apostrophe 3.14.2 → 3.15.0

package/CHANGELOG.md

@@ -1,5 +1,11 @@
 # Changelog
 
+## 3.15.0 (2022-03-02)
+
+### Adds
+
+* Adds throttle system based on username (even when not existing), on initial login route. Also added for each late login requirement, e.g. for 2FA attempts.
+
 ## 3.14.2 (2022-02-27)
 
 * Hotfix: fixed a bug introduced by 3.14.1 in which non-parked pages could throw an error during the migration to fix replication issues.

package/modules/@apostrophecms/i18n/i18n/en.json

@@ -178,6 +178,8 @@
   "manageDocType": "Manage {{ type }}",
   "manageDraftSubmissions": "Manage Draft Submissions",
   "managePages": "Manage Pages",
+  "loginMaxAttemptsReached": "Too many attempts. You may try again in a minute.",
+  "loginMaxAttemptsReached_plural": "Too many attempts. You may try again in {{ count }} minutes.",
   "maxLabel": "Max:",
   "maxUi": "Max: {{ number }}",
   "mediaCreatedDate": "Uploaded: {{ createdDate }}",

package/modules/@apostrophecms/login/index.js

@@ -44,6 +44,8 @@ const Promise = require('bluebird');
 const cuid = require('cuid');
 const expressSession = require('express-session');
 
+const loginAttemptsNamespace = '@apostrophecms/loginAttempt';
+
 module.exports = {
   cascades: [ 'requirements' ],
   options: {
@@ -53,7 +55,12 @@ module.exports = {
     csrfExceptions: [
       'login'
     ],
-    bearerTokens: true
+    bearerTokens: true,
+    throttle: {
+      allowedAttempts: 3,
+      perMinutes: 1,
+      lockoutMinutes: 1
+    }
   },
   async init(self) {
     self.passport = new Passport();
@@ -166,8 +173,16 @@ module.exports = {
         },
         async requirementVerify(req) {
           const name = self.apos.launder.string(req.body.name);
+          const loginNamespace = `${loginAttemptsNamespace}/${name}`;
 
-          const { user } = await self.findIncompleteTokenAndUser(req, req.body.incompleteToken);
+          const { user } = await self.findIncompleteTokenAndUser(
+            req,
+            req.body.incompleteToken
+          );
+
+          if (!user) {
+            throw self.apos.error('invalid');
+          }
 
           const requirement = self.requirements[name];
 
@@ -179,7 +194,15 @@ module.exports = {
             throw self.apos.error('invalid', 'You must provide a verify method in your requirement');
           }
 
+          const { cachedAttempts, reached } = await self
+            .checkLoginAttempts(user.username, loginNamespace);
+
+          if (reached) {
+            throw self.apos.error('invalid', req.t('apostrophe:loginMaxAttemptsReached'));
+          }
+
           try {
+
             await requirement.verify(req, req.body.value, user);
 
             const token = await self.bearerTokens.findOne({
@@ -198,8 +221,16 @@ module.exports = {
               $pull: { requirementsToVerify: name }
             });
 
+            await self.clearLoginAttempts(user.username, loginNamespace);
+
             return {};
           } catch (err) {
+            await self.addLoginAttempt(
+              user.username,
+              cachedAttempts,
+              loginNamespace
+            );
+
             err.data = err.data || {};
             err.data.requirement = name;
             throw err;
@@ -553,48 +584,64 @@ module.exports = {
       // Implementation detail of the login route. Log in the user, or if there are
       // `requirements` that require password verification occur first, return an incomplete token.
       async initialLogin(req) {
-        // Initial login step
         const username = self.apos.launder.string(req.body.username);
         const password = self.apos.launder.string(req.body.password);
+
         if (!(username && password)) {
           throw self.apos.error('invalid', req.t('apostrophe:loginPageBothRequired'));
         }
-        const { earlyRequirements, lateRequirements } = self.filterRequirements();
-        for (const [ name, requirement ] of Object.entries(earlyRequirements)) {
-          try {
-            await requirement.verify(req, req.body.requirements && req.body.requirements[name]);
-          } catch (e) {
-            e.data = e.data || {};
-            e.data.requirement = name;
-            throw e;
-          }
+
+        const { cachedAttempts, reached } = await self.checkLoginAttempts(username);
+
+        if (reached) {
+          throw self.apos.error('invalid', req.t('apostrophe:loginMaxAttemptsReached', {
+            count: self.options.throttle.lockoutMinutes
+          }));
         }
-        const user = await self.apos.login.verifyLogin(username, password);
-        if (!user) {
+
+        try {
+          // Initial login step
+          const { earlyRequirements, lateRequirements } = self.filterRequirements();
+          for (const [ name, requirement ] of Object.entries(earlyRequirements)) {
+            try {
+              await requirement.verify(req, req.body.requirements && req.body.requirements[name]);
+            } catch (e) {
+              e.data = e.data || {};
+              e.data.requirement = name;
+              throw e;
+            }
+          }
+          const user = await self.apos.login.verifyLogin(username, password);
+          if (!user) {
           // For security reasons we may not tell the user which case applies
-          throw self.apos.error('invalid', req.t('apostrophe:loginPageBadCredentials'));
-        }
+            throw self.apos.error('invalid', req.t('apostrophe:loginPageBadCredentials'));
+          }
 
-        const requirementsToVerify = Object.keys(lateRequirements);
+          const requirementsToVerify = Object.keys(lateRequirements);
 
-        if (requirementsToVerify.length) {
-          const token = cuid();
+          if (requirementsToVerify.length) {
+            const token = cuid();
+
+            await self.bearerTokens.insert({
+              _id: token,
+              userId: user._id,
+              requirementsToVerify,
+              // Default lifetime of 1 hour is generous to permit situations like
+              // installing a TOTP app for the first time
+              expires: new Date(new Date().getTime() + (self.options.incompleteLifetime || 60 * 60 * 1000))
+            });
+
+            await self.clearLoginAttempts(user.username);
+
+            return {
+              incompleteToken: token
+            };
+          }
 
-          await self.bearerTokens.insert({
-            _id: token,
-            userId: user._id,
-            requirementsToVerify,
-            // Default lifetime of 1 hour is generous to permit situations like
-            // installing a TOTP app for the first time
-            expires: new Date(new Date().getTime() + (self.options.incompleteLifetime || 60 * 60 * 1000))
-          });
-          return {
-            incompleteToken: token
-          };
-        } else {
           const session = self.apos.launder.boolean(req.body.session);
           if (session) {
             await self.passportLogin(req, user);
+            await self.clearLoginAttempts(user.username);
           } else {
             const token = cuid();
             await self.bearerTokens.insert({
@@ -602,17 +649,30 @@ module.exports = {
               userId: user._id,
               expires: new Date(new Date().getTime() + (self.options.bearerTokens.lifetime || (86400 * 7 * 2)) * 1000)
             });
+
+            await self.clearLoginAttempts(user.username);
+
             return {
               token
             };
           }
+        } catch (err) {
+          await self.addLoginAttempt(username, cachedAttempts);
+
+          throw err;
         }
       },
 
       filterRequirements() {
         return {
-          earlyRequirements: Object.fromEntries(Object.entries(self.requirements).filter(([ name, requirement ]) => requirement.phase === 'beforeSubmit')),
-          lateRequirements: Object.fromEntries(Object.entries(self.requirements).filter(([ name, requirement ]) => requirement.phase === 'afterPasswordVerified'))
+          earlyRequirements: Object.fromEntries(
+            Object.entries(self.requirements)
+              .filter(([ _, requirement ]) => requirement.phase === 'beforeSubmit')
+          ),
+          lateRequirements: Object.fromEntries(
+            Object.entries(self.requirements)
+              .filter(([ _, requirement ]) => requirement.phase === 'afterPasswordVerified')
+          )
         };
       },
 
@@ -624,6 +684,63 @@ module.exports = {
           })(user);
         };
         await passportLogin(user);
+      },
+
+      async addLoginAttempt (
+        username,
+        attempts,
+        namespace = loginAttemptsNamespace
+      ) {
+        if (typeof attempts !== 'number') {
+          await self.apos.cache.set(namespace,
+            username,
+            1,
+            self.options.throttle.perMinutes * 60
+          );
+        } else {
+          await self.apos.cache.cacheCollection.updateOne(
+            {
+              namespace,
+              key: username
+            },
+            {
+              $inc: {
+                value: 1
+              }
+            }
+          );
+        }
+      },
+
+      async checkLoginAttempts (username, namespace = loginAttemptsNamespace) {
+        const cachedAttempts = await self.apos.cache.get(namespace, username);
+        const { allowedAttempts } = self.options.throttle;
+
+        if (!cachedAttempts || cachedAttempts < allowedAttempts) {
+          return { cachedAttempts };
+        }
+
+        // When this is the first time we reach the limit
+        // we set the lifetime only once with lockoutMinutes
+        if (cachedAttempts === allowedAttempts) {
+          await self.apos.cache.set(namespace,
+            username,
+            cachedAttempts + 1,
+            self.options.throttle.lockoutMinutes * 60
+          );
+        }
+
+        return {
+          cachedAttempts,
+          reached: true
+        };
+      },
+
+      async clearLoginAttempts (username, namespace = loginAttemptsNamespace) {
+        await self.apos.cache.cacheCollection.deleteOne({
+          namespace,
+          key: username
+        });
       }
     };
   },

package/modules/@apostrophecms/login/ui/apos/components/TheAposLogin.vue

@@ -128,7 +128,8 @@ export default {
       return this.mounted && this.beforeCreateFinished;
     },
     disabled() {
-      return this.doc.hasErrors || !!this.beforeSubmitRequirements.find(requirement => !requirement.done);
+      return this.doc.hasErrors ||
+        !!this.beforeSubmitRequirements.find(requirement => !requirement.done);
     },
     beforeSubmitRequirements() {
       return this.requirements.filter(requirement => requirement.phase === 'beforeSubmit');
@@ -274,12 +275,14 @@ export default {
       location.assign(`${apos.prefix}/`);
     },
     async requirementBlock(requirementBlock) {
-      const requirement = this.requirements.find(requirement => requirement.name === requirementBlock.name);
+      const requirement = this.requirements
+        .find(requirement => requirement.name === requirementBlock.name);
       requirement.done = false;
       requirement.value = undefined;
     },
     async requirementDone(requirementDone, value) {
-      const requirement = this.requirements.find(requirement => requirement.name === requirementDone.name);
+      const requirement = this.requirements
+        .find(requirement => requirement.name === requirementDone.name);
 
       if (requirement.phase === 'beforeSubmit') {
         requirement.done = true;

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "apostrophe",
-  "version": "3.14.2",
+  "version": "3.15.0",
   "description": "The Apostrophe Content Management System.",
   "main": "index.js",
   "scripts": {

package/test/login-requirements.js

@@ -4,6 +4,8 @@ const assert = require('assert');
 let apos;
 
 describe('Login', function() {
+  const extraSecretErr = 'extra secret incorrect';
+  const captchaErr = 'captcha code incorrect';
 
   this.timeout(20000);
 
@@ -30,7 +32,7 @@ describe('Login', function() {
                   },
                   async verify(req, data) {
                     if (data !== 'xyz') {
-                      throw self.apos.error('invalid', 'captcha code incorrect');
+                      throw self.apos.error('invalid', captchaErr);
                     }
                   }
                 },
@@ -45,7 +47,7 @@ describe('Login', function() {
                   },
                   async verify(req, data, user) {
                     if (data !== user.extraSecret) {
-                      throw self.apos.error('invalid', 'extra secret incorrect');
+                      throw self.apos.error('invalid', extraSecretErr);
                     }
                   }
                 }
@@ -119,7 +121,7 @@ describe('Login', function() {
       assert(false);
     } catch (e) {
       assert(e.status === 400);
-      assert.strictEqual(e.body.message, 'captcha code incorrect');
+      assert.strictEqual(e.body.message, captchaErr);
       assert.strictEqual(e.body.data.requirement, 'WeakCaptcha');
     }
 
@@ -167,7 +169,7 @@ describe('Login', function() {
       assert(false);
     } catch (e) {
       assert(e.status === 400);
-      assert.strictEqual(e.body.message, 'captcha code incorrect');
+      assert.strictEqual(e.body.message, captchaErr);
       assert.strictEqual(e.body.data.requirement, 'WeakCaptcha');
     }
 
@@ -182,7 +184,10 @@ describe('Login', function() {
     assert(page.match(/logged out/));
   });
 
-  it('initial login should produce an incompleteToken, convertible with the afterPasswordVerified requirements', async function() {
+  it('should throttle requirements verify attemps and show a proper error when the limit is reached', async function () {
+    const loginModule = apos.modules['@apostrophecms/login'];
+    const { allowedAttempts } = loginModule.options.throttle;
+    const namespace = '@apostrophecms/loginAttempt/ExtraSecret';
 
     const jar = apos.http.jar();
 
@@ -224,6 +229,71 @@ describe('Login', function() {
 
     assert(page.match(/logged out/));
 
+    const token = result.incompleteToken;
+
+    for (let index = 0; index <= allowedAttempts; index++) {
+      try {
+        await apos.http.post('/api/v1/@apostrophecms/login/requirement-verify', {
+          body: {
+            incompleteToken: token,
+            session: true,
+            name: 'ExtraSecret',
+            value: 'roll-off'
+          },
+          jar
+        });
+      } catch ({ status, body }) {
+        if (index < allowedAttempts) {
+          assert(body.message === extraSecretErr);
+        } else {
+          assert(body.message === 'Too many attempts. You may try again in a minute.');
+        }
+      }
+    }
+
+    await loginModule.clearLoginAttempts('HarryPutter', namespace);
+  });
+
+  it('initial login should produce an incompleteToken, convertible with the afterPasswordVerified requirements', async function() {
+
+    const jar = apos.http.jar();
+
+    // establish session
+    let page = await apos.http.get(
+      '/',
+      {
+        jar
+      }
+    );
+
+    const result = await apos.http.post(
+      '/api/v1/@apostrophecms/login/login',
+      {
+        method: 'POST',
+        body: {
+          username: 'HarryPutter',
+          password: 'crookshanks',
+          session: true,
+          requirements: {
+            WeakCaptcha: 'xyz'
+          }
+        },
+        jar
+      }
+    );
+
+    assert(result.incompleteToken);
+
+    // Make sure it did not create a login session prematurely
+    page = await apos.http.get(
+      '/',
+      {
+        jar
+      }
+    );
+
+    assert(page.match(/logged out/));
+
     // Make sure it won't convert with an incorrect ExtraSecret
 
     const token = result.incompleteToken;
@@ -240,7 +310,7 @@ describe('Login', function() {
       });
     } catch ({ status, body }) {
       assert(status === 400);
-      assert.strictEqual(body.message, 'extra secret incorrect');
+      assert.strictEqual(body.message, extraSecretErr);
       assert.strictEqual(body.data.requirement, 'ExtraSecret');
     }
 

package/test/login.js

@@ -41,6 +41,48 @@ describe('Login', function() {
     assert(doc._id);
   });
 
+  it('should throttle login attempts and show a proper error when the limit is reached', async function () {
+    const loginModule = apos.modules['@apostrophecms/login'];
+    const { allowedAttempts } = loginModule.options.throttle;
+    const jar = apos.http.jar();
+    const username = 'HarryPutter';
+    // establish session
+    const page = await apos.http.get(
+      '/',
+      {
+        jar
+      }
+    );
+
+    assert(page.match(/logged out/));
+
+    for (let index = 0; index <= allowedAttempts; index++) {
+      try {
+        await apos.http.post(
+          '/api/v1/@apostrophecms/login/login',
+          {
+            method: 'POST',
+            body: {
+              username,
+              password: 'badpassword',
+              session: true
+            },
+            jar
+          }
+        );
+
+      } catch ({ body }) {
+        if (index < allowedAttempts) {
+          assert(body.message === 'Your credentials are incorrect, or there is no such user');
+        } else {
+          assert(body.message === 'Too many attempts. You may try again in a minute.');
+        }
+      }
+    }
+
+    await loginModule.clearLoginAttempts(username);
+  });
+
   it('should be able to login a user with their username', async function() {
 
     const jar = apos.http.jar();