
Date: Sat, 3 Dec 2022 11:25:49 +0200
Subject: [PATCH] add throttling to login and register forms

---
 src/guards/login-antispam.guard.ts | 56 +++++++++++++++++++
 .../ssr-front-end/login/login.controller.ts | 3 +
 .../register/register.controller.ts | 3 +
 .../utility/services/iplimit.service.ts | 47 ++++++++++++++++
 src/modules/utility/utility.module.ts | 10 +++-
 5 files changed, 118 insertions(+), 1 deletion(-)
 create mode 100644 src/guards/login-antispam.guard.ts
 create mode 100644 src/modules/utility/services/iplimit.service.ts

diff --git a/src/guards/login-antispam.guard.ts b/src/guards/login-antispam.guard.ts
new file mode 100644
index 0000000..48dfbc0
--- /dev/null
+++ b/src/guards/login-antispam.guard.ts
@@ -0,0 +1,56 @@
+import {
+  Injectable,
+  CanActivate,
+  ExecutionContext,
+  HttpException,
+} from '@nestjs/common';
+import { Request } from 'express';
+import { AuditAction } from 'src/modules/objects/audit/audit.enum';
+import { AuditService } from 'src/modules/objects/audit/audit.service';
+import { IPLimitService } from 'src/modules/utility/services/iplimit.service';
+
+@Injectable()
+export class LoginAntispamGuard implements CanActivate {
+  constructor(private iplimit: IPLimitService, private audit: AuditService) {}
+
+  async canActivate(context: ExecutionContext): Promise {
+    const request = context.switchToHttp().getRequest();
+
+    if (['GET', 'OPTIONS'].includes(request.method)) return true;
+
+    const known = this.iplimit.getAddressLimit(request.ip);
+    if (known && known.attempts >= 3) {
+      if (known.attempts >= 5) {
+        let reported = false;
+        if (!known.reported) {
+          reported = true;
+          await this.audit.insertAudit(
+            AuditAction.THROTTLE,
+            `antispam-guard ${known.attempts} attempts`,
+            undefined,
+            request.ip,
+            request.header('user-agent'),
+          );
+        }
+
+        const limitMinutes = known.attempts > 10 ? 30 : 10; // Half-Hour
+        this.iplimit.limitUntil(request.ip, limitMinutes * 60 * 1000, reported);
+
+        await new Promise((resolve) =>
+          setTimeout(resolve, known.attempts * 1000),
+        );
+
+        throw new HttpException(
+          `Too Many Requests. Try again in ${limitMinutes} minutes.`,
+          429,
+        );
+      }
+
+      await new Promise((resolve) => setTimeout(resolve, 1000));
+    }
+
+    this.iplimit.limitUntil(request.ip, 30 * 1000); // 30 seconds
+
+    return true;
+  }
+}
diff --git a/src/modules/ssr-front-end/login/login.controller.ts b/src/modules/ssr-front-end/login/login.controller.ts
index 4173dba..c851fd2 100644
--- a/src/modules/ssr-front-end/login/login.controller.ts
+++ b/src/modules/ssr-front-end/login/login.controller.ts
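Review bot: The penalty sleep `setTimeout(resolve, known.attempts * 1000)` in the `known.attempts >= 5` branch grows without bound, because `limitUntil` increments `attempts` on every request for as long as the address stays blocked, so a client that keeps retrying holds each connection open for `attempts` seconds — a cost to this server's connection pool, not to the sender. Cap it, e.g. `setTimeout(resolve, Math.min(known.attempts, 10) * 1000)`, or drop the delay once the 429 is being thrown anyway. The guard keys on `request.ip`, whose value behind a reverse proxy depends on Express's `trust proxy` setting, which this patch does not show: without it every client shares the proxy's address and the 10/30-minute lockout hits all of them, while an overly broad setting lets the caller choose the address that is counted. A short header comment stating that attempts are counted per IP on every non-GET request, are never reset by a successful login, and live in process memory (see `IPLimitService`) would make those trade-offs explicit. The `Promise {` return type and `getRequest()` appear to have lost their type arguments in this rendering (presumably `Promise<boolean>` and `getRequest<Request>()`), so the seemingly unused `Request` import is likely an artifact rather than a defect.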
@@ -8,10 +8,12 @@ import {
   Req,
   Res,
   Session,
+  UseGuards,
 } from '@nestjs/common';
 import { Throttle } from '@nestjs/throttler';
 import { Request, Response } from 'express';
 import { SessionData } from 'express-session';
+import { LoginAntispamGuard } from 'src/guards/login-antispam.guard';
 import { AuditAction } from 'src/modules/objects/audit/audit.enum';
 import { AuditService } from 'src/modules/objects/audit/audit.service';
 import {
@@ -33,6 +35,7 @@ interface VerifyChallenge {
 }
 
 @Controller('/login')
+@UseGuards(LoginAntispamGuard)
 export class LoginController {
   constructor(
     private readonly userService: UserService,
diff --git a/src/modules/ssr-front-end/register/register.controller.ts b/src/modules/ssr-front-end/register/register.controller.ts
index 50bd17a..f872c08 100644
--- a/src/modules/ssr-front-end/register/register.controller.ts
+++ b/src/modules/ssr-front-end/register/register.controller.ts
@@ -8,9 +8,11 @@ import {
   Req,
   Res,
   UnauthorizedException,
+  UseGuards,
 } from '@nestjs/common';
 import { Throttle } from '@nestjs/throttler';
 import { Request, Response } from 'express';
+import { LoginAntispamGuard } from 'src/guards/login-antispam.guard';
 import { ConfigurationService } from 'src/modules/config/config.service';
 import { AuditAction } from 'src/modules/objects/audit/audit.enum';
 import { AuditService } from 'src/modules/objects/audit/audit.service';
@@ -19,6 +21,7 @@ import { FormUtilityService } from 'src/modules/utility/services/form-utility.se
 import { RegisterDto } from './register.interfaces';
 
 @Controller('/register')
+@UseGuards(LoginAntispamGuard)
 export class RegisterController {
   constructor(
     private readonly userService: UserService,
diff --git a/src/modules/utility/services/iplimit.service.ts b/src/modules/utility/services/iplimit.service.ts
new file mode 100644
index 0000000..8c1f14d
--- /dev/null
+++ b/src/modules/utility/services/iplimit.service.ts
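Review bot: The `@UseGuards(LoginAntispamGuard)` added at class level on `LoginController` (and likewise on `RegisterController` in the second file of this line) sits next to an existing `Throttle` import from `@nestjs/throttler`, so these controllers now carry two IP-based rate limiters with independent windows and counters, and nothing in the hunk says how they are meant to interact. A one-line comment above the decorator, `// Counts every non-GET request per IP in-process; complements the @Throttle limits on individual handlers`, would save the next reader from wondering whether one replaces the other. Because the guard is attached to the whole controller rather than to the login/register POST handlers, any other non-GET route these classes expose is counted too; the handler bodies start outside the hunk, so whether that is intended cannot be checked here.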
@@ -0,0 +1,47 @@
+import { Injectable } from '@nestjs/common';
+
+export interface IPLimit {
+  ip: string;
+  attempts: number;
+  expires: number;
+  reported: boolean;
+}
+
+@Injectable()
+export class IPLimitService {
+  public limitedAddresses: IPLimit[] = [];
+
+  public getAddressLimit(ip: string) {
+    this.flush();
+    const entry = this.limitedAddresses.find((item) => item.ip === ip);
+    if (!entry) return null;
+    return entry;
+  }
+
+  public limitUntil(ip: string, expires: number, reported = false) {
+    const existing = this.limitedAddresses.find((item) => item.ip === ip);
+    if (existing) {
+      existing.attempts++;
+      existing.expires = expires + Date.now();
+      if (reported) existing.reported = true;
+      return existing;
+    }
+
+    const newObj = {
+      ip,
+      expires: expires + Date.now(),
+      attempts: 0,
+      reported,
+    };
+
+    this.limitedAddresses.push(newObj);
+
+    return newObj;
+  }
+
+  public flush() {
+    this.limitedAddresses = this.limitedAddresses.filter(
+      (entry) => entry.expires > Date.now(),
+    );
+  }
+}
diff --git a/src/modules/utility/utility.module.ts b/src/modules/utility/utility.module.ts
index d6a4042..5ba5b29 100644
--- a/src/modules/utility/utility.module.ts
+++ b/src/modules/utility/utility.module.ts
@@ -1,5 +1,6 @@
 import { Global, Module } from '@nestjs/common';
 import { FormUtilityService } from './services/form-utility.service';
+import { IPLimitService } from './services/iplimit.service';
 import { PaginationService } from './services/paginate.service';
 import { QRCodeService } from './services/qr-code.service';
 import { TokenService } from './services/token.service';
@@ -11,7 +12,14 @@ import { TokenService } from './services/token.service';
     FormUtilityService,
     QRCodeService,
     PaginationService,
+    IPLimitService,
+  ],
+  exports: [
+    TokenService,
+    FormUtilityService,
+    QRCodeService,
+    PaginationService,
+    IPLimitService,
   ],
-  exports: [TokenService, FormUtilityService, QRCodeService, PaginationService],
 })
 export class UtilityModule {}
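Review bot: `limitUntil` finds the existing entry without checking `expires`, and only `getAddressLimit` calls `flush()`, so an entry that lapses between those two calls (the guard sleeps between them) is revived with its old `attempts` count instead of starting a fresh window; on top of that both lookups are a linear `find` over an array and `flush` rebuilds the whole array on every `getAddressLimit`, so per-request cost grows with the number of distinct addresses seen in the window. A `Map<string, IPLimit>` keyed by address gives O(1) lookup, in-place deletion in `flush`, and a natural place for the expiry check on the existing entry, as sketched below. Note also that a new entry starts at `attempts: 0`, so the first request in a window is not counted as an attempt and the guard's thresholds (3, 5, 10) are one higher than they read; either document that on the field, `/** Requests seen in the current window, not counting the one that opened it. */`, or start at 1 and adjust the guard. The whole table is per process, so with more than one instance the limits are not shared, which deserves a line in the class doc comment.
```typescript
// … unchanged: imports and the IPLimit interface …
@Injectable()
export class IPLimitService {
  private readonly limitedAddresses = new Map<string, IPLimit>();

  public getAddressLimit(ip: string): IPLimit | null {
    this.flush();
    return this.limitedAddresses.get(ip) ?? null;
  }

  public limitUntil(ip: string, expires: number, reported = false): IPLimit {
    const now = Date.now();
    const existing = this.limitedAddresses.get(ip);
    // Only extend a live entry; a lapsed one is replaced so a stale count does not carry over.
    if (existing && existing.expires > now) {
      existing.attempts++;
      existing.expires = expires + now;
      if (reported) existing.reported = true;
      return existing;
    }
    const fresh: IPLimit = { ip, expires: expires + now, attempts: 0, reported };
    this.limitedAddresses.set(ip, fresh);
    return fresh;
  }

  public flush(): void {
    const now = Date.now();
    for (const [ip, entry] of this.limitedAddresses) {
      if (entry.expires <= now) this.limitedAddresses.delete(ip);
    }
  }
}
```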