fix(rateLimiter): correct rate limits (#1183)
## Problem

Our rate limiter is implemented wrongly. A couple of problems exist:

1. Careless conversion of units. The unit of the env var was already ms, but the code assumes it is in s instead. For clarity, renaming the env var from `tokenExpiry` to `tokenExpiryInMs`.
2. We are currently trusting proxy, where we trust the proxy to expose the client IP. The [documentation](https://expressjs.com/en/guide/behind-proxies.html) states that

   > When setting to true, it is important to ensure that the last reverse proxy trusted is removing/overwriting all of the following HTTP headers: X-Forwarded-For, X-Forwarded-Host, and X-Forwarded-Proto otherwise it may be possible for the client to provide any value.

   This is not entirely true from reading Cloudflare's [documentation](https://developers.cloudflare.com/fundamentals/reference/http-request-headers/#x-forwarded-for).

   > If, on the other hand, an X-Forwarded-For header was already present in the request to Cloudflare, Cloudflare will append the IP address of the HTTP proxy connecting to Cloudflare to the header.

This PR uses the recommended approach of using the `CF-Connecting-IP` that Cloudflare [provides](https://developers.cloudflare.com/fundamentals/reference/http-request-headers/#cf-connecting-ip) to assert the IP of the client instead.

Moving forward, we never trust the proxy. When using Cloudflare in production env, we should use the `CF-Connecting-IP` instead to verify the client IP. We continue to use `req.ip` for dev environments.

I have verified that the `cf-incoming-ip` exists in staging env by logging it:

<img width="1310" alt="Screenshot 2024-03-05 at 12 14 04 PM" src="https://github.com/isomerpages/isomercms-backend/assets/42832651/e1fd64ff-f7f7-48c7-bf65-069133786289">

Closes GTA-24-011 WP3.

**Breaking Changes**

<!-- Does this PR contain any backward incompatible changes? If so, what are they and should there be special considerations for release? -->

- [ ] Yes - this PR contains breaking changes
  - Details ...
- [X] No - this PR is backwards compatible with ALL of the following feature flags in this [doc](https://www.notion.so/opengov/Existing-feature-flags-518ad2cdc325420893a105e88c432be5)

## Tests

- [ ] create a file called `ddos.js`

  ```js
  const stg = "https://staging-cms-api.isomer.gov.sg/v2/auth/verify"

  // Helper assumed here: the original script calls it but never defines it.
  function generateRandomIp() {
    return Array.from({ length: 4 }, () => Math.floor(Math.random() * 256)).join(".")
  }

  async function send() {
    try {
      const resp = await fetch(stg, {
        method: "POST",
        body: JSON.stringify({
          email: "[email protected]",
          otp: "111111",
        }),
        headers: {
          "Content-Type": "application/json",
          "X-Forwarded-For": generateRandomIp(),
        },
      })
      const text = await resp.text()
      console.log(text)
      // The RateLimit-* headers tell us which bucket the request landed in
      console.log({
        Limit: resp.headers.get("Ratelimit-Limit"),
        Remaining: resp.headers.get("Ratelimit-Remaining"),
        Reset: resp.headers.get("Ratelimit-Reset"),
      })
    } catch (err) {
      console.log(err.message)
    }
  }

  for (let i = 1; i <= 25; i++) {
    send()
  }
  ```

- [ ] run `node ddos.js` and assert that the reset time is around 84400 (units are in seconds)

Reset value before:

![Screenshot 2024-03-05 at 12 44 20 PM](https://github.com/isomerpages/isomercms-backend/assets/42832651/9cf2360e-0447-471d-8810-5ba7e8465beb)

Reset value after:

![Screenshot 2024-03-05 at 12 45 08 PM](https://github.com/isomerpages/isomercms-backend/assets/42832651/e7c11093-e1cf-4fa6-8541-4317859d232c)