Wip/bewest/express slow down

docs/example-template.env

@@ -12,4 +12,4 @@ LANGUAGE=en
 INSECURE_USE_HTTP=true
 PORT=1337
 NODE_ENV=development
-AUTH_FAIL_DELAY=50
+UNAUTHORIZED_DELAY_MS=50

lib/api/index.js

@@ -32,13 +32,14 @@ function create (env, ctx) {
 
   app.set('title', [app.get('name'),  'API', app.get('version')].join(' '));
 
+  app.use(wares.speedLimit);
+
  // Start setting up routes
   if (app.enabled('api')) {
     // experiments
     app.use('/experiments', require('./experiments/')(app, wares, ctx));
   }
 
-
   app.use(wares.extensions([
     'json', 'svg', 'csv', 'txt', 'png', 'html', 'tsv'
   ]));

lib/api/verifyauth.js

@@ -6,7 +6,7 @@ function configure (ctx) {
   var express = require('express'),
       api = express.Router( );
 
-  api.get('/verifyauth', function(req, res) {
+  api.get('/verifyauth', function(req, res, next) {
     ctx.authorization.resolveWithRequest(req, function resolved (err, result) {
       // this is used to see if req has api-secret equivalent authorization
       var canRead = !err && 
@@ -22,13 +22,17 @@ function configure (ctx) {
         canWrite,
         isAdmin,
         message: authorized ? 'OK' : 'UNAUTHORIZED',
+        required: true,
+        is_permitted: authorized,
         rolefound: result.subject ? 'FOUND' : 'NOTFOUND',
         permissions: result.defaults ? 'DEFAULT' : 'ROLE'
       };
-
-
-      res.sendJSONStatus(res, consts.HTTP_OK, response);
+      req.authInfo = response;
+      next( );
     });
+  }, ctx.authorization.speedLimit, function verifyauth_json (req, res, next) {
+    var response = req.authInfo;
+    res.sendJSONStatus(res, consts.HTTP_OK, response);
   });
 
   return api;

lib/authorization/endpoints.js

@@ -2,6 +2,7 @@
 
 var _ = require('lodash');
 var express = require('express');
+var slowDown = require('express-slow-down');
 
 var consts = require('./../constants');
 
@@ -18,6 +19,9 @@ function init (env, authorization) {
   // also support url-encoded content-type
   endpoints.use(wares.bodyParser.urlencoded({ extended: true }));
 
+  var speedLimit = wares.speedLimit;
+  endpoints.use(speedLimit);
+
   endpoints.get('/request/:accessToken', function requestAuthorize (req, res) {
     var authorized = authorization.authorize(req.params.accessToken);
 

lib/authorization/index.js

@@ -7,6 +7,7 @@ const shiroTrie = require('shiro-trie');
 const consts = require('./../constants');
 const sleep = require('util').promisify(setTimeout);
 const forwarded = require('forwarded-for');
+const slowDown = require('express-slow-down');
 
 function getRemoteIP (req) {
   const address = forwarded(req, req.headers);
@@ -15,15 +16,25 @@ function getRemoteIP (req) {
 
 function init (env, ctx) {
 
-  const ipdelaylist = require('./delaylist')(env, ctx);
-  const addFailedRequest = ipdelaylist.addFailedRequest;
-  const shouldDelayRequest = ipdelaylist.shouldDelayRequest;
-  const requestSucceeded = ipdelaylist.requestSucceeded;
-
   var authorization = {};
   var storage = authorization.storage = require('./storage')(env, ctx);
   var defaultRoles = (env.settings.authDefaultRoles || '').split(/[, :]/);
+  const SLOWDOWN_WINDOW_MS = _.get(env, 'settings.unauthorizedDelayWindowMs');
+  const SLOWDOWN_DELAY_AFTER = _.get(env, 'settings.unauthorizedDelayAfter');
+  const SLOWDOWN_DELAY_MS = _.get(env, 'settings.unauthorizedDelayMs');
+
+  function skip_request (req, res) {
+    var required = req.authInfo && req.authInfo.required;
+    return !required || (req.authInfo && req.authInfo.is_permitted);
+  }
 
+  var speedLimit = authorization.speedLimit = slowDown({
+    windowMS: SLOWDOWN_WINDOW_MS,
+    delayAfter: SLOWDOWN_DELAY_AFTER,
+    delayMs: SLOWDOWN_DELAY_MS,
+    keyGenerator: getRemoteIP,
+    skip: skip_request
+  });
   /**
    * Loads JWT from request
    * 
@@ -154,12 +165,6 @@ function init (env, ctx) {
       data.api_secret = null;
     }
 
-    const requestDelay = shouldDelayRequest(data.ip);
-
-    if (requestDelay) {
-      await sleep(requestDelay);
-    }
-
     const authAttempted = (data.api_secret || data.token) ? true : false;
     const defaultShiros = storage.rolesToShiros(defaultRoles);
 
@@ -173,7 +178,6 @@ function init (env, ctx) {
     // Check for API_SECRET first as that allows bailing out fast
 
     if (data.api_secret && authorizeAdminSecret(data.api_secret)) {
-      requestSucceeded(data.ip);
       var admin = shiroTrie.new();
       admin.add(['*']);
       const result = { shiros: [admin] };
@@ -200,15 +204,12 @@ function init (env, ctx) {
     }
 
     if (token) {
-      requestSucceeded(data.ip);
       const results = authorization.resolveAccessToken(token, null, defaultShiros);
       if (callback) { callback(null, results); }
       return results;
     }
 
     console.error('Resolving secret/token to permissions failed');
-    addFailedRequest(data.ip);
-
     ctx.bus.emit('admin-notify', {
       title: ctx.language.translate('Failed authentication')
       , message: ctx.language.translate('A device at IP address %1 attempted authenticating with Nightscout with wrong credentials. Check if you have an uploader setup with wrong API_SECRET or token?', data.ip)
@@ -264,15 +265,28 @@ function init (env, ctx) {
       const permissions = await authorization.resolve(data);
       const permitted = authorization.checkMultiple(permission, permissions.shiros);
 
-      if (permitted) {
+      var response = {
+        required: permission,
+        found: permissions,
+        is_permitted: permitted,
+        message: permitted ? 'OK' : 'UNAUTHORIZED',
+      };
+      req.authInfo = response;
+      next( );
+    }
+
+    function enforce (req, res, next) {
+
+      if (permission && req.authInfo.is_permitted) {
         next();
         return;
       }
 
       res.sendJSONStatus(res, consts.HTTP_UNAUTHORIZED, 'Unauthorized', 'Invalid/Missing');
     }
 
-    return check;
+    // inspect the results and conditionally skip.
+    return [ check, speedLimit, enforce ];
 
   };
 

lib/middleware/index.js

@@ -1,5 +1,14 @@
 'use strict';
 
+var _ = require('lodash');
+const forwarded = require('forwarded-for');
+const slowDown = require('express-slow-down');
+
+function getRemoteIP (req) {
+  const address = forwarded(req, req.headers);
+  return address.ip;
+}
+
 var wares = {
   sendJSONStatus : require('./send-json-status'),
   bodyParser : require('body-parser'),
@@ -12,6 +21,17 @@ function extensions (list) {
 }
 
 function configure (env) {
+  const SLOWDOWN_WINDOW_MS = _.get(env, 'settings.slowdownWindowMs');
+  const SLOWDOWN_DELAY_AFTER = _.get(env, 'settings.slowdownDelayAfter');
+  const SLOWDOWN_DELAY_MS = _.get(env, 'settings.slowdownDelayMs');
+  var speedLimit = slowDown({
+    windowMS: SLOWDOWN_WINDOW_MS,
+    delayAfter: SLOWDOWN_DELAY_AFTER,
+    delayMs: SLOWDOWN_DELAY_MS,
+    keyGenerator: getRemoteIP,
+    skipSuccessfulRequests: true
+  });
+
   return {
     sendJSONStatus: wares.sendJSONStatus( ),
     bodyParser: wares.bodyParser,
@@ -28,7 +48,8 @@ function configure (env) {
     }),
     compression: wares.compression,
     extensions: extensions,
-    obscure_device: wares.obscureDeviceProvenance(env)
+    obscure_device: wares.obscureDeviceProvenance(env),
+    speedLimit: speedLimit
   };
 }
 

lib/settings.js

@@ -68,7 +68,12 @@ function init () {
     , frameName6: ''
     , frameName7: ''
     , frameName8: ''
-    , authFailDelay: 5000
+    , slowdownWindowMs: 30000
+    , slowdownDelayAfter: 100
+    , slowdownDelayMs: 500
+    , unauthorizedDelayWindowMs: 30000
+    , unauthorizedDelayAfter: 1
+    , unauthorizedDelayMs: 5000
     , adminNotifiesEnabled: true
     , obscured: ''
     , obscureDeviceProvenance: ''
@@ -109,7 +114,12 @@ function init () {
     , bgLow: mapNumber
     , bgTargetTop: mapNumber
     , bgTargetBottom: mapNumber
-    , authFailDelay: mapNumber
+    , slowdownWindowMs: mapNumber
+    , slowdownDelayAfter: mapNumber
+    , slowdownDelayMs: mapNumber
+    , unauthorizedDelayWindowMs: mapNumber
+    , unauthorizedDelayAfter: mapNumber
+    , unauthorizedDelayMs: mapNumber
     , adminNotifiesEnabled: mapTruthy
   };