Merge pull request #2884 from OpenC3/maint/login

ryan-pratt · web-flow · commit 02086f888207 · 2026-03-02T17:23:14.000-07:00
API rate limiting
diff --git a/.env b/.env
@@ -55,6 +55,11 @@ OPENC3_SR_REDIS_PASSWORD=scriptrunnerpassword
 OPENC3_SR_BUCKET_USERNAME=scriptrunnerbucket
 OPENC3_SR_BUCKET_PASSWORD=scriptrunnerbucketpassword
 OPENC3_SERVICE_PASSWORD=openc3service
+# Rate limiting for authentication endpoints. Uncomment to change from defaults.
+# In COSMOS Enterprise, use Keycloak to configure this instead.
+# This prevents more than 10 failed password attempts within 120 seconds.
+# OPENC3_AUTH_RATE_LIMIT_TO=10
+# OPENC3_AUTH_RATE_LIMIT_WITHIN=120
 # Build and repository settings
 ALPINE_VERSION=3.22
 ALPINE_BUILD=3
diff --git a/openc3-cosmos-cmd-tlm-api/app/controllers/auth_controller.rb b/openc3-cosmos-cmd-tlm-api/app/controllers/auth_controller.rb
@@ -19,6 +19,17 @@
 require 'openc3/models/auth_model'
 
 class AuthController < ApplicationController
+  MAX_BAD_ATTEMPTS = ENV.fetch('OPENC3_AUTH_RATE_LIMIT_TO', '10').to_i
+  BAD_ATTEMPTS_WINDOW = ENV.fetch('OPENC3_AUTH_RATE_LIMIT_WITHIN', '120').to_i
+
+  @@user_bad_attempts_count = 0
+  @@user_bad_attempts_first_time = nil
+  @@user_bad_attempts_mutex = Mutex.new
+
+  @@service_bad_attempts_count = 0
+  @@service_bad_attempts_first_time = nil
+  @@service_bad_attempts_mutex = Mutex.new
+
   def token_exists
     result = OpenC3::AuthModel.set?
     render json: {
@@ -27,10 +38,16 @@ def token_exists
   end
 
   def verify
+    if user_rate_limited?
+      head :too_many_requests
+      return
+    end
+
     begin
       if OpenC3::AuthModel.verify_no_service(params[:password], no_password: false)
         render :plain => OpenC3::AuthModel.generate_session()
       else
+        record_user_bad_attempt
         head :unauthorized
       end
     rescue StandardError => e
@@ -40,10 +57,16 @@ def verify
   end
 
   def verify_service
+    if service_rate_limited?
+      head :too_many_requests
+      return
+    end
+
     begin
       if OpenC3::AuthModel.verify(params[:password], service_only: true)
         render :plain => OpenC3::AuthModel.generate_session()
       else
+        record_service_bad_attempt
         head :unauthorized
       end
     rescue StandardError => e
@@ -53,14 +76,84 @@ def verify_service
   end
 
   def set
+    if user_rate_limited?
+      head :too_many_requests
+      return
+    end
+
     begin
       # Set throws an exception if it fails for any reason
       OpenC3::AuthModel.set(params[:password], params[:old_password])
       OpenC3::Logger.info("Password changed", user: username())
       render :plain => OpenC3::AuthModel.generate_session()
     rescue StandardError => e
+      if e.message == "old_password incorrect"
+        record_user_bad_attempt
+      end
       log_error(e)
       render json: { status: 'error', message: e.message, type: e.class }, status: 500
     end
   end
+
+  private
+
+  # Checks to see if the user password has been rate limited due to bad attempts
+  def user_rate_limited?
+    @@user_bad_attempts_mutex.synchronize do
+      time = Time.now
+      
+      # Reset counter if window has expired
+      if @@user_bad_attempts_first_time && (time - @@user_bad_attempts_first_time) > BAD_ATTEMPTS_WINDOW
+        @@user_bad_attempts_count = 0
+        @@user_bad_attempts_first_time = nil
+      end
+      
+      return @@user_bad_attempts_count >= MAX_BAD_ATTEMPTS
+    end
+  end
+  
+  # Initializes or increments the bad attempt counter for the user password
+  def record_user_bad_attempt
+    @@user_bad_attempts_mutex.synchronize do
+      time = Time.now
+      
+      # Start new window if this is the first attempt or window expired
+      if @@user_bad_attempts_first_time.nil? || (time - @@user_bad_attempts_first_time) > BAD_ATTEMPTS_WINDOW
+        @@user_bad_attempts_count = 1
+        @@user_bad_attempts_first_time = time
+      else
+        @@user_bad_attempts_count += 1
+      end
+    end
+  end
+  
+  # Checks to see if the service password has been rate limited due to bad attempts
+  def service_rate_limited?
+    @@service_bad_attempts_mutex.synchronize do
+      time = Time.now
+      
+      # Reset counter if window has expired
+      if @@service_bad_attempts_first_time && (time - @@service_bad_attempts_first_time) > BAD_ATTEMPTS_WINDOW
+        @@service_bad_attempts_count = 0
+        @@service_bad_attempts_first_time = nil
+      end
+      
+      return @@service_bad_attempts_count >= MAX_BAD_ATTEMPTS
+    end
+  end
+  
+  # Initializes or increments the bad attempt counter for the service password
+  def record_service_bad_attempt
+    @@service_bad_attempts_mutex.synchronize do
+      time = Time.now
+      
+      # Start new window if this is the first attempt or window expired
+      if @@service_bad_attempts_first_time.nil? || (time - @@service_bad_attempts_first_time) > BAD_ATTEMPTS_WINDOW
+        @@service_bad_attempts_count = 1
+        @@service_bad_attempts_first_time = time
+      else
+        @@service_bad_attempts_count += 1
+      end
+    end
+  end
 end
diff --git a/openc3-cosmos-cmd-tlm-api/spec/controllers/auth_controller_spec.rb b/openc3-cosmos-cmd-tlm-api/spec/controllers/auth_controller_spec.rb
@@ -82,4 +82,46 @@
       expect(response).to have_http_status(:ok)
     end
   end
+
+  describe "rate limiting" do
+    # Actually testing that rate limiting is enforced is done in Playwright
+    # because the bad attempt counters in the controller are shared across
+    # all requests/tests. But we can ensure that the config is read and that
+    # successful attempts don't get rate limited.
+
+    it "uses default rate limit values from environment" do
+      expect(ENV['OPENC3_AUTH_RATE_LIMIT_TO']).to eq('10')
+      expect(ENV['OPENC3_AUTH_RATE_LIMIT_WITHIN']).to eq('120')
+    end
+
+    it "respects custom rate limit values from environment" do
+      original_to = ENV.fetch('OPENC3_AUTH_RATE_LIMIT_TO', '10')
+      original_within = ENV.fetch('OPENC3_AUTH_RATE_LIMIT_WITHIN', '120')
+
+      begin
+        ENV['OPENC3_AUTH_RATE_LIMIT_TO'] = '5'
+        ENV['OPENC3_AUTH_RATE_LIMIT_WITHIN'] = '60'
+
+        load Rails.root.join('app', 'controllers', 'auth_controller.rb')
+
+        expect(ENV['OPENC3_AUTH_RATE_LIMIT_TO']).to eq('5')
+        expect(ENV['OPENC3_AUTH_RATE_LIMIT_WITHIN']).to eq('60')
+      ensure
+        ENV['OPENC3_AUTH_RATE_LIMIT_TO'] = original_to
+        ENV['OPENC3_AUTH_RATE_LIMIT_WITHIN'] = original_within
+        load Rails.root.join('app', 'controllers', 'auth_controller.rb')
+      end
+    end
+
+    it "does not rate limit successful password attempts" do
+      # Note: testing rate limit for bad attempts is done in Playwright
+      post :set, params: { password: 'PASSWORD' }
+      expect(response).to have_http_status(:ok)
+
+      20.times do
+        post :verify, params: { password: 'PASSWORD' }
+        expect(response).to have_http_status(:ok)
+      end
+    end
+  end
 end
diff --git a/openc3-cosmos-cmd-tlm-api/spec/spec_helper.rb b/openc3-cosmos-cmd-tlm-api/spec/spec_helper.rb
@@ -76,6 +76,8 @@
 ENV['OPENC3_BUCKET_PASSWORD'] = 'openc3bucketpassword'
 ENV['OPENC3_SCOPE'] = 'DEFAULT'
 ENV['OPENC3_CLOUD'] = 'local'
+ENV['OPENC3_AUTH_RATE_LIMIT_TO'] ||= '10'
+ENV['OPENC3_AUTH_RATE_LIMIT_WITHIN'] ||= '120'
 
 $openc3_scope = ENV['OPENC3_SCOPE']
 $openc3_token = ENV['OPENC3_API_PASSWORD']
diff --git a/openc3-cosmos-init/plugins/packages/openc3-vue-common/src/tools/base/Login.vue b/openc3-cosmos-init/plugins/packages/openc3-vue-common/src/tools/base/Login.vue
@@ -169,6 +169,8 @@ export default {
         .catch((error) => {
           if (error?.status === 401) {
             this.alert = 'Incorrect password'
+          } else if (error?.status === 429) {
+            this.alert = 'Please try again later'
           } else if (
             error?.response?.data?.message === 'invalid password hash'
           ) {
diff --git a/openc3/lib/openc3/models/auth_model.rb b/openc3/lib/openc3/models/auth_model.rb
@@ -84,7 +84,7 @@ def self.verify_no_service(token, no_password: true)
 
       # Check stored password hash
       pw_hash = Store.get(PRIMARY_KEY)
-      raise "invalid password hash" unless pw_hash.start_with?("$argon2") # Catch users who didn't run the migration utility when upgrading to COSMOS 7
+      raise "invalid password hash" if pw_hash.nil? || !pw_hash.start_with?("$argon2") # Catch users who didn't run the migration utility when upgrading to COSMOS 7
       @@pw_hash_cache = pw_hash
       @@pw_hash_cache_time = time
       return Argon2::Password.verify_password(token, @@pw_hash_cache)
diff --git a/playwright/tests/auth.p.spec.ts b/playwright/tests/auth.p.spec.ts
@@ -0,0 +1,36 @@
+/*
+# Copyright 2026 OpenC3, Inc.
+# All Rights Reserved.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.
+# See LICENSE.md for more details.
+*/
+
+import { test, expect } from '@playwright/test'
+
+test.describe('Auth API', () => {
+  test('verifies rate limiting is enforced', async ({ request }) => {
+    if (process.env.ENTERPRISE === '1') {
+      // Rate limiting handled by Keycloak in Enterprise
+      return
+    }
+
+    const maxRequests = Number.parseInt(process.env.OPENC3_AUTH_RATE_LIMIT_TO || '10')
+
+    let gotRateLimited = false
+    for (let i = 0; i <= maxRequests; i++) {
+      const response = await request.post('/openc3-api/auth/verify', {
+        data: { password: 'whatever' }
+      })
+
+      if (response.status() === 429) {
+        gotRateLimited = true
+        break
+      }
+    }
+
+    expect(gotRateLimited).toBe(true)
+  })
+})
diff --git a/playwright/tests/data-extractor.p.spec.ts b/playwright/tests/data-extractor.p.spec.ts
@@ -161,12 +161,12 @@ test('cancels a process', async ({ page, utils }) => {
 
 test('adds an entire target', async ({ page, utils }) => {
   await utils.addTargetPacketItem('INST')
-  await expect(page.getByText('1-20 of 278')).toBeVisible()
+  await expect(page.getByText('1-20 of 279')).toBeVisible()
 })
 
 test('adds an entire packet', async ({ page, utils }) => {
   await utils.addTargetPacketItem('INST', 'HEALTH_STATUS')
-  await expect(page.getByText('1-20 of 39')).toBeVisible()
+  await expect(page.getByText('1-20 of 40')).toBeVisible()
 })
 
 test('add, edits, deletes items', async ({ page, utils }) => {
diff --git a/playwright/tests/data-viewer.p.spec.ts b/playwright/tests/data-viewer.p.spec.ts
@@ -47,11 +47,9 @@ test('saves, opens, and resets the configuration', async ({ page, utils }) => {
 
   // Add a new component with a different type
   await page.locator('[data-test=new-tab]').click()
-  await page
-    .getByRole('combobox')
-    .filter({ hasText: 'COSMOS Packet Raw/Decom' })
-    .click()
-  await page.getByText('Current Time').click()
+  await page.locator('[data-test=select-component]').click()
+  await page.getByRole('option', { name: 'Current Time' }).click()
+  await utils.sleep(100) // Wait for TPI chooser to be clickable
   await utils.selectTargetPacketItem('INST', 'HEALTH_STATUS')
   await page.locator('[data-test=select-send]').click() // add the packet to the list
   await page.locator('[data-test=add-component]').click()
