ORV2-4838 Add AUDIT_LOGIN FF and rate limit (#2105)

Author: praju-aot

database/mssql/scripts/sampledata/dbo.ORBC_FEATURE_FLAG.Table.sql

@@ -461,6 +461,31 @@ VALUES
     N'dbo',
     GETUTCDATE()
   );
+
+INSERT INTO
+  [dbo].[ORBC_FEATURE_FLAG] (
+    [FEATURE_ID],
+    [FEATURE_KEY],
+    [FEATURE_VALUE],
+    [CONCURRENCY_CONTROL_NUMBER],
+    [DB_CREATE_USERID],
+    [DB_CREATE_TIMESTAMP],
+    [DB_LAST_UPDATE_USERID],
+    [DB_LAST_UPDATE_TIMESTAMP]
+  )
+VALUES
+  (
+    '21',
+    'AUDIT_LOGIN',
+    'ENABLED',
+    NULL,
+    N'dbo',
+    GETUTCDATE(),
+    N'dbo',
+    GETUTCDATE()
+  );
+
+
 SET
   IDENTITY_INSERT [dbo].[ORBC_FEATURE_FLAG] OFF
 GO

docker-compose.yml

@@ -58,6 +58,8 @@ services:
       VEHICLES_API_TYPEORM_LOG_LEVEL: ${VEHICLES_API_TYPEORM_LOG_LEVEL}
       VEHICLES_API_MAX_QUERY_EXECUTION_TIME_MS: ${VEHICLES_API_MAX_QUERY_EXECUTION_TIME_MS}
       VEHICLES_API_MSSQL_MAX_CONNECTION: ${VEHICLES_API_MSSQL_MAX_CONNECTION}
+      VEHICLES_API_PUBLIC_AUTH_RATE_LIMIT: ${VEHICLES_API_PUBLIC_AUTH_RATE_LIMIT}
+      VEHICLES_API_PUBLIC_AUTH_THROTTLER_TTL_MS: ${VEHICLES_API_PUBLIC_AUTH_THROTTLER_TTL_MS}
       DB_TYPE: ${DB_TYPE}
       MSSQL_HOST: sql-server-db
       MSSQL_PORT: ${MSSQL_PORT}

vehicles/package-lock.json

@@ -56,6 +56,7 @@
     "@nestjs/schematics": "^10.2.3",
     "@nestjs/swagger": "^7.4.2",
     "@nestjs/testing": "^10.4.15",
+    "@nestjs/throttler": "^6.4.0",
     "@nestjs/typeorm": "^10.0.2",
     "@types/response-time": "^2.3.8",
     "cache-manager": "^5.7.6",

vehicles/package.json

@@ -40,12 +40,21 @@ import { CreditAccountModule } from './modules/credit-account/credit-account.mod
 import { SpecialAuthModule } from './modules/special-auth/special-auth.module';
 import { CaseManagementModule } from './modules/case-management/case-management.module';
 import { VersionMatchMiddleware } from './common/middleware/version.middleware';
+import { ThrottlerModule } from '@nestjs/throttler';
 
 const envPath = path.resolve(process.cwd() + '/../');
 
 @Module({
   imports: [
     ConfigModule.forRoot({ envFilePath: `${envPath}/.env` }),
+    ThrottlerModule.forRoot({
+      throttlers: [
+        {
+          ttl: +process.env.VEHICLES_API_PUBLIC_AUTH_THROTTLER_TTL_MS || 60000,
+          limit: +process.env.VEHICLES_API_PUBLIC_AUTH_RATE_LIMIT || 100,
+        },
+      ],
+    }),
     // Register the ClsModule,
     ClsModule.forRoot({
       global: true,

vehicles/src/app.module.ts

@@ -3,10 +3,12 @@ import {
   Controller,
   ForbiddenException,
   Get,
+  Inject,
   Param,
   Post,
   Query,
   Req,
+  UseGuards,
 } from '@nestjs/common';
 
 import {
@@ -37,6 +39,10 @@ import {
   IDIR_USER_ROLE_LIST,
 } from '../../../common/enum/user-role.enum';
 import { doesUserHaveRole } from '../../../common/helper/auth.helper';
+import { isFeatureEnabled } from '../../../common/helper/common.helper';
+import { CACHE_MANAGER } from '@nestjs/cache-manager';
+import { Cache } from 'cache-manager';
+import { ThrottlerGuard } from '@nestjs/throttler';
 
 @ApiTags('Company and User Management - User')
 @ApiBadRequestResponse({
@@ -58,7 +64,11 @@ import { doesUserHaveRole } from '../../../common/helper/auth.helper';
 @ApiBearerAuth()
 @Controller('users')
 export class UsersController {
-  constructor(private readonly userService: UsersService) {}
+  constructor(
+    private readonly userService: UsersService,
+    @Inject(CACHE_MANAGER)
+    private readonly cacheManager: Cache,
+  ) {}
 
   /**
    * A POST method defined with a route of
@@ -79,6 +89,7 @@ export class UsersController {
       'It supports different identity providers, including IDIR and general ORBC user flows.',
   })
   @AuthOnly()
+  @UseGuards(ThrottlerGuard)
   @Post('user-context')
   async find(@Req() request: Request): Promise<ReadUserOrbcStatusDto> {
     const currentUser = request.user as IUserJWT;
@@ -89,7 +100,9 @@ export class UsersController {
     } else {
       userExists = await this.userService.findORBCUser(currentUser);
     }
-    await this.userService.saveLoginInformation(currentUser, userExists);
+    if (await isFeatureEnabled(this.cacheManager, 'AUDIT_LOGIN')) {
+      await this.userService.saveLoginInformation(currentUser, userExists);
+    }
     return userExists;
   }
 

vehicles/src/modules/company-user-management/users/users.controller.ts

@@ -39,6 +39,9 @@ import { readRedCompanyMetadataDtoMock } from 'test/util/mocks/data/company.mock
 import { App } from 'supertest/types';
 import { CompanyUser } from '../../src/modules/company-user-management/users/entities/company-user.entity';
 import { Login } from '../../src/modules/company-user-management/users/entities/login.entity';
+import { CACHE_MANAGER } from '@nestjs/cache-manager';
+import { ThrottlerGuard, ThrottlerModule } from '@nestjs/throttler';
+import { APP_GUARD } from '@nestjs/core';
 
 let repo: DeepMocked<Repository<User>>;
 let repoCompanyUser: DeepMocked<Repository<CompanyUser>>;
@@ -48,6 +51,8 @@ let pendingUsersServiceMock: DeepMocked<PendingUsersService>;
 let pendingIdirUsersServiceMock: DeepMocked<PendingIdirUsersService>;
 let companyServiceMock: DeepMocked<CompanyService>;
 
+let cacheManager: DeepMocked<Cache>;
+
 describe('Users (e2e)', () => {
   let app: INestApplication<Express.Application>;
 
@@ -60,11 +65,24 @@ describe('Users (e2e)', () => {
     pendingUsersServiceMock = createMock<PendingUsersService>();
     pendingIdirUsersServiceMock = createMock<PendingIdirUsersService>();
     companyServiceMock = createMock<CompanyService>();
+    cacheManager = createMock<Cache>();
     const dataSourceMock = dataSourceMockFactory() as DataSource;
     const moduleFixture: TestingModule = await Test.createTestingModule({
-      imports: [AutomapperModule],
+      imports: [
+        AutomapperModule,
+        ThrottlerModule.forRoot({
+          throttlers: [
+            {
+              ttl: +process.env.PUBLIC_API_THROTTLER_TTL_MS || 60000,
+              limit: +process.env.PUBLIC_API_RATE_LIMIT || 100,
+            },
+          ],
+        }),
+      ],
       providers: [
         UsersService,
+        { provide: CACHE_MANAGER, useValue: cacheManager },
+        { provide: APP_GUARD, useValue: ThrottlerGuard },
         {
           provide: getRepositoryToken(User),
           useValue: repo,

vehicles/test/e2e/users.e2e-spec.ts

@@ -19,6 +19,9 @@ import { IUserJWT } from '../../../src/common/interface/user-jwt.interface';
 import { GetStaffUserQueryParamsDto } from '../../../src/modules/company-user-management/users/dto/request/queryParam/getStaffUser.query-params.dto';
 import { IDIRUserRole } from '../../../src/common/enum/user-role.enum';
 import { BadRequestException } from '@nestjs/common';
+import { CACHE_MANAGER } from '@nestjs/cache-manager';
+import { ThrottlerGuard, ThrottlerModule } from '@nestjs/throttler';
+import { APP_GUARD } from '@nestjs/core';
 
 const COMPANY_ID_99 = 99;
 let userService: DeepMocked<UsersService>;
@@ -28,15 +31,32 @@ interface FindUsersDtoMockParameters {
   companyId?: number[];
 }
 
+let cacheManager: DeepMocked<Cache>;
+
 describe('UsersController', () => {
   let controller: UsersController;
 
   beforeEach(async () => {
     jest.clearAllMocks();
     userService = createMock<UsersService>();
+    cacheManager = createMock<Cache>();
     const module: TestingModule = await Test.createTestingModule({
+      imports: [
+        ThrottlerModule.forRoot({
+          throttlers: [
+            {
+              ttl: +process.env.PUBLIC_API_THROTTLER_TTL_MS || 60000,
+              limit: +process.env.PUBLIC_API_RATE_LIMIT || 100,
+            },
+          ],
+        }),
+      ],
       controllers: [UsersController],
-      providers: [{ provide: UsersService, useValue: userService }],
+      providers: [
+        { provide: UsersService, useValue: userService },
+        { provide: CACHE_MANAGER, useValue: cacheManager },
+        { provide: APP_GUARD, useValue: ThrottlerGuard },
+      ],
     }).compile();
 
     controller = module.get<UsersController>(UsersController);