aut-2776 add api rate limit for contact us form submission
di-fabs committed Jun 5, 2024
1 parent 190ea9d commit cb3e630
Showing 15 changed files with 39 additions and 1 deletion.
1 change: 1 addition & 0 deletions ci/terraform/authdev1.tfvars
Expand Up @@ -14,6 +14,7 @@ support_authorize_controller = "1"
support_2fa_b4_password_reset = "1"
support_check_email_fraud = "1"
language_toggle_enabled = "1"
api_rate_limit = "5"

frontend_task_definition_cpu = 512
frontend_task_definition_memory = 1024
1 change: 1 addition & 0 deletions ci/terraform/authdev2.tfvars
Expand Up @@ -14,6 +14,7 @@ support_authorize_controller = "1"
support_2fa_b4_password_reset = "1"
support_check_email_fraud = "1"
language_toggle_enabled = "1"
api_rate_limit = "5"

frontend_task_definition_cpu = 512
frontend_task_definition_memory = 1024
2 changes: 1 addition & 1 deletion ci/terraform/build.tfvars
Expand Up @@ -26,7 +26,7 @@ code_entered_wrong_blocked_minutes = "1"
reduced_code_block_duration_minutes = "0.5"
url_for_support_links = "https://home.build.account.gov.uk/contact-gov-uk-one-login"
language_toggle_enabled = "1"

api_rate_limit = "5"

logging_endpoint_arns = [
"arn:aws:logs:eu-west-2:885513274347:destination:csls_cw_logs_destination_prodpython"
1 change: 1 addition & 0 deletions ci/terraform/dev.tfvars
Expand Up @@ -26,6 +26,7 @@ code_entered_wrong_blocked_minutes = "1"
reduced_code_block_duration_minutes = "0.5"
url_for_support_links = "https://home.dev.account.gov.uk/contact-gov-uk-one-login"
language_toggle_enabled = "1"
api_rate_limit = "5"

logging_endpoint_arns = []

1 change: 1 addition & 0 deletions ci/terraform/integration.tfvars
Expand Up @@ -11,6 +11,7 @@ support_authorize_controller = "1"
support_2fa_b4_password_reset = "1"
support_2hr_lockout = "1"
support_reauthentication = "1"
api_rate_limit = "5"

code_request_blocked_minutes = "120"
account_recovery_code_entered_wrong_blocked_minutes = "120"
1 change: 1 addition & 0 deletions ci/terraform/production.tfvars
Expand Up @@ -19,6 +19,7 @@ code_entered_wrong_blocked_minutes = "120"
email_entered_wrong_blocked_minutes = "120"
password_reset_code_entered_wrong_blocked_minutes = "120"
reduced_code_block_duration_minutes = "15"
api_rate_limit = "5"

url_for_support_links = "https://home.account.gov.uk/contact-gov-uk-one-login"

1 change: 1 addition & 0 deletions ci/terraform/sandpit.tfvars
Expand Up @@ -16,6 +16,7 @@ support_account_interventions = "1"
support_2fa_b4_password_reset = "1"
support_check_email_fraud = "1"
language_toggle_enabled = "1"
api_rate_limit = "5"


frontend_task_definition_cpu = 512
1 change: 1 addition & 0 deletions ci/terraform/staging.tfvars
Expand Up @@ -28,6 +28,7 @@ reduced_code_block_duration_minutes = "15"
support_reauthentication = "1"
language_toggle_enabled = "1"
prove_identity_welcome_enabled = "0"
api_rate_limit = "5"

url_for_support_links = "https://home.staging.account.gov.uk/contact-gov-uk-one-login"

6 changes: 6 additions & 0 deletions ci/terraform/variables.tf
Expand Up @@ -241,6 +241,12 @@ variable "support_account_interventions" {
default = "0"
}

variable "api_rate_limit" {
description = "number of contact form submission per 15 minutes"
type = string
default = "5"
}

variable "support_reauthentication" {
description = "When true, turns on re-authentication in environment"
type = string
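Review bot: The new `api_rate_limit` variable is declared here and set in every tfvars file, but none of the 15 files in this commit maps it into the frontend container's environment as `API_RATE_LIMIT` (the name `src/config.ts` reads), so unless the task-definition template already passes variables through generically the runtime will keep falling back to the hard-coded default of 5 and the per-environment values will have no effect; please confirm the wiring. The description on the `description =` line could name the unit and the environment variable it feeds: `description = "Maximum contact-us form submissions allowed per IP per 15-minute window; exported to the frontend container as API_RATE_LIMIT"`. Declaring it as `type = number` with `default = 5` would reject non-numeric values at plan time, though the string type does match the neighbouring feature-flag variables. The `support_reauthentication` variable continues past the end of this hunk.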
1 change: 1 addition & 0 deletions package.json
Expand Up @@ -77,6 +77,7 @@
"dompurify": "^2.3.4",
"ecdsa-sig-formatter": "^1.0.11",
"express": "^4.17.2",
"express-rate-limit": "^7.3.0",
"express-session": "^1.17.2",
"express-validator": "^6.13.0",
"govuk-frontend": "^4.8.0",
1 change: 1 addition & 0 deletions scripts/_create_env_file.py
Expand Up @@ -92,6 +92,7 @@ class EnvFileSection(TypedDict):
"SUPPORT_REAUTHENTICATION": 1,
"SUPPORT_2HR_LOCKOUT": 1,
"SUPPORT_CHECK_EMAIL_FRAUD": 1,
"API_RATE_LIMIT": 5,
},
},
{
2 changes: 2 additions & 0 deletions src/app.ts
Expand Up @@ -88,6 +88,7 @@ import { temporarilyBlockedRouter } from "./components/account-intervention/temp
import { resetPassword2FAAuthAppRouter } from "./components/reset-password-2fa-auth-app/reset-password-2fa-auth-app-routes";
import { setGTM } from "./middleware/analytics-middleware";
import { setCurrentUrlMiddleware } from "./middleware/current-url-middleware";
import { setApiRateLimiter } from "./middleware/api-rate-limiter-middleware";

const APP_VIEWS = [
path.join(__dirname, "components"),
Expand Down Expand Up @@ -168,6 +169,7 @@ async function createApp(): Promise<express.Application> {
app.set("view engine", configureNunjucks(app, APP_VIEWS));
app.use(setLocalVarsMiddleware);
app.use(setGTM);
app.use(setApiRateLimiter());

i18next
.use(Backend)
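Review bot: `app.use(setApiRateLimiter())` registers the limiter for every request and relies entirely on the middleware's skip callback to narrow it to the contact form; mounting it on the contact-us POST route itself (that route file is not in this diff) would make the scope explicit and not depend on path string matching at app level. express-rate-limit keys on `req.ip`, and since this frontend runs as an ECS task behind a load balancer (per the tfvars), `req.ip` will be the proxy's address unless `app.set("trust proxy", …)` is configured — I cannot see that from this hunk, so please confirm, otherwise every user shares one 5-request bucket. As far as this commit shows no `store` is passed, so the default in-memory store is per process and the limit is enforced per frontend task rather than across the service. `createApp` starts and ends outside this hunk.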
4 changes: 4 additions & 0 deletions src/config.ts
Expand Up @@ -119,6 +119,10 @@ export function getAnalyticsCookieDomain(): string {
return process.env.ANALYTICS_COOKIE_DOMAIN;
}

export function getApiRateLimit(): number {
return parseInt(process.env.API_RATE_LIMIT) || 5;
}

export function getServiceDomain(): string {
return process.env.SERVICE_DOMAIN || "localhost";
}
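Review bot: In `getApiRateLimit`, `parseInt(process.env.API_RATE_LIMIT) || 5` silently turns an unparseable value or an explicit zero (a typo in a tfvars file, an empty string) into 5, so a misconfigured environment is masked rather than surfaced, and the `parseInt` call has no radix. Suggest `const parsed = parseInt(process.env.API_RATE_LIMIT ?? "", 10);` followed by `return Number.isNaN(parsed) ? 5 : parsed;`, ideally with a warning log when the fallback is taken. Add a TSDoc line such as `/** Per-IP contact-us submissions allowed per rate-limit window; defaults to 5 when API_RATE_LIMIT is unset or not numeric. */` — the window length itself lives in the middleware, so the doc should not hard-code it.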
12 changes: 12 additions & 0 deletions src/middleware/api-rate-limiter-middleware.ts
@@ -0,0 +1,12 @@
import { RateLimitRequestHandler, rateLimit } from 'express-rate-limit'
import {
getApiRateLimit,
} from "../config";

export function setApiRateLimiter(): RateLimitRequestHandler {
return rateLimit({
skip: (req) => req.url !== '/contact-us-questions' && req.method !== 'POST',
windowMs: 15 * 60 * 1000, // 15 minutes
max: getApiRateLimit(), // limit each IP to 5 requests per windowMs
});
}
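Review bot: The predicate on the `skip:` line is inverted by the `&&`: a request is skipped only when it is both off-path and non-POST, so every POST handled by this app (sign-in, code entry, password reset, etc.) and every GET of the contact form are counted against the 5-per-15-minute per-IP limit, while the intended scope was POST /contact-us-questions alone; users behind a shared NAT would be locked out of all form submissions. Use `skip: (req) => !(req.path === "/contact-us-questions" && req.method === "POST"),` — comparing `req.path` rather than `req.url` also stops a query string (`/contact-us-questions?x=1`) from making the request skip the limiter once the logic is corrected. The inline comment on the `max` line should now read `// per-IP submissions allowed per window, from API_RATE_LIMIT` since the value is no longer fixed at 5. The single-quoted imports and missing semicolons also differ from the double-quote/semicolon style used in `src/config.ts` and `src/app.ts`.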
5 changes: 5 additions & 0 deletions yarn.lock
Expand Up @@ -3026,6 +3026,11 @@ events@^3.3.0:
resolved "https://registry.npmjs.org/events/-/events-3.3.0.tgz"
integrity sha512-mQw+2fkQbALzQ7V0MY0IqdnXNOeTtP4r0lN9z7AAawCXgqea7bDii20AYrIBrFd/Hx0M2Ocz6S111CaFkUcb0Q==

express-rate-limit@^7.3.0:
version "7.3.0"
resolved "https://registry.yarnpkg.com/express-rate-limit/-/express-rate-limit-7.3.0.tgz#b3ea0dc4fc3ca9739e3af04565184f6edcdf0240"
integrity sha512-ZPfWlcQQ1PsZonB/vqksOsBQV74z5osi/QcdoBCyKJXl/wOVjS1yRDmvkpMM52KJeLbiF2+djwVEnEgVCDdvtw==

express-session@^1.17.2:
version "1.17.2"
resolved "https://registry.npmjs.org/express-session/-/express-session-1.17.2.tgz"
