Rate limit admin login requests

gmjimenezc · gmjimenezc · commit 7531a43e1703 · 2025-02-21T21:35:18.000-05:00
diff --git a/config/config.yml b/config/config.yml
@@ -189,6 +189,8 @@ RATE_LIMIT_NUMBER: 300
 RATE_LIMIT_PERIOD: 300
 RATE_LIMIT_LOGIN_ATTEMPTS: 5
 RATE_LIMIT_LOGIN_PERIOD: 20
+RATE_LIMIT_ADMIN_LOGIN_ATTEMPTS: 10
+RATE_LIMIT_ADMIN_LOGIN_PERIOD: 300
 RATE_LIMIT_PER_NGINX_UPSTREAM:
   unicorn_elastic:
     limit: 300
diff --git a/config/initializers/rack_attack.rb b/config/initializers/rack_attack.rb
@@ -81,6 +81,24 @@ class Rack::Attack
     req.params.dig("user", "login").presence if req.path == "/users/login" && req.post?
   end
   
+    ### Add Rate Limits for Admin Login ###
+    admin_login_limit = ArchiveConfig.RATE_LIMIT_ADMIN_LOGIN_ATTEMPTS
+    admin_login_period = ArchiveConfig.RATE_LIMIT_ADMIN_LOGIN_PERIOD
+  
+    # Throttle POST requests to /admin/login by IP address
+    #
+    # Key: "rack::attack:#{Time.now.to_i/:period}:admin_logins/ip:#{req.ip}"
+    throttle("admin_logins/ip", limit: admin_login_limit, period: admin_login_period) do |req|
+      req.ip if req.path == "/admin/login" && req.post?
+    end
+  
+    # Throttle POST requests to /admin/login by login param (user name or email)
+    #
+    # Key: "rack::attack:#{Time.now.to_i/:period}:admin_logins/email:#{login}"
+    throttle("admin_logins/email", limit: admin_login_limit, period: admin_login_period) do |req|
+      req.params.dig("admin", "login").presence if req.path == "/admin/login" && req.post?
+    end
+  
   # Add Retry-After response header to let polite clients know
   # how many seconds they should wait before trying again
   Rack::Attack.throttled_response_retry_after_header = true
diff --git a/spec/requests/rack_attack_spec.rb b/spec/requests/rack_attack_spec.rb
@@ -18,13 +18,24 @@ def unique_user_params
     { user: { login: generate(:login), password: "secret" } }
   end
 
+  def unique_admin_params
+    { admin: { login: generate(:login), password: "secret" } }
+  end
+
   it "test utility returns valid parameters for successful user login attempts" do
     params = unique_user_params
     create(:user, login: params[:user][:login], password: params[:user][:password])
     post user_session_path, params: params.to_query
     expect(response).to have_http_status(:redirect)
   end
 
+  it "test utility returns valid parameters for successful admin login attempts" do
+    params = unique_admin_params
+    create(:admin, login: params[:admin][:login], password: params[:admin][:password])
+    post admin_session_path, params: params.to_query
+    expect(response).to have_http_status(:redirect)
+  end
+
   it "successful response does not include retry-after header" do
     get root_path, env: { "REMOTE_ADDR" => Faker::Internet.unique.public_ip_v4_address }
     expect(response).to have_http_status(:ok)
@@ -113,4 +124,70 @@ def unique_user_params
       expect(response).to have_http_status(:ok)
     end
   end
-end
+
+  context "when there have been max admin login attempts from an IP address" do
+    let(:ip) { Faker::Internet.unique.public_ip_v4_address }
+
+    before do
+      10.times do
+        post admin_session_path, params: unique_admin_params.to_query, env: { "REMOTE_ADDR" => ip }
+      end
+    end
+
+    it "response to the next attempt from the same IP includes retry-after header" do
+      post admin_session_path, params: unique_admin_params.to_query, env: { "REMOTE_ADDR" => ip }
+      expect(response).to have_http_status(:too_many_requests)
+      expect(response.headers["Retry-After"].to_i).to be > 0
+      expect(response.headers["Retry-After"].to_i).to be <= 5.minutes
+    end
+
+    it "throttles the next attempt from the same IP" do
+      post admin_session_path, params: unique_admin_params.to_query, env: { "REMOTE_ADDR" => ip }
+      expect(response).to have_http_status(:too_many_requests)
+    end
+
+    it "does not throttle an attempt from a different IP" do
+      post admin_session_path, params: unique_admin_params.to_query, env: unique_ip_env
+      expect(response).to have_http_status(:ok)
+    end
+
+    it "does not throttle the next attempt from the same IP after some time" do
+      travel 5.minutes
+      post admin_session_path, params: unique_admin_params.to_query, env: { "REMOTE_ADDR" => ip }
+      expect(response).to have_http_status(:ok)
+    end
+  end
+
+  context "when there have been max admin login attempts for a username" do
+    let(:params) { unique_admin_params.to_query }
+
+    before do
+      10.times do
+        post admin_session_path, params: params, env: unique_ip_env
+      end
+    end
+
+    it "response to the next attempt for the same username includes retry-after header" do
+      post admin_session_path, params: params, env: unique_ip_env
+      expect(response).to have_http_status(:too_many_requests)
+      expect(response.headers["Retry-After"].to_i).to be > 0
+      expect(response.headers["Retry-After"].to_i).to be <= 5.minutes
+    end
+
+    it "throttles the next attempt for the same username" do
+      post admin_session_path, params: params, env: unique_ip_env
+      expect(response).to have_http_status(:too_many_requests)
+    end
+
+    it "does not throttle an attempt for a different username" do
+      post admin_session_path, params: unique_admin_params.to_query, env: unique_ip_env
+      expect(response).to have_http_status(:ok)
+    end
+
+    it "does not throttle the next attempt for the same username after some time" do
+      travel 5.minutes
+      post admin_session_path, params: params, env: unique_ip_env
+      expect(response).to have_http_status(:ok)
+    end
+  end
+end
