Implement Accounts creation rate limit #1800
Conversation
| creationRateLimitPeriodSeconds: parseInt( | ||
| process.env.ACCOUNT_CREATION_RATE_LIMIT_PERIOD_SECONDS ?? `${60}`, | ||
| ), | ||
| creationRateLimitCalls: parseInt( | ||
| process.env.ACCOUNT_CREATION_RATE_LIMIT_CALLS_BY_PERIOD ?? `${1}`, | ||
| ), | ||
| }, |
There was a problem hiding this comment.
These defaults allow each IP to create an account per minute. As the account is cross-chain, I thought that one account should be sufficient for most users.
| address: `0x${string}`; | ||
| clientIp: string; |
There was a problem hiding this comment.
As this function's arity increased to 2, I've wrapped the arguments on a type, which caused some additional changes in the PR.
| this.loggingService.warn( | ||
| `Invalid client IP while creating account: ${clientIp}`, | ||
| ); |
There was a problem hiding this comment.
If the IP is not defined or it's not well formatted, the account creation is allowed. This is mostly done to avoid blockers, but I think we need to keep an eye on logs if we start seeing too many warnings here.
There was a problem hiding this comment.
In my understanding, it cannot happen.
you get this IP address from web server, who gets it from http(s) which is over tpc, where server always has to know the address on the other side.
even with http3, the udp packets would still contain originators ip. To become empty or malformed, it would need to be specially crafted.
So for this case I would propose to throw an error as well
There was a problem hiding this comment.
Makes sense to me, I've added a ticket to change it: #1838
Thanks!
| this.loggingService.warn( | ||
| `Limit of ${this.accountCreationRateLimitCalls} reached for IP ${clientIp}`, | ||
| ); |
There was a problem hiding this comment.
As before, I added a log line here also, as getting too many rate limit conditions shouldn't be normal.
Pull Request Test Coverage Report for Build 10270314343Details
💛 - Coveralls |
| @@ -88,20 +91,126 @@ describe('AccountsDatasource tests', () => { | |||
| ); | |||
| }); | |||
|
|
|||
| it('throws when an account with the same address already exists', async () => { | |||
| it('creates an account successfully if the clientIp is not a valid IP', async () => { | |||
There was a problem hiding this comment.
| it('creates an account successfully if the clientIp is not a valid IP', async () => { | |
| it('creates an account successfully if the clientIp is a valid IP', async () => { |
There was a problem hiding this comment.
Hmm, this is intended, the current behavior is to allow nonvalid IPs to create an account, and log this fact as a warning. The rationale is to cover the case where for some reason our infra sees a modified IP somehow. The idea is to not block users whose IP is obfuscated in some way. I'm open to restricting the account creation to valid IPs only btw. I guess we need to evaluate this while running the service. Wdyt?
There was a problem hiding this comment.
It seems trivial to rate limit based on IP but allow users to bypass it by obfuscating their IP. Do we know if there's a high chance of modified IPs? I am impartial regarding this nonetheless so we can leave it as if we want.
There was a problem hiding this comment.
I guess we will see how this goes through time, I don't think users can obfuscate their IPs easily. I think we can start allowing account creation but keep an eye on logging to see if this (a malformed IP reaching the service) happens often. So I'd leave it as it is for now, and maybe reconsider it based on the logs.
I don't have a super firm opinion, but I think it makes sense to have the limiter on the datasource for this use case as we have to limit the actual account creations. I guess if we add the rate limiter to the controller layer it wouldn't consider failed attempts for example. For a GET endpoint, I'd be more in favor of limiting the endpoint directly. Also, even if we put this on a Guard, it would need to have access to the Redis instance, as the rate limiter count needs to be shared among the CGW pods (maybe this could help if we want to do it https://github.com/kkoomen/nestjs-throttler-storage-redis). |
Considering we want to limit creations and this can happen via various methods - I am happy with keeping it as it is. Although a nit, I think we should add a comment explaining the above. |
Great, thanks! I've included a note in 031aaca, please let me know if you think it's not clearer enough, or if you would like to rephrase it. |
| this.loggingService.warn( | ||
| `Limit of ${this.accountCreationRateLimitCalls} reached for IP ${clientIp}`, | ||
| ); | ||
| throw new LimitReachedError(); |
There was a problem hiding this comment.
Which http code would a client get?
this Error is not extending HttpException. Is it necessary to implement an ExceptionFilter for this?
There was a problem hiding this comment.
With this implementation, the client would get a generic 500 status code error.
I've created a PR to extend HttpException and set the correct status codes for both accounts and Counterfactual Safes rate limit hit errors on creation: #1865
Thank you!
Adds a rate limitation controlled by a cache key before proceeding with account creation
Summary
This PR introduces a rate limitation to creating User Accounts using the related
AccountsControllerendpoint.Changes