feat: custom phone challenge rate limiter

Author: annahassel

Dockerfile

@@ -24,6 +24,6 @@ RUN \
 
 USER node
 COPY --chown=node:node . /src
-RUN pnpm install --offline --prod
+RUN pnpm install --prefer-offline --prod
 
 CMD [ "./node_modules/.bin/mfleet" ]

package.json

@@ -31,6 +31,7 @@
   "dependencies": {
     "@faker-js/faker": "^9.2.0",
     "@fastify/deepmerge": "^2.0.0",
+    "@google-cloud/recaptcha-enterprise": "^6.0.1",
     "@hapi/bell": "^13.0.2",
     "@hapi/boom": "^10.0.1",
     "@hapi/hapi": "^21.3.10",

pnpm-lock.yaml

@@ -1,25 +1,30 @@
 {
-    "$id": "challenge",
-    "type": "object",
-    "required": [
-        "type",
-        "username"
-    ],
-    "properties": {
-        "type": {
-            "type": "string",
-            "enum": ["email", "phone"]
-        },
-        "username": {
-            "type": "string",
-            "minLength": 1
-        },
-        "remoteip": {
-            "type": "string",
-            "format": "ipv4"
-        },
-        "metadata": {
-            "type": "object"
-        }
+  "$id": "challenge",
+  "type": "object",
+  "required": [
+    "type",
+    "username"
+  ],
+  "properties": {
+    "captcha": {
+      "$ref": "common.json#/definitions/captcha"
+    },
+    "metadata": {
+      "type": "object"
+    },
+    "remoteip": {
+      "$ref": "common.json#/definitions/remoteip"
+    },
+    "type": {
+      "type": "string",
+      "enum": [
+        "email",
+        "phone"
+      ]
+    },
+    "username": {
+      "type": "string",
+      "minLength": 1
     }
+  }
 }

schemas/challenge.json

@@ -189,6 +189,59 @@
       "description": "E-164. Only digits",
       "type": "string",
       "pattern": "^[0-9]{7,15}$"
+    },
+    "remoteip": {
+      "type": "string",
+      "oneOf": [
+        { "format": "ipv4" },
+        { "format": "ipv6" }
+      ]
+    },
+    "captcha": {
+      "oneOf": [
+        {
+          "type": "object",
+          "required": [
+            "response",
+            "remoteip"
+          ],
+          "properties": {
+            "response": {
+              "type": "string",
+              "minLength": 1
+            },
+            "remoteip": {
+              "type": "string",
+              "oneOf": [{
+                  "format": "ipv4"
+                },
+                {
+                  "format": "ipv6"
+                }
+              ]
+            },
+            "secret": {
+              "type": "string",
+              "minLength": 1
+            }
+          }
+        },
+        {
+          "type": "object",
+          "required": [
+            "type",
+            "token"
+          ],
+          "properties": {
+            "type": {
+              "const": "recaptcha"
+            },
+            "token": {
+              "type": "string"
+            }
+          }
+        }
+      ]
     }
   }
 }

schemas/common.json

@@ -6,13 +6,19 @@
     "challengeType"
   ],
   "properties": {
+    "captcha": {
+      "$ref": "common.json#/definitions/captcha"
+    },
     "challengeType": {
       "default": "phone",
       "const": "phone"
     },
     "id": {
       "type": "string",
-      "description": "User identificator"
+      "description": "User identifier"
+    },
+    "remoteip": {
+      "$ref": "common.json#/definitions/remoteip"
     }
   }
 }

schemas/disposable-password.json

@@ -20,31 +20,7 @@
       "type": "boolean"
     },
     "captcha": {
-      "type": "object",
-      "required": [
-        "response",
-        "remoteip"
-      ],
-      "properties": {
-        "response": {
-          "type": "string",
-          "minLength": 1
-        },
-        "remoteip": {
-          "type": "string",
-          "oneOf": [{
-              "format": "ipv4"
-            },
-            {
-              "format": "ipv6"
-            }
-          ]
-        },
-        "secret": {
-          "type": "string",
-          "minLength": 1
-        }
-      }
+      "$ref": "common.json#/definitions/captcha"
     },
     "metadata": {
       "type": "object",
@@ -59,14 +35,7 @@
       "minLength": 1
     },
     "ipaddress": {
-      "type": "string",
-      "oneOf": [{
-          "format": "ipv4"
-        },
-        {
-          "format": "ipv6"
-        }
-      ]
+      "$ref": "common.json#/definitions/remoteip"
     },
     "skipChallenge": {
       "type": "boolean"

schemas/register.json

@@ -7,6 +7,9 @@
     "value"
   ],
   "properties": {
+    "captcha": {
+      "$ref": "common.json#/definitions/captcha"
+    },
     "challengeType": {
       "description": "Where to send the secret code. Currently only the `phone` is supported",
       "type": "string",
@@ -22,6 +25,9 @@
       "minLength": 1,
       "type": "string"
     },
+    "remoteip": {
+      "$ref": "common.json#/definitions/remoteip"
+    },
     "username": {
       "description": "User alias, ID or username",
       "maxLength": 50,

schemas/update-username/request.json

@@ -5,7 +5,6 @@ const challenge = require('../utils/challenges/challenge');
 const { getInternalData } = require('../utils/userData');
 const isActive = require('../utils/is-active');
 const isBanned = require('../utils/is-banned');
-const hasNotPassword = require('../utils/has-no-password');
 const { USERS_ACTION_DISPOSABLE_PASSWORD, USERS_USERNAME_FIELD } = require('../constants');
 
 /**
@@ -14,7 +13,7 @@ const { USERS_ACTION_DISPOSABLE_PASSWORD, USERS_USERNAME_FIELD } = require('../c
  * @apiName DisposablePassword
  * @apiGroup Users
  *
- * @apiDescription This method allowes to get disposable password.
+ * @apiDescription This method allows to get disposable password.
  *
  * @apiSchema {jsonschema=../../schemas/disposable-password.json} apiParam
  */
@@ -27,7 +26,6 @@ module.exports = function disposablePassword(request) {
     .then(getInternalData)
     .tap(isActive)
     .tap(isBanned)
-    .tap(hasNotPassword)
     .then((data) => ([challengeType, {
       id: data[USERS_USERNAME_FIELD],
       action: USERS_ACTION_DISPOSABLE_PASSWORD,

src/actions/disposable-password.js

@@ -1,14 +1,11 @@
 const { ActionTransport } = require('@microfleet/plugin-router');
 
 const { requestUsernameUpdate } = require('../../utils/update-username');
-const { resolveUserId } = require('../../utils/userData');
-const { checkMFA } = require('../../utils/mfa');
+const { getInternalData, resolveUserId } = require('../../utils/userData');
 const isActive = require('../../utils/is-active');
 const isBanned = require('../../utils/is-banned');
 const {
   ErrorConflictUserExists,
-  ErrorUserNotFound,
-  MFA_TYPE_OPTIONAL,
   USERS_ID_FIELD,
 } = require('../../constants');
 
@@ -26,12 +23,8 @@ const {
  * @apiSuccess (Response) {Object} uid Token UID
  */
 module.exports = async function requestUpdateUsernameAction(request) {
-  const { challengeType, i18nLocale, value } = request.params;
-  const { internalData } = request.locals;
-
-  if (!internalData) {
-    throw ErrorUserNotFound;
-  }
+  const { challengeType, i18nLocale, username, value } = request.params;
+  const internalData = await getInternalData.call(this, username);
 
   await isActive(internalData);
   isBanned(internalData);
@@ -49,6 +42,4 @@ module.exports = async function requestUpdateUsernameAction(request) {
   );
 };
 
-module.exports.mfa = MFA_TYPE_OPTIONAL;
-module.exports.allowed = checkMFA;
 module.exports.transports = [ActionTransport.amqp, ActionTransport.internal];