[RND-665] Lower rate limiting for OAuth (#331)

Ed-Fi-Exchange-OSS · Dec 12, 2023 · 940d110 · 940d110
1 parent 9cc502c
commit 940d110
Show file tree

Hide file tree

Showing 14 changed files with 96 additions and 52 deletions.
diff --git a/Meadowlark-js/backends/meadowlark-elasticsearch-backend/package.json b/Meadowlark-js/backends/meadowlark-elasticsearch-backend/package.json
@@ -1,7 +1,7 @@
 {
   "name": "@edfi/meadowlark-elasticsearch-backend",
   "main": "dist/index.js",
-  "version": "0.4.0-pre.6",
+  "version": "0.4.0-pre.7",
   "description": "Meadowlark backend plugin for elasticsearch",
   "license": "Apache-2.0",
   "publishConfig": {
@@ -19,8 +19,8 @@
     "build:copy-non-ts": "copyfiles -u 1 -e \"**/*.ts\" \"src/**/*\" dist --verbose"
   },
   "dependencies": {
-    "@edfi/meadowlark-core": "0.4.0-pre.6",
-    "@edfi/meadowlark-utilities": "0.4.0-pre.6",
+    "@edfi/meadowlark-core": "0.4.0-pre.7",
+    "@edfi/meadowlark-utilities": "0.4.0-pre.7",
     "@elastic/elasticsearch": "^8.10.0",
     "@elastic/transport": "^8.3.4"
   },

diff --git a/Meadowlark-js/backends/meadowlark-mongodb-backend/package.json b/Meadowlark-js/backends/meadowlark-mongodb-backend/package.json
@@ -1,7 +1,7 @@
 {
   "name": "@edfi/meadowlark-mongodb-backend",
   "main": "dist/index.js",
-  "version": "0.4.0-pre.6",
+  "version": "0.4.0-pre.7",
   "description": "Meadowlark backend plugin for MongoDB",
   "license": "Apache-2.0",
   "publishConfig": {
@@ -19,9 +19,9 @@
     "build:copy-non-ts": "copyfiles -u 1 -e \"**/*.ts\" \"src/**/*\" dist --verbose"
   },
   "dependencies": {
-    "@edfi/meadowlark-authz-server": "0.4.0-pre.6",
-    "@edfi/meadowlark-core": "0.4.0-pre.6",
-    "@edfi/meadowlark-utilities": "0.4.0-pre.6",
+    "@edfi/meadowlark-authz-server": "0.4.0-pre.7",
+    "@edfi/meadowlark-core": "0.4.0-pre.7",
+    "@edfi/meadowlark-utilities": "0.4.0-pre.7",
     "async-retry": "^1.3.3",
     "mongodb": "^5.9.0",
     "ramda": "0.29.1"

diff --git a/Meadowlark-js/backends/meadowlark-opensearch-backend/package.json b/Meadowlark-js/backends/meadowlark-opensearch-backend/package.json
@@ -1,7 +1,7 @@
 {
   "name": "@edfi/meadowlark-opensearch-backend",
   "main": "dist/index.js",
-  "version": "0.4.0-pre.6",
+  "version": "0.4.0-pre.7",
   "description": "Meadowlark backend plugin for OpenSearch",
   "license": "Apache-2.0",
   "publishConfig": {
@@ -19,8 +19,8 @@
     "build:copy-non-ts": "copyfiles -u 1 -e \"**/*.ts\" \"src/**/*\" dist --verbose"
   },
   "dependencies": {
-    "@edfi/meadowlark-core": "0.4.0-pre.6",
-    "@edfi/meadowlark-utilities": "0.4.0-pre.6",
+    "@edfi/meadowlark-core": "0.4.0-pre.7",
+    "@edfi/meadowlark-utilities": "0.4.0-pre.7",
     "@opensearch-project/opensearch": "^2.4.0"
   },
   "devDependencies": {

diff --git a/Meadowlark-js/backends/meadowlark-postgresql-backend/package.json b/Meadowlark-js/backends/meadowlark-postgresql-backend/package.json
@@ -1,7 +1,7 @@
 {
   "name": "@edfi/meadowlark-postgresql-backend",
   "main": "dist/index.js",
-  "version": "0.4.0-pre.6",
+  "version": "0.4.0-pre.7",
   "description": "Meadowlark backend plugin for PostgreSQL",
   "license": "Apache-2.0",
   "publishConfig": {
@@ -19,9 +19,9 @@
     "build:copy-non-ts": "copyfiles -u 1 -e \"**/*.ts\" \"src/**/*\" dist --verbose"
   },
   "dependencies": {
-    "@edfi/meadowlark-authz-server": "0.4.0-pre.6",
-    "@edfi/meadowlark-core": "0.4.0-pre.6",
-    "@edfi/meadowlark-utilities": "0.4.0-pre.6",
+    "@edfi/meadowlark-authz-server": "0.4.0-pre.7",
+    "@edfi/meadowlark-core": "0.4.0-pre.7",
+    "@edfi/meadowlark-utilities": "0.4.0-pre.7",
     "pg": "^8.11.3",
     "pg-format": "^1.0.4",
     "ramda": "0.29.1"

diff --git a/Meadowlark-js/lerna.json b/Meadowlark-js/lerna.json
@@ -3,7 +3,7 @@
   "packages": [
     "packages/*"
   ],
-  "version": "0.4.0-pre.6",
+  "version": "0.4.0-pre.7",
   "npmClient": "npm",
   "useWorkspaces": true
 }
diff --git a/Meadowlark-js/package-lock.json b/Meadowlark-js/package-lock.json
diff --git a/Meadowlark-js/package.json b/Meadowlark-js/package.json
@@ -72,7 +72,7 @@
     "test:e2e:dev:exit": "bash ../eng/exit-dev-containers.sh",
     "start:local": "lerna run start:local",
     "docker:lint": "cat ./Dockerfile | docker run --rm -i hadolint/hadolint",
-    "docker:install": "npm i lerna@^6.0.2 rimraf@^3.0.2 copyfiles@^2.4.1 typescript@4.8.4 -g && npm ci --only=production",
+    "docker:install": "npm i lerna@^6.6.2 rimraf@^5.0.5 copyfiles@^2.4.1 typescript@4.9.5 -g && npm ci --only=production",
     "docker:build": "docker build -t meadowlark .",
     "docker:build:wsl1": "docker.exe build -t meadowlark .",
     "docker:start": "docker run -d --env-file ./.env-docker --name ml-api -p 3000:3000 meadowlark",

diff --git a/Meadowlark-js/packages/meadowlark-authz-server/package.json b/Meadowlark-js/packages/meadowlark-authz-server/package.json
@@ -1,7 +1,7 @@
 {
   "name": "@edfi/meadowlark-authz-server",
   "main": "dist/index.js",
-  "version": "0.4.0-pre.6",
+  "version": "0.4.0-pre.7",
   "description": "Meadowlark authorization server",
   "license": "Apache-2.0",
   "publishConfig": {
@@ -14,7 +14,7 @@
   ],
   "dependencies": {
     "@apideck/better-ajv-errors": "^0.3.6",
-    "@edfi/meadowlark-utilities": "0.4.0-pre.6",
+    "@edfi/meadowlark-utilities": "0.4.0-pre.7",
     "ajv": "^8.12.0",
     "didyoumean2": "^6.0.1",
     "dotenv": "^16.3.1",

diff --git a/Meadowlark-js/packages/meadowlark-core/package.json b/Meadowlark-js/packages/meadowlark-core/package.json
@@ -1,7 +1,7 @@
 {
   "name": "@edfi/meadowlark-core",
   "main": "dist/index.js",
-  "version": "0.4.0-pre.6",
+  "version": "0.4.0-pre.7",
   "description": "Meadowlark core functionality",
   "license": "Apache-2.0",
   "publishConfig": {
@@ -14,7 +14,7 @@
   ],
   "dependencies": {
     "@apideck/better-ajv-errors": "^0.3.6",
-    "@edfi/meadowlark-utilities": "0.4.0-pre.6",
+    "@edfi/meadowlark-utilities": "0.4.0-pre.7",
     "@isaacs/ttlcache": "^1.4.1",
     "ajv": "^8.12.0",
     "ajv-formats": "^2.1.1",

diff --git a/Meadowlark-js/packages/meadowlark-utilities/package.json b/Meadowlark-js/packages/meadowlark-utilities/package.json
@@ -1,7 +1,7 @@
 {
   "name": "@edfi/meadowlark-utilities",
   "main": "dist/index.js",
-  "version": "0.4.0-pre.6",
+  "version": "0.4.0-pre.7",
   "description": "Meadowlark shared utilities",
   "license": "Apache-2.0",
   "publishConfig": {

diff --git a/Meadowlark-js/sample-load-balancer.conf b/Meadowlark-js/sample-load-balancer.conf
@@ -1,3 +1,5 @@
+limit_req_zone $binary_remote_addr zone=oauthlimit:10m rate=1r/m;
+
 upstream meadowlarkoauth {
     server meadowlark-oauth-ml-local-1:3000;
     server meadowlark-oauth-ml-local-2:3000;
@@ -34,6 +36,12 @@ server {
         proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
     }
 
+    location /local/oauth/token {
+        proxy_pass http://meadowlarkoauth;
+
+        limit_req zone=oauthlimit burst=3 nodelay;
+    }
+
     #error_page  404              /404.html;
 
     # redirect server error pages to the static page /50x.html

diff --git a/Meadowlark-js/services/meadowlark-fastify/package.json b/Meadowlark-js/services/meadowlark-fastify/package.json
@@ -1,6 +1,6 @@
 {
   "name": "@edfi/meadowlark-fastify",
-  "version": "0.4.0-pre.6",
+  "version": "0.4.0-pre.7",
   "description": "Meadowlark service using Fastify",
   "license": "Apache-2.0",
   "publishConfig": {
@@ -12,9 +12,9 @@
     "/package.json"
   ],
   "dependencies": {
-    "@edfi/meadowlark-authz-server": "0.4.0-pre.6",
-    "@edfi/meadowlark-core": "0.4.0-pre.6",
-    "@edfi/meadowlark-utilities": "0.4.0-pre.6",
+    "@edfi/meadowlark-authz-server": "0.4.0-pre.7",
+    "@edfi/meadowlark-core": "0.4.0-pre.7",
+    "@edfi/meadowlark-utilities": "0.4.0-pre.7",
     "@fastify/rate-limit": "^6.0.1",
     "dotenv": "^16.3.1",
     "fastify": "^3.29.5"

diff --git a/Meadowlark-js/tests/e2e/package.json b/Meadowlark-js/tests/e2e/package.json
@@ -1,13 +1,13 @@
 {
   "name": "@edfi/meadowlark-e2e-tests",
   "main": "dist/index.js",
-  "version": "0.4.0-pre.6",
+  "version": "0.4.0-pre.7",
   "description": "Meadowlark Ed-Fi API end to end tests",
   "license": "Apache-2.0",
   "private": true,
   "files": [],
   "devDependencies": {
-    "@edfi/meadowlark-utilities": "0.4.0-pre.6",
+    "@edfi/meadowlark-utilities": "0.4.0-pre.7",
     "@testcontainers/mongodb": "^10.3.1",
     "@testcontainers/postgresql": "^10.3.1",
     "@types/chance": "^1.1.6",

diff --git a/docs/design/rate-limiting-for-oauth/README.md b/docs/design/rate-limiting-for-oauth/README.md
@@ -0,0 +1,36 @@
+# Rate Limiting for OAuth
+
+To prevent a possible attack, we want to limit the users from authenticating
+multiple times in a short period of time, this can be done with the load
+balancer. As an example, we will use the NGINX
+[sample-load-balancer](../../../Meadowlark-js/sample-load-balancer.conf)
+
+## Configuration
+
+NGINX has a built in setup of rate limiting in a configuration file per endpoint
+(can be done at a higher level). See
+https://www.nginx.com/blog/rate-limiting-nginx/ for guidance, and the
+[documentation](https://nginx.org/en/docs/http/ngx_http_limit_req_module.html#limit_req)
+
+### Setup
+
+1. Define the `limit_req_zone` at the beginning of the
+   [file](../../../Meadowlark-js/sample-load-balancer.conf#L1). The zone means the
+   memory used to save IP addresses, and the `rate` represent how often the
+   count will be restarted (every minute).
+
+2. For the desired endpoint, specify the `limit_req` with the name of the zone
+   specified in the previous step, and the `burst` which is the amount of time
+   allowed per time period (the rate). In this example, we set the `rate` to 1
+   minute and the `burst` to 3 requests during that minute.
+
+3. Start Meadowlark fully in Docker, using MongoDB as the backend and OpenSearch
+   as the search provider.
+
+   ```pwsh
+   cd Meadowlark-js
+   ./reset-docker-compose.ps1
+   ```
+
+With this setup, the endpoint will have the request limit in place, which is the
+recommended approach with a load balancer or front end proxy.