Merge pull request #214 from alphagov/2446-rate-limit-api-endpoints

Rate limit API endpoints

Author: davidgisbey

config/initializers/rack_attack.rb

@@ -1,4 +1,6 @@
 class Rack::Attack
+  CONVERSATION_API_PATH_REGEX = /^\/api\/v\d+\/conversation/
+
   throttle("sign-in or sign-ups by IP", limit: 10, period: 5.minutes) do |request|
     homepage_path = Rails.application.routes.url_helpers.homepage_path
     next cdn_client_ip(request) if request.path == homepage_path && request.post?
@@ -27,6 +29,30 @@ class Rack::Attack
     end
   end
 
+  throttle("read requests to Conversations API with token", limit: 10_000, period: 1.minute) do |request|
+    if request.path.match?(CONVERSATION_API_PATH_REGEX) && read_method?(request)
+      normalise_auth_header(request.get_header("HTTP_AUTHORIZATION"))
+    end
+  end
+
+  throttle("write requests to Conversations API with token", limit: 500, period: 1.minute) do |request|
+    if request.path.match?(CONVERSATION_API_PATH_REGEX) && !read_method?(request)
+      normalise_auth_header(request.get_header("HTTP_AUTHORIZATION"))
+    end
+  end
+
+  throttle("read requests to Conversations API with device id", limit: 120, period: 1.minute) do |request|
+    if request.path.match?(CONVERSATION_API_PATH_REGEX) && read_method?(request)
+      request.get_header("HTTP_GOVUK_CHAT_CLIENT_DEVICE_ID").presence
+    end
+  end
+
+  throttle("write requests to Conversations API with device id", limit: 20, period: 1.minute) do |request|
+    if request.path.match?(CONVERSATION_API_PATH_REGEX) && !read_method?(request)
+      request.get_header("HTTP_GOVUK_CHAT_CLIENT_DEVICE_ID").presence
+    end
+  end
+
   def self.rails_controller_action(url)
     route = Rails.application.routes.recognize_path(url)
 
@@ -42,6 +68,16 @@ def self.cdn_client_ip(request)
     request.get_header("HTTP_TRUE_CLIENT_IP")
   end
 
+  def self.read_method?(request)
+    request.get? || request.head? || request.options?
+  end
+
+  def self.normalise_auth_header(auth_header)
+    return if auth_header.blank?
+
+    auth_header.strip.gsub(/^bearer/i, "Bearer")
+  end
+
   self.throttled_responder = lambda do |request|
     Rails.logger.info(
       "Throttled request for #{request.env['rack.attack.match_discriminator']} " \

docs/api_openapi_specification.yml

@@ -18,6 +18,8 @@ paths:
     post:
       summary: Start conversation
       description: Create a conversation by posting an initial question
+      parameters:
+        - $ref: "#/components/parameters/DeviceIdHeader"
       requestBody:
         required: true
         content:
@@ -52,6 +54,7 @@ paths:
           schema:
             type: string
             format: uuid
+        - $ref: "#/components/parameters/DeviceIdHeader"
       responses:
         "200":
           description: |
@@ -82,6 +85,7 @@ paths:
           schema:
             type: string
             format: uuid
+        - $ref: "#/components/parameters/DeviceIdHeader"
       requestBody:
         required: true
         content:
@@ -123,6 +127,7 @@ paths:
           schema:
             type: string
             format: uuid
+        - $ref: "#/components/parameters/DeviceIdHeader"
       responses:
         "200":
           description: The answer is available and is returned
@@ -158,6 +163,7 @@ paths:
           schema:
             type: string
             format: uuid
+        - $ref: "#/components/parameters/DeviceIdHeader"
       requestBody:
         required: true
         content:
@@ -195,6 +201,17 @@ components:
         GOV.UK Signon issued bearer token which is used to authenticate the
         client application (e.g. GOV.UK App) and not an individual end user
       scheme: bearer
+  parameters:
+    DeviceIdHeader:
+      name: Govuk-Chat-Client-Device-Id
+      in: header
+      required: false
+      description: |
+        An identifier for an individual end-user client to be used to provide
+        individual end-user rate limiting to ensure that no one client can
+        consume all of an API users' limits.
+      schema:
+        type: string
   schemas:
     UserQuestion:
       type: object

spec/requests/api/v0/conversations_spec.rb

@@ -79,6 +79,42 @@
                     },
                   ]
 
+  it_behaves_like "throttles traffic for an access token",
+                  routes: {
+                    api_v0_show_conversation_path: %i[get],
+                    api_v0_answer_question_path: %i[get],
+                    api_v0_create_conversation_path: %i[post],
+                    api_v0_update_conversation_path: %i[put],
+                    api_v0_answer_feedback_path: %i[post],
+                  },
+                  period: 1.minute do
+                    let(:route_params) do
+                      {
+                        conversation_id: SecureRandom.uuid,
+                        question_id: SecureRandom.uuid,
+                        answer_id: SecureRandom.uuid,
+                      }
+                    end
+                  end
+
+  it_behaves_like "throttles traffic for a single device",
+                  routes: {
+                    api_v0_show_conversation_path: %i[get],
+                    api_v0_answer_question_path: %i[get],
+                    api_v0_create_conversation_path: %i[post],
+                    api_v0_update_conversation_path: %i[put],
+                    api_v0_answer_feedback_path: %i[post],
+                  },
+                  period: 1.minute do
+    let(:route_params) do
+      {
+        conversation_id: SecureRandom.uuid,
+        question_id: SecureRandom.uuid,
+        answer_id: SecureRandom.uuid,
+      }
+    end
+  end
+
   describe "middleware ensures adherance to the OpenAPI specification" do
     context "when the response returned does not conform to the OpenAPI specification" do
       it "raises an error and returns the invalid params in the error message" do

spec/support/rack_attack_examples.rb

@@ -1,44 +1,138 @@
 module RackAttackExamples
-  shared_examples "throttles traffic from a single IP address" do |routes:, limit:, period:|
+  RSpec.shared_context "with rack attack helpers" do
+    def process_request(method, path, headers)
+      process(method.to_sym, public_send(path, **route_params), headers: headers)
+    end
+
+    def expect_throttled_response(method, path, headers)
+      process_request(method, path, headers)
+      expect(response).to have_http_status(:too_many_requests)
+    end
+
+    def expect_not_throttled_response(method, path, headers)
+      process_request(method, path, headers)
+      expect(response).not_to have_http_status(:too_many_requests)
+    end
+  end
+
+  RSpec.shared_examples "throttles traffic from a single IP address" do |routes:, limit:, period:|
+    include_context "with rack attack helpers"
     let(:route_params) { {} }
 
     routes.each do |path, methods|
       methods.each do |method|
-        context "when a single IP address uses it's allowance of traffic to #{method} #{path}", :rack_attack do
-          let(:ip_address) { "1.2.3.4" }
+        context "when a single IP address uses its allowance of traffic to #{method} #{path}", :rack_attack do
+          let(:headers) { { "HTTP_TRUE_CLIENT_IP" => "1.2.3.4" } }
 
           before do
             limit.times do |i|
-              process(method.to_sym,
-                      public_send(path, **route_params),
-                      headers: { "HTTP_TRUE_CLIENT_IP": ip_address })
+              process_request(method, path, headers)
               raise "Returning too_many_requests on request #{i + 1}" if response.status == 429
             end
           end
 
           it "rejects the next request from that IP address" do
-            process(method.to_sym,
-                    public_send(path, **route_params),
-                    headers: { "HTTP_TRUE_CLIENT_IP": ip_address })
-
-            expect(response).to have_http_status(:too_many_requests)
+            expect_throttled_response(method, path, headers)
           end
 
           it "doesn't reject a request from a different IP address" do
-            process(method.to_sym,
-                    public_send(path, **route_params),
-                    headers: { "HTTP_TRUE_CLIENT_IP": "4.5.6.7" })
-
-            expect(response).not_to have_http_status(:too_many_requests)
+            expect_not_throttled_response(method, path, { "HTTP_TRUE_CLIENT_IP" => "4.5.6.7" })
           end
 
           it "doesn't reject a request after the time period" do
             travel_to(Time.current + period + 1.second) do
-              process(method.to_sym,
-                      public_send(path, **route_params),
-                      headers: { "HTTP_TRUE_CLIENT_IP": ip_address })
+              expect_not_throttled_response(method, path, headers)
+            end
+          end
+        end
+      end
+    end
+  end
+
+  shared_examples "throttles traffic for an access token" do |routes:, period:|
+    include_context "with rack attack helpers"
+    let(:route_params) { {} }
+    let(:headers) { { "HTTP_AUTHORIZATION" => "Bearer testtoken123" } }
+
+    before do
+      read_throttle = Rack::Attack.throttles["read requests to Conversations API with token"]
+      allow(read_throttle).to receive(:limit).and_return(1)
+      write_throttle = Rack::Attack.throttles["write requests to Conversations API with token"]
+      allow(write_throttle).to receive(:limit).and_return(1)
+    end
+
+    routes.each do |path, methods|
+      methods.each do |method|
+        context "when an access token exhausts its allowance", :rack_attack do
+          before { process_request(method, path, headers) }
+
+          it "rejects the next request to #{method} #{path} using the same token" do
+            expect_throttled_response(method, path, headers)
+          end
+
+          it "normalises Bearer tokens with different formats" do
+            [
+              "bearer testtoken123",
+              "BEARER testtoken123",
+              " Bearer testtoken123",
+              "Bearer testtoken123 ",
+            ].each do |auth_value|
+              process_request(method, path, { "HTTP_AUTHORIZATION" => auth_value })
+              expect(response).to have_http_status(:too_many_requests)
+            end
+          end
+
+          it "doesn't reject a request to #{method} #{path} using a different token" do
+            expect_not_throttled_response(
+              method,
+              path,
+              { "HTTP_AUTHORIZATION" => "Bearer testtoken456" },
+            )
+          end
+
+          it "doesn't reject a request to #{method} #{path} after the time period" do
+            travel_to(Time.current + period + 1.second) do
+              expect_not_throttled_response(method, path, headers)
+            end
+          end
+        end
+      end
+    end
+  end
 
-              expect(response).not_to have_http_status(:too_many_requests)
+  RSpec.shared_examples "throttles traffic for a single device" do |routes:, period:|
+    include_context "with rack attack helpers"
+    let(:route_params) { {} }
+    let(:headers) { { "HTTP_GOVUK_CHAT_CLIENT_DEVICE_ID" => "test-device-123" } }
+
+    before do
+      read_throttle = Rack::Attack.throttles["read requests to Conversations API with device id"]
+      allow(read_throttle).to receive(:limit).and_return(1)
+
+      write_throttle = Rack::Attack.throttles["write requests to Conversations API with device id"]
+      allow(write_throttle).to receive(:limit).and_return(1)
+    end
+
+    routes.each do |path, methods|
+      methods.each do |method|
+        context "when a user's device uses its allowance", :rack_attack do
+          before { process_request(method, path, headers) }
+
+          it "rejects the next request to #{method} #{path} with the same device ID" do
+            expect_throttled_response(method, path, headers)
+          end
+
+          it "doesn't reject a request to #{method} #{path} with a different device ID" do
+            expect_not_throttled_response(
+              method,
+              path,
+              { "HTTP_GOVUK_CHAT_CLIENT_DEVICE_ID" => "test-device-456" },
+            )
+          end
+
+          it "doesn't reject a request to #{method} #{path} after the time period" do
+            travel_to(Time.current + period + 1.second) do
+              expect_not_throttled_response(method, path, headers)
             end
           end
         end