Merge pull request #139 from MatteoGheza/feat_rate_limiter

Support for rate limiter and brute force protection

Author: MatteoGheza

UI/src/app/_components/login/login.component.html

@@ -1,7 +1,7 @@
 <div class="container text-center d-flex justify-content-center mt-5 pt-5">
     <main class="form-signin">
         <h1 class="h3 mb-3 fw-normal">Please sign in</h1>
-        <div class="my-2 text-danger" *ngIf="wrongUsernameOrPassword">Wrong username or password!</div>
+        <div class="my-2 text-danger" *ngIf="!loginResponse.loginOk">{{ loginResponse.message }}</div>
         <div class="form-floating">
             <input type="text" class="form-control" (keydown.enter)="inputPassword.focus()" [(ngModel)]="username" id="username" placeholder="Username">
             <label for="username">Username</label>

UI/src/app/_components/login/login.component.ts

@@ -1,6 +1,6 @@
 import { Component, ElementRef, OnInit, ViewChild } from '@angular/core';
 import { Router } from '@angular/router';
-import { AuthService } from 'src/app/_services/auth.service';
+import { AuthService, LoginResponse } from 'src/app/_services/auth.service';
 
 @Component({
   selector: 'app-login',
@@ -9,7 +9,7 @@ import { AuthService } from 'src/app/_services/auth.service';
 })
 export class LoginComponent {
   public loading = false;
-  public wrongUsernameOrPassword = false;
+  public loginResponse: LoginResponse = {loginOk: false, message: ''};
   public username = "";
   public password = "";
   private type!: "producer" | "settings";
@@ -21,12 +21,11 @@ export class LoginComponent {
   login(): void {
     this.loading = true;
     this.type = this.router.url.endsWith("producer") ? "producer" : "settings";
-    this.authService.login(this.type, this.username, this.password).then((result) => {
+    this.authService.login(this.type, this.username, this.password).then((response: LoginResponse) => {
+      this.loginResponse = response;
       this.loading = false;
-      if (result === true) {
+      if (response.loginOk === true) {
         this.router.navigate([this.type]);
-      } else {
-        this.wrongUsernameOrPassword = true;
       }
     });
   }

UI/src/app/_services/auth.service.ts

@@ -1,6 +1,11 @@
 import { Injectable } from '@angular/core';
 import { SocketService } from './socket.service';
 
+export interface LoginResponse {
+  loginOk: boolean;
+  message: string;
+}
+
 @Injectable({
   providedIn: 'root'
 })
@@ -18,19 +23,17 @@ export class AuthService {
   }
 
   public login(type: "producer" | "settings", username: string, password: string) {
-    return new Promise((resolve) => {
+    return new Promise<LoginResponse>((resolve) => {
       this.socketService.socket.emit("login", type, username, password);
-      this.socketService.socket.once("login_result", (result: boolean) => {
-        if (result === true) {
+      this.socketService.socket.once("login_response", (response: LoginResponse) => {
+        if (response.loginOk === true) {
           if (type == "producer") {
             this._isProducer = true;
           } else {
             this._isAdmin = true;
           }
-          resolve(true);
-        } else {
-          resolve(false);
         }
+        resolve(response);
       })
     })
   }

index.js

@@ -15,6 +15,7 @@ const isPi 						= require('detect-rpi');
 const clc 						= require('cli-color');
 const util 						= require ('util');
 const express 					= require('express');
+const { RateLimiterMemory }		= require('rate-limiter-flexible');
 const bodyParser 				= require('body-parser');
 const axios 					= require('axios');
 const http 						= require('http');
@@ -26,6 +27,21 @@ const jspack 					= require('jspack').jspack;
 const os 						= require('os') // For getting available Network interfaces on host device
 const findRemoveSync            = require('find-remove');
 
+//Rate limiter configurations
+const maxWrongAttemptsByIPperDay = 100;
+const maxConsecutiveFailsByUsernameAndIP = 10;
+const limiterSlowBruteByIP = new RateLimiterMemory({
+  keyPrefix: 'login_fail_ip_per_day',
+  points: maxWrongAttemptsByIPperDay,
+  duration: 60 * 60 * 24, // Store number for 1 day since first fail
+  blockDuration: 60 * 60 * 24, // Block for 1 day
+});
+const limiterConsecutiveFailsByUsernameAndIP = new RateLimiterMemory({
+  keyPrefix: 'login_fail_consecutive_username_and_ip',
+  points: maxConsecutiveFailsByUsernameAndIP,
+  duration: 60 * 60 * 24, // Store number for 1 day since first fail
+  blockDuration: 60 * 60 * 2, // Block for 2 hours
+});
 
 //Tally Arbiter variables
 const listenPort 	= process.env.PORT || 4455;
@@ -741,6 +757,22 @@ function startUp() {
 	});*/
 }
 
+//based on https://stackoverflow.com/a/37096512
+//used in login function for displaying rate limits
+function secondsToHms(d) {
+    d = Number(d);
+    var h = Math.floor(d / 3600);
+    var m = Math.floor(d % 3600 / 60);
+    var s = Math.floor(d % 3600 % 60);
+
+    var hDisplay = h > 0 ? h + (h == 1 ? " hour, " : " hours, ") : "";
+    var mDisplay = m > 0 ? m + (m == 1 ? " minute, " : " minutes, ") : "";
+    var sDisplay = s > 0 ? s + (s == 1 ? " second" : " seconds") : "";
+	hmsString = hDisplay + mDisplay + sDisplay;
+	if(hmsString.endsWith(", ")) hmsString = hmsString.slice(0, -2);
+    return hmsString;
+}
+
 //sets up the REST API and GUI pages and starts the Express server that will listen for incoming requests
 function initialSetup() {
 	logger('Setting up the REST API.', 'info-quiet');
@@ -927,10 +959,39 @@ function initialSetup() {
 	logger('Starting socket.IO Setup.', 'info-quiet');
 
 	io.sockets.on('connection', function(socket) {
+		const ipAddr = socket.handshake.address;
 
 		socket.on('login', function (type, username, password) {
-			socket.emit('login_result', (type === "producer" && username == username_producer && password == password_producer)
-				|| (type === "settings" && username == username_settings && password == password_settings));
+			if((type === "producer" && username == username_producer && password == password_producer)
+			|| (type === "settings" && username == username_settings && password == password_settings)) {
+				//login successfull
+				socket.emit('login_result', true); //old response, for compatibility with old UI clients
+				socket.emit('login_response', { loginOk: true, message: "" });
+			} else {
+				//wrong credentials
+				Promise.all([
+					limiterConsecutiveFailsByUsernameAndIP.consume(ipAddr),
+					limiterSlowBruteByIP.consume(`${username}_${ipAddr}`)
+				]).then((values) => {
+					//rate limits not exceeded
+					let points = values[0].remainingPoints;
+					let message = "Wrong username or password!";
+					if(points < 4) {
+						message += " Remaining attemps:"+points;
+					}
+					socket.emit('login_result', false); //old response, for compatibility with old UI clients
+					socket.emit('login_response', { loginOk: false, message: message });
+				}).catch((error) => {
+					//rate limits exceeded
+					socket.emit('login_result', false); //old response, for compatibility with old UI clients
+					try{
+						retrySecs = Math.round(error.msBeforeNext / 1000) || 1;
+					} catch(e) {
+						retrySecs = Math.round(error[0].msBeforeNext / 1000) || 1;
+					}
+					socket.emit('login_response', { loginOk: false, message: "Too many attemps! Please try "+secondsToHms(retrySecs)+" later." });
+				});
+			}
 		});
 
 		socket.on('version', function() {

package-lock.json

@@ -60,6 +60,7 @@
 		"obs-websocket-js": "^4.0.2",
 		"osc": "^2.4.1",
 		"packet": "0.0.7",
+		"rate-limiter-flexible": "^2.2.4",
 		"socket.io": "4.1.2",
 		"socket.io-client": "4.1.2",
 		"tsl-umd": "^1.1.2",