Ghost/core/server/middleware/api/spam-prevention.js

// # SpamPrevention Middleware
// Usage: spamPrevention
// After:
// Before:
// App: Admin|Blog|API
//
// Helpers to handle spam detection on signin, forgot password, and protected pages.

var _ = require('lodash'),
    errors    = require('../../errors'),
    config    = require('../../config'),
    i18n      = require('../../i18n'),
    loginSecurity = [],
    forgottenSecurity = [],
    spamPrevention;

spamPrevention = {
    /*jslint unparam:true*/
    // limit signin requests to ten failed requests per IP per hour
    signin: function signin(req, res, next) {
        var currentTime = process.hrtime()[0],
            remoteAddress = req.connection.remoteAddress,
            deniedRateLimit = '',
            ipCount = '',
            rateSigninPeriod = config.rateSigninPeriod || 3600,
            rateSigninAttempts = config.rateSigninAttempts || 10;

        if (req.body.username && req.body.grant_type === 'password') {
            loginSecurity.push({ip: remoteAddress, time: currentTime, email: req.body.username});
        } else if (req.body.grant_type === 'refresh_token' || req.body.grant_type === 'authorization_code') {
            return next();
        } else {
            return next(new errors.BadRequestError({message: i18n.t('errors.middleware.spamprevention.noUsername')}));
        }

        // filter entries that are older than rateSigninPeriod
        loginSecurity = _.filter(loginSecurity, function filter(logTime) {
            return (logTime.time + rateSigninPeriod > currentTime);
        });

        // check number of tries per IP address
        ipCount = _.chain(loginSecurity).countBy('ip').value();
        deniedRateLimit = (ipCount[remoteAddress] > rateSigninAttempts);

        if (deniedRateLimit) {
            return next(new errors.TooManyRequestsError({
                message: i18n.t('errors.middleware.spamprevention.tooManyAttempts') + rateSigninPeriod === 3600 ? i18n.t('errors.middleware.spamprevention.waitOneHour') : i18n.t('errors.middleware.spamprevention.tryAgainLater'),
                context: i18n.t('errors.middleware.spamprevention.tooManySigninAttempts.error', {rateSigninAttempts: rateSigninAttempts, rateSigninPeriod: rateSigninPeriod}),
                help: i18n.t('errors.middleware.spamprevention.tooManySigninAttempts.context')
            }));
        }
        next();
    },

    // limit forgotten password requests to five requests per IP per hour for different email addresses
    // limit forgotten password requests to five requests per email address
    // @TODO: add validation check to validation middleware
    forgotten: function forgotten(req, res, next) {
        if (!req.body.passwordreset) {
            return next(new errors.BadRequestError({
                message: i18n.t('errors.api.utils.noRootKeyProvided', {docName: 'passwordreset'})
            }));
        }

        var currentTime = process.hrtime()[0],
            remoteAddress = req.connection.remoteAddress,
            rateForgottenPeriod = config.rateForgottenPeriod || 3600,
            rateForgottenAttempts = config.rateForgottenAttempts || 5,
            email = req.body.passwordreset[0].email,
            ipCount = '',
            deniedRateLimit = '',
            deniedEmailRateLimit = '',
            index = _.findIndex(forgottenSecurity, function findIndex(logTime) {
                return (logTime.ip === remoteAddress && logTime.email === email);
            });

        if (email) {
            if (index !== -1) {
                forgottenSecurity[index].count = forgottenSecurity[index].count + 1;
            } else {
                forgottenSecurity.push({ip: remoteAddress, time: currentTime, email: email, count: 0});
            }
        } else {
            return next(new errors.BadRequestError({message: i18n.t('errors.middleware.spamprevention.noEmail')}));
        }

        // filter entries that are older than rateForgottenPeriod
        forgottenSecurity = _.filter(forgottenSecurity, function filter(logTime) {
            return (logTime.time + rateForgottenPeriod > currentTime);
        });

        // check number of tries with different email addresses per IP
        ipCount = _.chain(forgottenSecurity).countBy('ip').value();
        deniedRateLimit = (ipCount[remoteAddress] > rateForgottenAttempts);

        if (index !== -1) {
            deniedEmailRateLimit = (forgottenSecurity[index].count > rateForgottenAttempts);
        }

        if (deniedEmailRateLimit) {
            return next(new errors.TooManyRequestsError({
                message: i18n.t('errors.middleware.spamprevention.tooManyAttempts') + rateForgottenPeriod === 3600 ? i18n.t('errors.middleware.spamprevention.waitOneHour') : i18n.t('errors.middleware.spamprevention.tryAgainLater'),
                context: i18n.t('errors.middleware.spamprevention.forgottenPasswordEmail.error', {
                    rfa: rateForgottenAttempts,
                    rfp: rateForgottenPeriod
                }),
                help: i18n.t('errors.middleware.spamprevention.forgottenPasswordEmail.context')
            }));
        }

        if (deniedRateLimit) {
            return next(new errors.TooManyRequestsError({
                message: i18n.t('errors.middleware.spamprevention.tooManyAttempts') + rateForgottenPeriod === 3600 ? i18n.t('errors.middleware.spamprevention.waitOneHour') : i18n.t('errors.middleware.spamprevention.tryAgainLater'),
                context: i18n.t('errors.middleware.spamprevention.forgottenPasswordIp.error', {rfa: rateForgottenAttempts, rfp: rateForgottenPeriod}),
                help: i18n.t('errors.middleware.spamprevention.forgottenPasswordIp.context')
            }));
        }

        next();
    },

    resetCounter: function resetCounter(email) {
        loginSecurity = _.filter(loginSecurity, function filter(logTime) {
            return (logTime.email !== email);
        });
    }
};

module.exports = spamPrevention;
Move the spam prevention into its own file. issue #5286 - Moved the spam prevention functions into their own file - Added unit tests for the functions 2015-05-26 22:04:27 +03:00			`// # SpamPrevention Middleware`
			`// Usage: spamPrevention`
			`// After:`
			`// Before:`
			`// App: Admin\|Blog\|API`
			`//`
			`// Helpers to handle spam detection on signin, forgot password, and protected pages.`

			`var _ = require('lodash'),`
🎉 Middleware refactor: Give the API its own express App (#7537) refs #4172 * 🎨 Use bodyParser only where it is needed This is a pretty extreme optimisation, however in the interests of killing middleware/index.js it seemed prudent to move towards not having in there that wasn't strictly necessary 😁 We should reassess how apps do this sort of thing, but it seems pretty sane to declare bodyParsing if and only if it is necessary. * 🎨 Move all API code to API router * 🎨 Refactor API into an App, not just a router - Apps have their own rendering engines, only the frontend & the admin panel need views - The API should be JSON only, with minimal middleware - Individual sections within the API could/should be treated as Routers * 🎨 Flatten API middleware inclusion - get rid of the weird middleware object - move the api-only middleware into the middleware/api folder 2016-10-11 11:36:00 +03:00			`errors = require('../../errors'),`
			`config = require('../../config'),`
			`i18n = require('../../i18n'),`
Move the spam prevention into its own file. issue #5286 - Moved the spam prevention functions into their own file - Added unit tests for the functions 2015-05-26 22:04:27 +03:00			`loginSecurity = [],`
			`forgottenSecurity = [],`
			`spamPrevention;`

			`spamPrevention = {`
			`/jslint unparam:true/`
			`// limit signin requests to ten failed requests per IP per hour`
Ensure middleware functions are named refs #5091 - adds names to all middleware functions, for debugging purposes 2015-05-30 23:18:26 +03:00			`signin: function signin(req, res, next) {`
Move the spam prevention into its own file. issue #5286 - Moved the spam prevention functions into their own file - Added unit tests for the functions 2015-05-26 22:04:27 +03:00			`var currentTime = process.hrtime()[0],`
			`remoteAddress = req.connection.remoteAddress,`
			`deniedRateLimit = '',`
			`ipCount = '',`
			`rateSigninPeriod = config.rateSigninPeriod \|\| 3600,`
			`rateSigninAttempts = config.rateSigninAttempts \|\| 10;`

			`if (req.body.username && req.body.grant_type === 'password') {`
			`loginSecurity.push({ip: remoteAddress, time: currentTime, email: req.body.username});`
🎨 one token endpoint (#7571) * 🎨 one token endpoint refs #7562 - delete /authentication/ghost - Ghost-Admin will use /authentication/token for all use cases (password, refresh token and ghost.org authorization code) - add new grant_type `authorization_code` * 🎨 update comment description and remove spamPrevention.resetCounter 2016-10-17 13:45:50 +03:00			`} else if (req.body.grant_type === 'refresh_token' \|\| req.body.grant_type === 'authorization_code') {`
Move the spam prevention into its own file. issue #5286 - Moved the spam prevention functions into their own file - Added unit tests for the functions 2015-05-26 22:04:27 +03:00			`return next();`
			`} else {`
✨ Error creation (#7477) refs #7116, refs #2001 - Changes the way Ghost errors are implemented to benefit from proper inheritance - Moves all error definitions into a single file - Changes the error constructor to take an options object, rather than needing the arguments to be passed in the correct order. - Provides a wrapper so that any errors that haven't already been converted to GhostErrors get converted before they are displayed. Summary of changes: * 🐛 set NODE_ENV in config handler * ✨ add GhostError implementation (core/server/errors.js) - register all errors in one file - inheritance from GhostError - option pattern * 🔥 remove all error files * ✨ wrap all errors into GhostError in case of HTTP * 🎨 adaptions - option pattern for errors - use GhostError when needed * 🎨 revert debug deletion and add TODO for error id's 2016-10-06 15:27:35 +03:00			`return next(new errors.BadRequestError({message: i18n.t('errors.middleware.spamprevention.noUsername')}));`
Move the spam prevention into its own file. issue #5286 - Moved the spam prevention functions into their own file - Added unit tests for the functions 2015-05-26 22:04:27 +03:00			`}`

			`// filter entries that are older than rateSigninPeriod`
Ensure middleware functions are named refs #5091 - adds names to all middleware functions, for debugging purposes 2015-05-30 23:18:26 +03:00			`loginSecurity = _.filter(loginSecurity, function filter(logTime) {`
Move the spam prevention into its own file. issue #5286 - Moved the spam prevention functions into their own file - Added unit tests for the functions 2015-05-26 22:04:27 +03:00			`return (logTime.time + rateSigninPeriod > currentTime);`
			`});`

			`// check number of tries per IP address`
			`ipCount = _.chain(loginSecurity).countBy('ip').value();`
			`deniedRateLimit = (ipCount[remoteAddress] > rateSigninAttempts);`

			`if (deniedRateLimit) {`
✨ Error creation (#7477) refs #7116, refs #2001 - Changes the way Ghost errors are implemented to benefit from proper inheritance - Moves all error definitions into a single file - Changes the error constructor to take an options object, rather than needing the arguments to be passed in the correct order. - Provides a wrapper so that any errors that haven't already been converted to GhostErrors get converted before they are displayed. Summary of changes: * 🐛 set NODE_ENV in config handler * ✨ add GhostError implementation (core/server/errors.js) - register all errors in one file - inheritance from GhostError - option pattern * 🔥 remove all error files * ✨ wrap all errors into GhostError in case of HTTP * 🎨 adaptions - option pattern for errors - use GhostError when needed * 🎨 revert debug deletion and add TODO for error id's 2016-10-06 15:27:35 +03:00			`return next(new errors.TooManyRequestsError({`
			`message: i18n.t('errors.middleware.spamprevention.tooManyAttempts') + rateSigninPeriod === 3600 ? i18n.t('errors.middleware.spamprevention.waitOneHour') : i18n.t('errors.middleware.spamprevention.tryAgainLater'),`
			`context: i18n.t('errors.middleware.spamprevention.tooManySigninAttempts.error', {rateSigninAttempts: rateSigninAttempts, rateSigninPeriod: rateSigninPeriod}),`
			`help: i18n.t('errors.middleware.spamprevention.tooManySigninAttempts.context')`
			`}));`
Move the spam prevention into its own file. issue #5286 - Moved the spam prevention functions into their own file - Added unit tests for the functions 2015-05-26 22:04:27 +03:00			`}`
			`next();`
			`},`

			`// limit forgotten password requests to five requests per IP per hour for different email addresses`
			`// limit forgotten password requests to five requests per email address`
🎨 remove token logic from user model (#7622) * 🔥 remove User model functions - validateToken - generateToken - resetPassword - all this logic will re-appear in a different way Token logic: - was already extracted as separate PR, see https://github.com/TryGhost/Ghost/pull/7554 - we will use this logic in the controller, you will see in the next commits Reset Password: Was just a wrapper for calling the token logic and change the password. We can reconsider keeping the function to call: changePassword and activate the status of the user - but i think it's fine to trigger these two actions from the controlling unit. * 🔥 remove password reset tests from User model - we already have unit tests for change password and the token logic - i will re-check at the end if any test case is missing - but for now i will just burn the tests * ✨ add token logic to controlling unit generateResetToken endpoint - the only change here is instead of calling the User model to generate a token, we generate the token via utils - we fetch the user by email, and generate a hash and return resetPassword endpoint - here we have changed a little bit more - first of all: we have added the validation check if the new passwords match - a new helper method to extract the token informations - the brute force security check, which can be handled later from the new bruteforce middleware (see TODO) - the actual reset function is doing the steps: load me the user, compare the token, change the password and activate the user - we can think of wrapping these steps into a User model function - i was not sure about it, because it is actually part of the controlling unit [ci skip] * 🎨 tidy up - jscs - jshint - naming functions - fixes * ✨ add a test for resetting the password - there was none - added a test to reset the password * 🎨 add more token tests - ensure quality - ensure logic we had * 🔥 remove compare new password check from User Model - this part of controlling unit * ✨ compare new passwords for user endpoint - we deleted the logic in User Model - we are adding the logic to controlling unit * 🐛 spam prevention forgotten can crash - no validation happend before this middleware - it just assumes that the root key is present - when we work on our API, we need to ensure that 1. pre validation happens 2. we call middlewares 3. ... * 🎨 token translation key 2016-11-07 14:18:50 +03:00			`// @TODO: add validation check to validation middleware`
Ensure middleware functions are named refs #5091 - adds names to all middleware functions, for debugging purposes 2015-05-30 23:18:26 +03:00			`forgotten: function forgotten(req, res, next) {`
🎨 remove token logic from user model (#7622) * 🔥 remove User model functions - validateToken - generateToken - resetPassword - all this logic will re-appear in a different way Token logic: - was already extracted as separate PR, see https://github.com/TryGhost/Ghost/pull/7554 - we will use this logic in the controller, you will see in the next commits Reset Password: Was just a wrapper for calling the token logic and change the password. We can reconsider keeping the function to call: changePassword and activate the status of the user - but i think it's fine to trigger these two actions from the controlling unit. * 🔥 remove password reset tests from User model - we already have unit tests for change password and the token logic - i will re-check at the end if any test case is missing - but for now i will just burn the tests * ✨ add token logic to controlling unit generateResetToken endpoint - the only change here is instead of calling the User model to generate a token, we generate the token via utils - we fetch the user by email, and generate a hash and return resetPassword endpoint - here we have changed a little bit more - first of all: we have added the validation check if the new passwords match - a new helper method to extract the token informations - the brute force security check, which can be handled later from the new bruteforce middleware (see TODO) - the actual reset function is doing the steps: load me the user, compare the token, change the password and activate the user - we can think of wrapping these steps into a User model function - i was not sure about it, because it is actually part of the controlling unit [ci skip] * 🎨 tidy up - jscs - jshint - naming functions - fixes * ✨ add a test for resetting the password - there was none - added a test to reset the password * 🎨 add more token tests - ensure quality - ensure logic we had * 🔥 remove compare new password check from User Model - this part of controlling unit * ✨ compare new passwords for user endpoint - we deleted the logic in User Model - we are adding the logic to controlling unit * 🐛 spam prevention forgotten can crash - no validation happend before this middleware - it just assumes that the root key is present - when we work on our API, we need to ensure that 1. pre validation happens 2. we call middlewares 3. ... * 🎨 token translation key 2016-11-07 14:18:50 +03:00			`if (!req.body.passwordreset) {`
			`return next(new errors.BadRequestError({`
			`message: i18n.t('errors.api.utils.noRootKeyProvided', {docName: 'passwordreset'})`
			`}));`
			`}`

Move the spam prevention into its own file. issue #5286 - Moved the spam prevention functions into their own file - Added unit tests for the functions 2015-05-26 22:04:27 +03:00			`var currentTime = process.hrtime()[0],`
			`remoteAddress = req.connection.remoteAddress,`
			`rateForgottenPeriod = config.rateForgottenPeriod \|\| 3600,`
			`rateForgottenAttempts = config.rateForgottenAttempts \|\| 5,`
			`email = req.body.passwordreset[0].email,`
			`ipCount = '',`
			`deniedRateLimit = '',`
			`deniedEmailRateLimit = '',`
Ensure middleware functions are named refs #5091 - adds names to all middleware functions, for debugging purposes 2015-05-30 23:18:26 +03:00			`index = _.findIndex(forgottenSecurity, function findIndex(logTime) {`
Move the spam prevention into its own file. issue #5286 - Moved the spam prevention functions into their own file - Added unit tests for the functions 2015-05-26 22:04:27 +03:00			`return (logTime.ip === remoteAddress && logTime.email === email);`
			`});`

			`if (email) {`
			`if (index !== -1) {`
			`forgottenSecurity[index].count = forgottenSecurity[index].count + 1;`
			`} else {`
			`forgottenSecurity.push({ip: remoteAddress, time: currentTime, email: email, count: 0});`
			`}`
			`} else {`
✨ Error creation (#7477) refs #7116, refs #2001 - Changes the way Ghost errors are implemented to benefit from proper inheritance - Moves all error definitions into a single file - Changes the error constructor to take an options object, rather than needing the arguments to be passed in the correct order. - Provides a wrapper so that any errors that haven't already been converted to GhostErrors get converted before they are displayed. Summary of changes: * 🐛 set NODE_ENV in config handler * ✨ add GhostError implementation (core/server/errors.js) - register all errors in one file - inheritance from GhostError - option pattern * 🔥 remove all error files * ✨ wrap all errors into GhostError in case of HTTP * 🎨 adaptions - option pattern for errors - use GhostError when needed * 🎨 revert debug deletion and add TODO for error id's 2016-10-06 15:27:35 +03:00			`return next(new errors.BadRequestError({message: i18n.t('errors.middleware.spamprevention.noEmail')}));`
Move the spam prevention into its own file. issue #5286 - Moved the spam prevention functions into their own file - Added unit tests for the functions 2015-05-26 22:04:27 +03:00			`}`

			`// filter entries that are older than rateForgottenPeriod`
Ensure middleware functions are named refs #5091 - adds names to all middleware functions, for debugging purposes 2015-05-30 23:18:26 +03:00			`forgottenSecurity = _.filter(forgottenSecurity, function filter(logTime) {`
Move the spam prevention into its own file. issue #5286 - Moved the spam prevention functions into their own file - Added unit tests for the functions 2015-05-26 22:04:27 +03:00			`return (logTime.time + rateForgottenPeriod > currentTime);`
			`});`

			`// check number of tries with different email addresses per IP`
			`ipCount = _.chain(forgottenSecurity).countBy('ip').value();`
			`deniedRateLimit = (ipCount[remoteAddress] > rateForgottenAttempts);`

			`if (index !== -1) {`
			`deniedEmailRateLimit = (forgottenSecurity[index].count > rateForgottenAttempts);`
			`}`

			`if (deniedEmailRateLimit) {`
✨ Error creation (#7477) refs #7116, refs #2001 - Changes the way Ghost errors are implemented to benefit from proper inheritance - Moves all error definitions into a single file - Changes the error constructor to take an options object, rather than needing the arguments to be passed in the correct order. - Provides a wrapper so that any errors that haven't already been converted to GhostErrors get converted before they are displayed. Summary of changes: * 🐛 set NODE_ENV in config handler * ✨ add GhostError implementation (core/server/errors.js) - register all errors in one file - inheritance from GhostError - option pattern * 🔥 remove all error files * ✨ wrap all errors into GhostError in case of HTTP * 🎨 adaptions - option pattern for errors - use GhostError when needed * 🎨 revert debug deletion and add TODO for error id's 2016-10-06 15:27:35 +03:00			`return next(new errors.TooManyRequestsError({`
			`message: i18n.t('errors.middleware.spamprevention.tooManyAttempts') + rateForgottenPeriod === 3600 ? i18n.t('errors.middleware.spamprevention.waitOneHour') : i18n.t('errors.middleware.spamprevention.tryAgainLater'),`
			`context: i18n.t('errors.middleware.spamprevention.forgottenPasswordEmail.error', {`
			`rfa: rateForgottenAttempts,`
			`rfp: rateForgottenPeriod`
			`}),`
			`help: i18n.t('errors.middleware.spamprevention.forgottenPasswordEmail.context')`
			`}));`
Move the spam prevention into its own file. issue #5286 - Moved the spam prevention functions into their own file - Added unit tests for the functions 2015-05-26 22:04:27 +03:00			`}`

			`if (deniedRateLimit) {`
✨ Error creation (#7477) refs #7116, refs #2001 - Changes the way Ghost errors are implemented to benefit from proper inheritance - Moves all error definitions into a single file - Changes the error constructor to take an options object, rather than needing the arguments to be passed in the correct order. - Provides a wrapper so that any errors that haven't already been converted to GhostErrors get converted before they are displayed. Summary of changes: * 🐛 set NODE_ENV in config handler * ✨ add GhostError implementation (core/server/errors.js) - register all errors in one file - inheritance from GhostError - option pattern * 🔥 remove all error files * ✨ wrap all errors into GhostError in case of HTTP * 🎨 adaptions - option pattern for errors - use GhostError when needed * 🎨 revert debug deletion and add TODO for error id's 2016-10-06 15:27:35 +03:00			`return next(new errors.TooManyRequestsError({`
			`message: i18n.t('errors.middleware.spamprevention.tooManyAttempts') + rateForgottenPeriod === 3600 ? i18n.t('errors.middleware.spamprevention.waitOneHour') : i18n.t('errors.middleware.spamprevention.tryAgainLater'),`
			`context: i18n.t('errors.middleware.spamprevention.forgottenPasswordIp.error', {rfa: rateForgottenAttempts, rfp: rateForgottenPeriod}),`
			`help: i18n.t('errors.middleware.spamprevention.forgottenPasswordIp.context')`
			`}));`
Move the spam prevention into its own file. issue #5286 - Moved the spam prevention functions into their own file - Added unit tests for the functions 2015-05-26 22:04:27 +03:00			`}`

			`next();`
			`},`

Ensure middleware functions are named refs #5091 - adds names to all middleware functions, for debugging purposes 2015-05-30 23:18:26 +03:00			`resetCounter: function resetCounter(email) {`
			`loginSecurity = _.filter(loginSecurity, function filter(logTime) {`
Move the spam prevention into its own file. issue #5286 - Moved the spam prevention functions into their own file - Added unit tests for the functions 2015-05-26 22:04:27 +03:00			`return (logTime.email !== email);`
			`});`
			`}`
			`};`

			`module.exports = spamPrevention;`