diff --git a/CHANGELOG.md b/CHANGELOG.md index 8357a441..1a638c90 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -10,6 +10,7 @@ This project adheres to [Semantic Versioning](http://semver.org/). - Added Page Delete functionality - Dev locale .yml files in `server/locales` are now loaded - Added SQLite dependencies in Docker image +- Added rate limiting to login mutations ### Fixed - Fixed root admin refresh token fail diff --git a/package.json b/package.json index c13f6a72..8d1be298 100644 --- a/package.json +++ b/package.json @@ -68,6 +68,7 @@ "getos": "3.1.1", "graphql": "14.1.1", "graphql-list-fields": "2.0.2", + "graphql-rate-limit-directive": "0.1.0", "graphql-subscriptions": "1.0.0", "graphql-tools": "4.0.4", "highlight.js": "9.14.2", diff --git a/server/graph/index.js b/server/graph/index.js index 349b64d7..c8856b57 100644 --- a/server/graph/index.js +++ b/server/graph/index.js @@ -6,6 +6,7 @@ const autoload = require('auto-load') const PubSub = require('graphql-subscriptions').PubSub const { LEVEL, MESSAGE } = require('triple-beam') const Transport = require('winston-transport') +const { createRateLimitTypeDef, createRateLimitDirective } = require('graphql-rate-limit-directive') /* global WIKI */ @@ -17,7 +18,7 @@ WIKI.GQLEmitter = new PubSub() // Schemas -let typeDefs = [] +let typeDefs = [createRateLimitTypeDef()] let schemas = fs.readdirSync(path.join(WIKI.SERVERPATH, 'graph/schemas')) schemas.forEach(schema => { typeDefs.push(fs.readFileSync(path.join(WIKI.SERVERPATH, `graph/schemas/${schema}`), 'utf8')) @@ -33,7 +34,12 @@ resolversObj.forEach(resolver => { // Directives -let schemaDirectives = autoload(path.join(WIKI.SERVERPATH, 'graph/directives')) +let schemaDirectives = { + ...autoload(path.join(WIKI.SERVERPATH, 'graph/directives')), + rateLimit: createRateLimitDirective({ + keyGenerator: (directiveArgs, source, args, context, info) => `${context.req.ip}:${info.parentType}.${info.fieldName}` + }) +} // Live Trail Logger (admin) diff --git a/server/graph/schemas/authentication.graphql b/server/graph/schemas/authentication.graphql index ee69dc23..b2c12145 100644 --- a/server/graph/schemas/authentication.graphql +++ b/server/graph/schemas/authentication.graphql @@ -29,12 +29,12 @@ type AuthenticationMutation { username: String! password: String! strategy: String! - ): AuthenticationLoginResponse + ): AuthenticationLoginResponse @rateLimit(limit: 5, duration: 60) loginTFA( loginToken: String! securityCode: String! - ): DefaultResponse + ): DefaultResponse @rateLimit(limit: 5, duration: 60) register( email: String! diff --git a/yarn.lock b/yarn.lock index 2454c23a..5e395fe3 100644 --- a/yarn.lock +++ b/yarn.lock @@ -5582,6 +5582,16 @@ graphql-persisted-document-loader@1.0.1: loader-utils "^1.1.0" persistgraphql "^0.3.11" +graphql-rate-limit-directive@0.1.0: + version "0.1.0" + resolved "https://registry.yarnpkg.com/graphql-rate-limit-directive/-/graphql-rate-limit-directive-0.1.0.tgz#70888cd4fa84fcde731ffcb445fbc7a25fa5a790" + integrity sha512-mVZzuZUl6gmIHYaaMvO7YncHhW2R9B/6Tbr2Ka+kQT39KFIFTHh5+DTqUU4O/GxKcNfWO7Xm3dVF+dLcS+eF3g== + dependencies: + graphql "^14.0.2" + graphql-tag "^2.10.0" + graphql-tools "^4.0.0" + rate-limiter-flexible "^0.22.0" + graphql-request@^1.5.0: version "1.8.2" resolved "https://registry.yarnpkg.com/graphql-request/-/graphql-request-1.8.2.tgz#398d10ae15c585676741bde3fc01d5ca948f8fbe" @@ -5596,7 +5606,7 @@ graphql-subscriptions@1.0.0, graphql-subscriptions@^1.0.0: dependencies: iterall "^1.2.1" -graphql-tag@^2.0.0, graphql-tag@^2.10.1, graphql-tag@^2.4.2, graphql-tag@^2.9.2: +graphql-tag@^2.0.0, graphql-tag@^2.10.0, graphql-tag@^2.10.1, graphql-tag@^2.4.2, graphql-tag@^2.9.2: version "2.10.1" resolved "https://registry.yarnpkg.com/graphql-tag/-/graphql-tag-2.10.1.tgz#10aa41f1cd8fae5373eaf11f1f67260a3cad5e02" integrity sha512-jApXqWBzNXQ8jYa/HLkZJaVw9jgwNqZkywa2zfFn16Iv1Zb7ELNHkJaXHR7Quvd5SIGsy6Ny7SUKATgnu05uEg== @@ -5640,7 +5650,7 @@ graphql-voyager@1.0.0-rc.26: svg-pan-zoom "^3.5.2" viz.js "2.0.0" -graphql@14.1.1: +graphql@14.1.1, graphql@^14.0.2: version "14.1.1" resolved "https://registry.yarnpkg.com/graphql/-/graphql-14.1.1.tgz#d5d77df4b19ef41538d7215d1e7a28834619fac0" integrity sha512-C5zDzLqvfPAgTtP8AUPIt9keDabrdRAqSWjj2OPRKrKxI9Fb65I36s1uCs1UUBFnSWTdO7hyHi7z1ZbwKMKF6Q== @@ -10589,6 +10599,11 @@ range-parser@^1.0.3, range-parser@~1.2.0: resolved "https://registry.yarnpkg.com/range-parser/-/range-parser-1.2.0.tgz#f49be6b487894ddc40dcc94a322f611092e00d5e" integrity sha1-9JvmtIeJTdxA3MlKMi9hEJLgDV4= +rate-limiter-flexible@^0.22.0: + version "0.22.4" + resolved "https://registry.yarnpkg.com/rate-limiter-flexible/-/rate-limiter-flexible-0.22.4.tgz#bdaee6968f527b9f8577163d7cca7a3620bb0d0f" + integrity sha512-DKGzgcB8JDLxnojhnhr62D+eqIHjIfXCOpdeHiE77TJves/qiLGHrZpqEpWZ3f3aNDnvA6YB4FrM3/zorETrMw== + raven@2.6.4: version "2.6.4" resolved "https://registry.yarnpkg.com/raven/-/raven-2.6.4.tgz#458d4a380c8fbb59e0150c655625aaf60c167ea3"