DEPRECATED - Migrated to https://github.com/mozilla/fxa
fxa
Перейти к файлу
Greg Guthe 9b94bd1bdd Send violations to ip service (#148), r=@vbudhram
This adds the tigerblood-js-client to the customs server. This is used to report when a request has been blocked to the Tigerblood service. It is disabled by default.
2016-11-28 09:08:23 -05:00
bin feat(blocklist): Add blocklist module (#117), r=@rfk, @seanmonstar 2016-10-03 14:45:55 -04:00
config fix(config): restore top-level "config" dir for $(NODE_ENV).json files. 2016-02-19 11:05:45 +11:00
docs Send violations to ip service (#148), r=@vbudhram 2016-11-28 09:08:23 -05:00
grunttasks refactor(lib): Put all the code inside a "lib" subdirectory. 2016-02-17 15:59:00 +11:00
lib Send violations to ip service (#148), r=@vbudhram 2016-11-28 09:08:23 -05:00
scripts chore(lint): Fix up some linty issues noticed in PR review. 2016-10-17 12:38:58 +11:00
test Send violations to ip service (#148), r=@vbudhram 2016-11-28 09:08:23 -05:00
.awsbox.json Actually address the typo that Andy found 2014-06-27 15:05:27 +12:00
.eslintrc chore(build): Replace JSHint with ESLint 2015-06-29 17:20:42 -07:00
.gitignore chore(lint): Fix up some linty issues noticed in PR review. 2016-10-17 12:38:58 +11:00
.travis.yml feat(unblock): add unblock rate limits (#131); r=rfk 2016-10-05 14:25:58 +11:00
CHANGELOG Release v0.72.1 2016-10-26 13:49:22 +11:00
CONTRIBUTING.md Customize README and CONTRIBUTING for this repo 2014-05-21 16:53:29 +12:00
Gruntfile.js chore(build): Replace JSHint with ESLint 2015-06-29 17:20:42 -07:00
LICENSE Add a copy of the MPL and put tests in Public Domain 2014-05-06 16:28:34 +12:00
README.md chore(server): Remove some left-over references to account lockout. (#124) r=vladikoff 2016-08-02 10:35:32 -04:00
npm-shrinkwrap.json Send violations to ip service (#148), r=@vbudhram 2016-11-28 09:08:23 -05:00
package.json Send violations to ip service (#148), r=@vbudhram 2016-11-28 09:08:23 -05:00

README.md

Firefox Accounts Customs Server

Build Status

This project is used by the Firefox Accounts Auth Server to detect and deter fraud and abuse.

Prerequisites

  • node 0.10.x
  • npm
  • memcached
    • On Debian flavors of Linux: sudo apt-get install memcached
    • On Mac OS X: brew install memcached

Install

Clone the git repository and install dependencies:

git clone git://github.com/mozilla/fxa-customs-server.git
cd fxa-customs-server
npm install

To start the server, run:

npm start

It will listen on http://127.0.0.1:7000 by default.

Testing

Run tests with:

npm test

On Mac OS X, memcached must be manually started for the tests to run.

memcached &
npm test

Code

Here are the main components of this project:

  • ./bin/customs_server.js: process listening on the network and responding to HTTP API calls
  • ./lib/bans/: code implementing temporary bans of specific email or IP addresses and listening on the SQS API for requests
  • ./lib/config/config.js: where all of the configuration options are defined
  • ./lib/email_record.js, ./lib/ip_email_record.js and ./lib/ip_record.js: code implementing the various blocking and rate-limiting policies
  • ./scripts: helper scripts only used for development/testing
  • ./test/local: unit tests
  • ./test/remote: tests exercising the HTTP API

API

See our detailed API spec.

Policies

There are two types of policies:

  • rate-limiting: slows down attackers by temporarily blocking requests for 15 minutes (see config.limits.rateLimitIntervalSeconds)
  • block / ban: stops attacks by temporarily blocking requests for 24 hours (see config.limits.blockIntervalSeconds)

We currently have the following policies in place:

  • rate-limiting when too many emails (config.limits.maxEmails defaults to 3) have been sent to the same email address in a given time period (config.limits.rateLimitIntervalSeconds defaults to 15 minutes)
  • rate-limiting when too many requests to look up account status by email address (config.limits.maxAccountStatusCheck) have been sent from the same ip address during period (config.limits.rateLimitIntervalSeconds defaults to 15 minutes)
  • rate-limiting when too many failed login attempts (config.limits.maxBadLogins defaults to 2) have occurred for a given account and IP address, in a given time period (config.limits.rateLimitIntervalSeconds defaults to 15 minutes)
  • manual blocking of an account (see /blockEmail API call)
  • manual blocking of an IP address (see /blockIp API call)

The data that these policies are based on is stored in a memcache instance (keyed by email, ip or ip + email depending on the policy) and the code that implements them is split across these three files:

  • email_record.js handles blocking and rate-limiting based only on the email address
  • ip_email_record.js handles rate-limiting based on both the email and IP address of the request
  • ip_record.js handles blocking based only on the IP address

The rate-limiting and blocking policies are conveyed to the auth server via the block property in the response to /check.