Merge pull request #63 from wildjames/dev

Rate limit user account actions

Author: wildjames

todoqueue_backend/accounts/tests.py

@@ -8,8 +8,7 @@
 from rest_framework.test import APITestCase, APIClient
 from rest_framework_simplejwt.tokens import RefreshToken
 
-from logging import getLogger, basicConfig, INFO
-basicConfig(level=INFO)
+from logging import getLogger
 logger = getLogger(__name__)
 
 from .serializers import CustomUserSerializer

todoqueue_backend/accounts/utils.py

@@ -0,0 +1,30 @@
+from django.core.cache import cache
+from django.utils import timezone
+from datetime import timedelta
+
+from logging import getLogger, DEBUG, basicConfig
+basicConfig(level=DEBUG)
+logger = getLogger(__name__)
+
+def is_rate_limited(identifier, request_type, max_attempts=5, period=timedelta(hours=1)):
+    """
+    Check if the identifier has exceeded the maximum number of attempts within the period.
+    """
+    logger.debug("Checking rate limit")
+    
+    current_time = timezone.now()
+    cache_key = f"password_reset_attempts_{request_type}_{identifier}"
+    attempts = cache.get(cache_key, [])
+
+    # Filter out attempts older than the rate-limiting period
+    attempts = [attempt for attempt in attempts if current_time - attempt < period]
+
+    logger.debug(f"Endpoint {cache_key} attempts: {len(attempts)}")
+    if len(attempts) >= max_attempts:
+        return True
+
+    # Add the current attempt and update the cache
+    attempts.append(current_time)
+    cache.set(cache_key, attempts, period.total_seconds())
+
+    return False

todoqueue_backend/accounts/views.py

@@ -1,3 +1,4 @@
+from datetime import timedelta
 from logging import getLogger
 from time import sleep
 
@@ -23,6 +24,7 @@
     CustomUserRegistrationSerializer,
     ResetPasswordSerializer,
 )
+from .utils import is_rate_limited
 
 logger = getLogger(__name__)
 
@@ -44,8 +46,10 @@ def get_queryset(self, *args, **kwargs):
     def check_permissions(self, request):
         super().check_permissions(request)
         # If it's a 'list' action and user is not admin, deny access
-        if self.action == 'list' and not request.user.is_staff:
-            raise PermissionDenied("You do not have permission to view the list of users.")
+        if self.action == "list" and not request.user.is_staff:
+            raise PermissionDenied(
+                "You do not have permission to view the list of users."
+            )
 
 
 class AuthView(APIView):
@@ -75,6 +79,15 @@ def post(self, request):
 
 class RegisterView(APIView):
     def post(self, request):
+        # Check if the rate limit has been exceeded
+        if is_rate_limited(
+            request.META['REMOTE_ADDR'], "init_registration", max_attempts=20, period=timedelta(hours=1)
+        ):
+            return Response(
+                {"detail": "Registration requests are limited to 20 per hour."},
+                status=status.HTTP_429_TOO_MANY_REQUESTS,
+            )
+
         logger.info(f"Registering user with email: {request.data['email']}")
         serializer = CustomUserRegistrationSerializer(data=request.data)
 
@@ -156,6 +169,15 @@ def post(self, request):
 
 class ConfirmRegistrationView(APIView):
     def get(self, request, uidb64, token):
+        # Check if the rate limit has been exceeded
+        if is_rate_limited(
+            request.META['REMOTE_ADDR'], "confirm_registration", max_attempts=50, period=timedelta(hours=1)
+        ):
+            return Response(
+                {"detail": "Please stop spamming the confirmation endpoint."},
+                status=status.HTTP_429_TOO_MANY_REQUESTS,
+            )
+
         logger.info(f"Confirming registration for user with uidb64: {uidb64}")
         try:
             uid = force_str(urlsafe_base64_decode(uidb64))
@@ -179,6 +201,15 @@ def get(self, request, uidb64, token):
 
 class ForgotPasswordView(APIView):
     def post(self, request):
+        # Check if the rate limit has been exceeded
+        if is_rate_limited(
+            request.META['REMOTE_ADDR'], "forgot_password", max_attempts=5, period=timedelta(hours=1)
+        ):
+            return Response(
+                {"detail": "Password reset requests are limited to 5 per hour."},
+                status=status.HTTP_429_TOO_MANY_REQUESTS,
+            )
+
         logger.info(
             f"Forgot password request for user with email: {request.data['email']}"
         )
@@ -245,6 +276,15 @@ def post(self, request):
 
 class CompleteForgotPasswordView(APIView):
     def post(self, request, uidb64, token):
+        # Check if the rate limit has been exceeded
+        if is_rate_limited(
+            request.META['REMOTE_ADDR'], "new_password", max_attempts=20, period=timedelta(hours=1)
+        ):
+            return Response(
+                {"detail": "Please stop spamming the password reset endpoint."},
+                status=status.HTTP_429_TOO_MANY_REQUESTS,
+            )
+
         logger.info(f"Completing forgot password for user with uidb64: {uidb64}")
         try:
             uid = force_str(urlsafe_base64_decode(uidb64))

todoqueue_backend/requirements.txt

@@ -5,6 +5,7 @@ distlib==0.3.5
 Django==4.2.5
 django-cors-headers==4.2.0
 django-rest-framework==0.1.0
+django-redis==5.4.0
 djangorestframework==3.14.0
 djangorestframework-simplejwt==5.3.0
 filelock==3.8.0
@@ -13,6 +14,7 @@ mysqlclient==2.2.0
 packaging==23.1
 platformdirs==2.5.2
 pytz==2023.3.post1
+redis==5.0.1
 sqlparse==0.4.4
 typing_extensions==4.7.1
 virtualenv==20.16.3

todoqueue_backend/tasks/utils.py

@@ -1,12 +1,11 @@
 from datetime import timedelta
 from typing import List
-from logging import getLogger, INFO, basicConfig
+from logging import getLogger
 import math
 from profanity_check import predict as is_profane
 import random
 
 logger = getLogger(__name__)
-basicConfig(level=INFO)
 
 
 def renormalize(value, old_range, new_range):

todoqueue_backend/tasks/views.py

@@ -1,5 +1,5 @@
 from datetime import timedelta
-from logging import INFO, basicConfig, getLogger
+from logging import getLogger
 
 from accounts.serializers import CustomUserWithBrowniePointsSerializer
 from django.contrib.auth import get_user_model
@@ -40,7 +40,6 @@
 from .utils import bp_function, parse_duration
 
 logger = getLogger(__name__)
-basicConfig(level=INFO)
 
 
 class ScheduledTaskViewSet(viewsets.ModelViewSet):

todoqueue_backend/todoqueue_backend/settings.py

@@ -21,8 +21,6 @@
 logger = getLogger(__name__)
 
 
-
-
 # Build paths inside the project like this: BASE_DIR / 'subdir'.
 BASE_DIR = Path(__file__).resolve().parent.parent
 
@@ -33,7 +31,7 @@
 SECRET_KEY = config("DJANGO_SECRET", default=os.urandom(32))
 
 # SECURITY WARNING: don't run with debug turned on in production!
-DEBUG = True
+DEBUG = os.environ.get("DJANGO_DEBUG", "false").lower() == "true"
 
 web_port = config("DJANGO_HOST_PORT", default=8000, cast=int)
 logger.info("Whilelisting host for CSRF: {}".format(config("FRONTEND_URL", default=None)))
@@ -129,6 +127,24 @@
     }
 }
 
+if os.environ.get("DJANGO_CACHE_BACKEND", None) == "redis":
+    logger.info("Using RedisCache")
+    CACHES = {
+        "default": {
+            "BACKEND": "django_redis.cache.RedisCache",
+            "LOCATION": os.environ.get("DJANGO_CACHE_LOCATION", "redis://127.0.0.1:6379/1"),
+            "OPTIONS": {
+                "CLIENT_CLASS": "django_redis.client.DefaultClient",
+            }
+        }
+    }
+else:
+    logger.info("Using LocMemCache")
+    CACHES = {
+        'default': {
+            'BACKEND': 'django.core.cache.backends.locmem.LocMemCache',
+        }
+    }
 
 AUTH_USER_MODEL = "accounts.CustomUser"