Enable bruteforce protection on login endpoint
This commit is contained in:
parent
9943df4952
commit
886bae32c8
@ -1,11 +1,24 @@
|
|||||||
use std::collections::HashMap;
|
use std::collections::HashMap;
|
||||||
use std::net::IpAddr;
|
use std::net::IpAddr;
|
||||||
|
|
||||||
use actix::{Actor, AsyncContext, Context};
|
use actix::{Actor, AsyncContext, Context, Handler, Message};
|
||||||
|
|
||||||
use crate::constants::{FAIL_LOGIN_ATTEMPT_CLEANUP_INTERVAL, KEEP_FAILED_LOGIN_ATTEMPTS_FOR};
|
use crate::constants::{FAIL_LOGIN_ATTEMPT_CLEANUP_INTERVAL, KEEP_FAILED_LOGIN_ATTEMPTS_FOR};
|
||||||
use crate::utils::time::time;
|
use crate::utils::time::time;
|
||||||
|
|
||||||
|
#[derive(Message)]
|
||||||
|
#[rtype(result = "()")]
|
||||||
|
pub struct RecordFailedAttempt {
|
||||||
|
pub ip: IpAddr,
|
||||||
|
}
|
||||||
|
|
||||||
|
#[derive(Message)]
|
||||||
|
#[rtype(result = "usize")]
|
||||||
|
pub struct CountFailedAttempt {
|
||||||
|
pub ip: IpAddr,
|
||||||
|
}
|
||||||
|
|
||||||
|
|
||||||
#[derive(Debug, Default)]
|
#[derive(Debug, Default)]
|
||||||
pub struct BruteForceActor {
|
pub struct BruteForceActor {
|
||||||
failed_attempts: HashMap<IpAddr, Vec<u64>>,
|
failed_attempts: HashMap<IpAddr, Vec<u64>>,
|
||||||
@ -55,6 +68,22 @@ impl Actor for BruteForceActor {
|
|||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
|
||||||
|
impl Handler<RecordFailedAttempt> for BruteForceActor {
|
||||||
|
type Result = ();
|
||||||
|
|
||||||
|
fn handle(&mut self, attempt: RecordFailedAttempt, _ctx: &mut Self::Context) -> Self::Result {
|
||||||
|
self.insert_failed_attempt(attempt.ip)
|
||||||
|
}
|
||||||
|
}
|
||||||
|
|
||||||
|
impl Handler<CountFailedAttempt> for BruteForceActor {
|
||||||
|
type Result = usize;
|
||||||
|
|
||||||
|
fn handle(&mut self, attempt: CountFailedAttempt, _ctx: &mut Self::Context) -> Self::Result {
|
||||||
|
self.count_failed_attempts(&attempt.ip)
|
||||||
|
}
|
||||||
|
}
|
||||||
|
|
||||||
#[cfg(test)]
|
#[cfg(test)]
|
||||||
mod test {
|
mod test {
|
||||||
use std::net::{IpAddr, Ipv4Addr};
|
use std::net::{IpAddr, Ipv4Addr};
|
||||||
|
@ -33,5 +33,5 @@ pub const LOGIN_ROUTE: &str = "/login";
|
|||||||
|
|
||||||
/// Bruteforce protection
|
/// Bruteforce protection
|
||||||
pub const KEEP_FAILED_LOGIN_ATTEMPTS_FOR: u64 = 3600;
|
pub const KEEP_FAILED_LOGIN_ATTEMPTS_FOR: u64 = 3600;
|
||||||
pub const MAX_FAILED_LOGIN_ATTEMPTS: u64 = 15;
|
pub const MAX_FAILED_LOGIN_ATTEMPTS: usize = 15;
|
||||||
pub const FAIL_LOGIN_ATTEMPT_CLEANUP_INTERVAL: Duration = Duration::from_secs(60);
|
pub const FAIL_LOGIN_ATTEMPT_CLEANUP_INTERVAL: Duration = Duration::from_secs(60);
|
@ -1,6 +1,7 @@
|
|||||||
use std::fmt::Display;
|
use std::fmt::Display;
|
||||||
|
|
||||||
use actix_web::HttpResponse;
|
use actix_web::HttpResponse;
|
||||||
|
use askama::Template;
|
||||||
|
|
||||||
use crate::constants::LOGIN_ROUTE;
|
use crate::constants::LOGIN_ROUTE;
|
||||||
|
|
||||||
@ -24,3 +25,10 @@ pub fn redirect_user_for_login<P: Display>(redirect_uri: P) -> HttpResponse {
|
|||||||
))
|
))
|
||||||
.finish()
|
.finish()
|
||||||
}
|
}
|
||||||
|
|
||||||
|
/// Fatal error page message
|
||||||
|
#[derive(Template)]
|
||||||
|
#[template(path = "fatal_error.html")]
|
||||||
|
pub struct FatalErrorPage {
|
||||||
|
pub message: &'static str,
|
||||||
|
}
|
@ -1,13 +1,16 @@
|
|||||||
use actix::Addr;
|
use actix::Addr;
|
||||||
use actix_identity::Identity;
|
use actix_identity::Identity;
|
||||||
use actix_web::{web, HttpResponse, Responder};
|
use actix_web::{HttpRequest, HttpResponse, Responder, web};
|
||||||
use askama::Template;
|
use askama::Template;
|
||||||
|
|
||||||
use crate::actors::users_actor;
|
use crate::actors::{bruteforce_actor, users_actor};
|
||||||
|
use crate::actors::bruteforce_actor::BruteForceActor;
|
||||||
use crate::actors::users_actor::{ChangePasswordResult, LoginResult, UsersActor};
|
use crate::actors::users_actor::{ChangePasswordResult, LoginResult, UsersActor};
|
||||||
use crate::constants::{APP_NAME, MIN_PASS_LEN};
|
use crate::constants::{APP_NAME, MAX_FAILED_LOGIN_ATTEMPTS, MIN_PASS_LEN};
|
||||||
use crate::controllers::base_controller::redirect_user;
|
use crate::controllers::base_controller::{FatalErrorPage, redirect_user};
|
||||||
|
use crate::data::app_config::AppConfig;
|
||||||
use crate::data::session_identity::{SessionIdentity, SessionStatus};
|
use crate::data::session_identity::{SessionIdentity, SessionStatus};
|
||||||
|
use crate::utils::network_utils::{get_remote_ip, parse_ip};
|
||||||
|
|
||||||
#[derive(Template)]
|
#[derive(Template)]
|
||||||
#[template(path = "base_login_page.html")]
|
#[template(path = "base_login_page.html")]
|
||||||
@ -47,15 +50,38 @@ pub struct LoginRequestQuery {
|
|||||||
|
|
||||||
/// Authenticate user
|
/// Authenticate user
|
||||||
pub async fn login_route(
|
pub async fn login_route(
|
||||||
|
http_req: HttpRequest,
|
||||||
users: web::Data<Addr<UsersActor>>,
|
users: web::Data<Addr<UsersActor>>,
|
||||||
|
bruteforce: web::Data<Addr<BruteForceActor>>,
|
||||||
query: web::Query<LoginRequestQuery>,
|
query: web::Query<LoginRequestQuery>,
|
||||||
req: Option<web::Form<LoginRequestBody>>,
|
req: Option<web::Form<LoginRequestBody>>,
|
||||||
|
config: web::Data<AppConfig>,
|
||||||
id: Identity,
|
id: Identity,
|
||||||
) -> impl Responder {
|
) -> impl Responder {
|
||||||
let mut danger = String::new();
|
let mut danger = String::new();
|
||||||
let mut success = String::new();
|
let mut success = String::new();
|
||||||
let mut login = String::new();
|
let mut login = String::new();
|
||||||
|
|
||||||
|
let remote_ip = match parse_ip(&get_remote_ip(&http_req, config.proxy_ip.as_deref())) {
|
||||||
|
None => return HttpResponse::InternalServerError().body(
|
||||||
|
FatalErrorPage {
|
||||||
|
message: "Failed to determine remote ip address!"
|
||||||
|
}.render().unwrap()
|
||||||
|
),
|
||||||
|
Some(i) => i,
|
||||||
|
};
|
||||||
|
|
||||||
|
let failed_attempts = bruteforce.send(bruteforce_actor::CountFailedAttempt { ip: remote_ip })
|
||||||
|
.await.unwrap();
|
||||||
|
|
||||||
|
if failed_attempts > MAX_FAILED_LOGIN_ATTEMPTS {
|
||||||
|
return HttpResponse::InternalServerError().body(
|
||||||
|
FatalErrorPage {
|
||||||
|
message: "Too many failed login attempts, please try again later!"
|
||||||
|
}.render().unwrap()
|
||||||
|
);
|
||||||
|
}
|
||||||
|
|
||||||
let redirect_uri = match query.redirect.as_deref() {
|
let redirect_uri = match query.redirect.as_deref() {
|
||||||
None => "/",
|
None => "/",
|
||||||
Some(s) => match s.starts_with('/') && !s.starts_with("//") {
|
Some(s) => match s.starts_with('/') && !s.starts_with("//") {
|
||||||
@ -125,8 +151,10 @@ pub async fn login_route(
|
|||||||
}
|
}
|
||||||
|
|
||||||
c => {
|
c => {
|
||||||
log::warn!("Failed login for username {} : {:?}", login, c);
|
log::warn!("Failed login for ip {:?} / username {}: {:?}", remote_ip, login, c);
|
||||||
danger = "Login failed.".to_string();
|
danger = "Login failed.".to_string();
|
||||||
|
|
||||||
|
bruteforce.send(bruteforce_actor::RecordFailedAttempt { ip: remote_ip }).await.unwrap();
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
@ -144,8 +172,8 @@ pub async fn login_route(
|
|||||||
},
|
},
|
||||||
min_pass_len: MIN_PASS_LEN,
|
min_pass_len: MIN_PASS_LEN,
|
||||||
}
|
}
|
||||||
.render()
|
.render()
|
||||||
.unwrap(),
|
.unwrap(),
|
||||||
);
|
);
|
||||||
}
|
}
|
||||||
|
|
||||||
@ -160,8 +188,8 @@ pub async fn login_route(
|
|||||||
},
|
},
|
||||||
login,
|
login,
|
||||||
}
|
}
|
||||||
.render()
|
.render()
|
||||||
.unwrap(),
|
.unwrap(),
|
||||||
)
|
)
|
||||||
}
|
}
|
||||||
|
|
||||||
|
@ -23,6 +23,10 @@ pub struct AppConfig {
|
|||||||
/// Website origin
|
/// Website origin
|
||||||
#[clap(short, long, env, default_value = "http://localhost:8000")]
|
#[clap(short, long, env, default_value = "http://localhost:8000")]
|
||||||
pub website_origin: String,
|
pub website_origin: String,
|
||||||
|
|
||||||
|
/// Proxy IP, might end with a star "*"
|
||||||
|
#[clap(short, long, env)]
|
||||||
|
pub proxy_ip: Option<String>,
|
||||||
}
|
}
|
||||||
|
|
||||||
impl AppConfig {
|
impl AppConfig {
|
||||||
|
@ -1,20 +1,20 @@
|
|||||||
//! # Authentication middleware
|
//! # Authentication middleware
|
||||||
|
|
||||||
use std::future::{ready, Future, Ready};
|
use std::future::{Future, ready, Ready};
|
||||||
use std::pin::Pin;
|
use std::pin::Pin;
|
||||||
use std::rc::Rc;
|
use std::rc::Rc;
|
||||||
|
|
||||||
use actix_identity::RequestIdentity;
|
use actix_identity::RequestIdentity;
|
||||||
use actix_web::body::EitherBody;
|
|
||||||
use actix_web::http::{header, Method};
|
|
||||||
use actix_web::{
|
use actix_web::{
|
||||||
dev::{forward_ready, Service, ServiceRequest, ServiceResponse, Transform},
|
dev::{forward_ready, Service, ServiceRequest, ServiceResponse, Transform},
|
||||||
web, Error, HttpResponse,
|
Error, HttpResponse, web,
|
||||||
};
|
};
|
||||||
|
use actix_web::body::EitherBody;
|
||||||
|
use actix_web::http::{header, Method};
|
||||||
use askama::Template;
|
use askama::Template;
|
||||||
|
|
||||||
use crate::constants::{ADMIN_ROUTES, AUTHENTICATED_ROUTES};
|
use crate::constants::{ADMIN_ROUTES, AUTHENTICATED_ROUTES};
|
||||||
use crate::controllers::base_controller::redirect_user_for_login;
|
use crate::controllers::base_controller::{FatalErrorPage, redirect_user_for_login};
|
||||||
use crate::data::app_config::AppConfig;
|
use crate::data::app_config::AppConfig;
|
||||||
use crate::data::session_identity::{SessionIdentity, SessionIdentityData, SessionStatus};
|
use crate::data::session_identity::{SessionIdentity, SessionIdentityData, SessionStatus};
|
||||||
|
|
||||||
@ -28,10 +28,10 @@ pub struct AuthMiddleware;
|
|||||||
// `S` - type of the next service
|
// `S` - type of the next service
|
||||||
// `B` - type of response's body
|
// `B` - type of response's body
|
||||||
impl<S, B> Transform<S, ServiceRequest> for AuthMiddleware
|
impl<S, B> Transform<S, ServiceRequest> for AuthMiddleware
|
||||||
where
|
where
|
||||||
S: Service<ServiceRequest, Response = ServiceResponse<B>, Error = Error> + 'static,
|
S: Service<ServiceRequest, Response=ServiceResponse<B>, Error=Error> + 'static,
|
||||||
S::Future: 'static,
|
S::Future: 'static,
|
||||||
B: 'static,
|
B: 'static,
|
||||||
{
|
{
|
||||||
type Response = ServiceResponse<EitherBody<B>>;
|
type Response = ServiceResponse<EitherBody<B>>;
|
||||||
type Error = Error;
|
type Error = Error;
|
||||||
@ -63,25 +63,22 @@ impl ConnStatus {
|
|||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
|
||||||
#[derive(Template)]
|
|
||||||
#[template(path = "access_denied.html")]
|
|
||||||
struct AccessDeniedTemplate {}
|
|
||||||
|
|
||||||
pub struct AuthInnerMiddleware<S> {
|
pub struct AuthInnerMiddleware<S> {
|
||||||
service: Rc<S>,
|
service: Rc<S>,
|
||||||
}
|
}
|
||||||
|
|
||||||
impl<S, B> Service<ServiceRequest> for AuthInnerMiddleware<S>
|
impl<S, B> Service<ServiceRequest> for AuthInnerMiddleware<S>
|
||||||
where
|
where
|
||||||
S: Service<ServiceRequest, Response = ServiceResponse<B>, Error = Error> + 'static,
|
S: Service<ServiceRequest, Response=ServiceResponse<B>, Error=Error> + 'static,
|
||||||
S::Future: 'static,
|
S::Future: 'static,
|
||||||
B: 'static,
|
B: 'static,
|
||||||
{
|
{
|
||||||
type Response = ServiceResponse<EitherBody<B>>;
|
type Response = ServiceResponse<EitherBody<B>>;
|
||||||
type Error = Error;
|
type Error = Error;
|
||||||
|
|
||||||
#[allow(clippy::type_complexity)]
|
#[allow(clippy::type_complexity)]
|
||||||
type Future = Pin<Box<dyn Future<Output = Result<Self::Response, Self::Error>>>>;
|
type Future = Pin<Box<dyn Future<Output=Result<Self::Response, Self::Error>>>>;
|
||||||
|
|
||||||
forward_ready!(service);
|
forward_ready!(service);
|
||||||
|
|
||||||
@ -120,21 +117,21 @@ where
|
|||||||
|
|
||||||
let session = match SessionIdentity::deserialize_session_data(req.get_identity()) {
|
let session = match SessionIdentity::deserialize_session_data(req.get_identity()) {
|
||||||
Some(SessionIdentityData {
|
Some(SessionIdentityData {
|
||||||
status: SessionStatus::SignedIn,
|
status: SessionStatus::SignedIn,
|
||||||
is_admin: true,
|
is_admin: true,
|
||||||
..
|
..
|
||||||
}) => ConnStatus::Admin,
|
}) => ConnStatus::Admin,
|
||||||
Some(SessionIdentityData {
|
Some(SessionIdentityData {
|
||||||
status: SessionStatus::SignedIn,
|
status: SessionStatus::SignedIn,
|
||||||
..
|
..
|
||||||
}) => ConnStatus::RegularUser,
|
}) => ConnStatus::RegularUser,
|
||||||
_ => ConnStatus::SignedOut,
|
_ => ConnStatus::SignedOut,
|
||||||
};
|
};
|
||||||
|
|
||||||
// Redirect user to login page
|
// Redirect user to login page
|
||||||
if !session.is_auth()
|
if !session.is_auth()
|
||||||
&& (req.path().starts_with(ADMIN_ROUTES)
|
&& (req.path().starts_with(ADMIN_ROUTES)
|
||||||
|| req.path().starts_with(AUTHENTICATED_ROUTES))
|
|| req.path().starts_with(AUTHENTICATED_ROUTES))
|
||||||
{
|
{
|
||||||
let path = req.path().to_string();
|
let path = req.path().to_string();
|
||||||
return Ok(req
|
return Ok(req
|
||||||
@ -147,7 +144,9 @@ where
|
|||||||
return Ok(req
|
return Ok(req
|
||||||
.into_response(
|
.into_response(
|
||||||
HttpResponse::Unauthorized()
|
HttpResponse::Unauthorized()
|
||||||
.body(AccessDeniedTemplate {}.render().unwrap()),
|
.body(FatalErrorPage {
|
||||||
|
message: "You are not allowed to access this resource."
|
||||||
|
}.render().unwrap()),
|
||||||
)
|
)
|
||||||
.map_into_right_body());
|
.map_into_right_body());
|
||||||
}
|
}
|
||||||
|
@ -1,2 +1,3 @@
|
|||||||
pub mod err;
|
pub mod err;
|
||||||
pub mod time;
|
pub mod time;
|
||||||
|
pub mod network_utils;
|
102
src/utils/network_utils.rs
Normal file
102
src/utils/network_utils.rs
Normal file
@ -0,0 +1,102 @@
|
|||||||
|
use std::net::{IpAddr, Ipv6Addr};
|
||||||
|
use std::str::FromStr;
|
||||||
|
|
||||||
|
use actix_web::HttpRequest;
|
||||||
|
|
||||||
|
/// Check if two ips matches
|
||||||
|
pub fn match_ip(pattern: &str, ip: &str) -> bool {
|
||||||
|
if pattern.eq(ip) {
|
||||||
|
return true;
|
||||||
|
}
|
||||||
|
|
||||||
|
if pattern.ends_with('*') && ip.starts_with(&pattern.replace('*', "")) {
|
||||||
|
return true;
|
||||||
|
}
|
||||||
|
|
||||||
|
false
|
||||||
|
}
|
||||||
|
|
||||||
|
|
||||||
|
/// Get the remote IP address
|
||||||
|
pub fn get_remote_ip(req: &HttpRequest, proxy_ip: Option<&str>) -> String {
|
||||||
|
let mut ip = req.peer_addr().unwrap().ip().to_string();
|
||||||
|
|
||||||
|
// We check if the request comes from a trusted reverse proxy
|
||||||
|
if let Some(proxy) = proxy_ip.as_ref() {
|
||||||
|
if match_ip(proxy, &ip) {
|
||||||
|
if let Some(header) = req.headers().get("X-Forwarded-For") {
|
||||||
|
let header: Vec<String> = header
|
||||||
|
.to_str()
|
||||||
|
.unwrap()
|
||||||
|
.to_string()
|
||||||
|
.split(',')
|
||||||
|
.map(|f| f.to_string())
|
||||||
|
.collect();
|
||||||
|
|
||||||
|
if !header.is_empty() {
|
||||||
|
ip = header[0].to_string();
|
||||||
|
}
|
||||||
|
}
|
||||||
|
}
|
||||||
|
}
|
||||||
|
|
||||||
|
ip
|
||||||
|
}
|
||||||
|
|
||||||
|
/// Parse an IP address
|
||||||
|
pub fn parse_ip(ip: &str) -> Option<IpAddr> {
|
||||||
|
let mut ip = match IpAddr::from_str(ip) {
|
||||||
|
Ok(ip) => ip,
|
||||||
|
Err(e) => {
|
||||||
|
log::warn!("Failed to parse an IP address: {}", e);
|
||||||
|
return None;
|
||||||
|
}
|
||||||
|
};
|
||||||
|
|
||||||
|
if let IpAddr::V6(ipv6) = &mut ip {
|
||||||
|
let mut octets = ipv6.octets();
|
||||||
|
for i in 8..16 {
|
||||||
|
octets[i] = 0;
|
||||||
|
}
|
||||||
|
ip = IpAddr::V6(Ipv6Addr::from(octets));
|
||||||
|
}
|
||||||
|
|
||||||
|
Some(ip)
|
||||||
|
}
|
||||||
|
|
||||||
|
#[cfg(test)]
|
||||||
|
mod test {
|
||||||
|
use std::net::{IpAddr, Ipv4Addr, Ipv6Addr};
|
||||||
|
|
||||||
|
use crate::utils::network_utils::parse_ip;
|
||||||
|
|
||||||
|
#[test]
|
||||||
|
fn parse_bad_ip() {
|
||||||
|
let ip = parse_ip("badbad");
|
||||||
|
assert_eq!(None, ip);
|
||||||
|
}
|
||||||
|
|
||||||
|
#[test]
|
||||||
|
fn parse_ip_v4_address() {
|
||||||
|
let ip = parse_ip("192.168.1.1").unwrap();
|
||||||
|
assert_eq!(ip, IpAddr::V4(Ipv4Addr::new(192, 168, 1, 1)));
|
||||||
|
}
|
||||||
|
|
||||||
|
#[test]
|
||||||
|
fn parse_ip_v6_address() {
|
||||||
|
let ip = parse_ip("2a00:1450:4007:813::200e").unwrap();
|
||||||
|
assert_eq!(ip, IpAddr::V6(Ipv6Addr::new(0x2a00, 0x1450, 0x4007, 0x813, 0, 0, 0, 0)));
|
||||||
|
}
|
||||||
|
|
||||||
|
#[test]
|
||||||
|
fn parse_ip_v6_address_2() {
|
||||||
|
let ip = parse_ip("::1").unwrap();
|
||||||
|
assert_eq!(ip, IpAddr::V6(Ipv6Addr::new(0, 0, 0, 0, 0, 0, 0, 0)));
|
||||||
|
}
|
||||||
|
|
||||||
|
#[test]
|
||||||
|
fn parse_ip_v6_address_3() {
|
||||||
|
let ip = parse_ip("a::1").unwrap();
|
||||||
|
assert_eq!(ip, IpAddr::V6(Ipv6Addr::new(0xa, 0, 0, 0, 0, 0, 0, 0)));
|
||||||
|
}
|
||||||
|
}
|
@ -7,6 +7,6 @@
|
|||||||
<link href="/assets/css/bootstrap.css" rel="stylesheet" crossorigin="anonymous"/>
|
<link href="/assets/css/bootstrap.css" rel="stylesheet" crossorigin="anonymous"/>
|
||||||
</head>
|
</head>
|
||||||
<body>
|
<body>
|
||||||
<p>You are not allowed to access this resource.</p>
|
<p>{{ message }}</p>
|
||||||
</body>
|
</body>
|
||||||
</html>
|
</html>
|
Loading…
Reference in New Issue
Block a user