dad97a5124
|
||
|---|---|---|
| bans | ||
| bin | ||
| config | ||
| docs | ||
| grunttasks | ||
| scripts | ||
| test | ||
| .awsbox.json | ||
| .eslintrc | ||
| .gitignore | ||
| .travis.yml | ||
| CHANGELOG | ||
| CONTRIBUTING.md | ||
| Gruntfile.js | ||
| LICENSE | ||
| README.md | ||
| email_record.js | ||
| ip_email_record.js | ||
| ip_record.js | ||
| log.js | ||
| npm-shrinkwrap.json | ||
| package.json | ||
README.md
Firefox Accounts Customs Server
This project is used by the Firefox Accounts Auth Server to detect and deter fraud and abuse.
Prerequisites
- node 0.10.x
- npm
- memcached
- On Debian flavors of Linux:
sudo apt-get install memcached - On Mac OS X:
brew install memcached
- On Debian flavors of Linux:
Install
Clone the git repository and install dependencies:
git clone git://github.com/mozilla/fxa-customs-server.git
cd fxa-customs-server
npm install
To start the server, run:
npm start
It will listen on http://127.0.0.1:7000 by default.
Testing
Run tests with:
npm test
On Mac OS X, memcached must be manually started for the tests to run.
memcached &
npm test
Code
Here are the main components of this project:
bans/: code implementing temporary bans of specific email or IP addresses and listening on the SQS API for requestsbin/customs_server.js: process listening on the network and responding to HTTP API callsconfig/config.js: where all of the configuration options are definedemail_record.js,ip_email_record.jsandip_record.js: code implementing the various blocking and rate-limiting policiesscripts: helper scripts only used for development/testingtest/local: unit teststest/remote: tests exercising the HTTP API
API
See our detailed API spec.
Policies
There are three types of policies:
- rate-limiting: slows down attackers by temporarily blocking requests for 15 minutes (see
config.limits.rateLimitIntervalSeconds) - block / ban: stops attacks by temporarily blocking requests for 24 hours (see
config.limits.blockIntervalSeconds) - lockout: stops password-guessing attacks by permanently blocking password-authenticated requests until the user reconfirms their email address by clicking a link
We currently have the following policies in place:
- rate-limiting when too many emails (
config.limits.maxEmailsdefaults to 3) have been sent to the same email address in a given time period (config.limits.rateLimitIntervalSecondsdefaults to 15 minutes) - rate-limiting when too many failed login attempts (
config.limits.maxBadLoginsdefaults to 2) have occurred for a given account and IP address, in a given time period (config.limits.rateLimitIntervalSecondsdefaults to 15 minutes) - lockout when too many failed login attempts (
config.limits.badLoginLockoutdefaults to 20) have occurred for a given account regardless of the IP address, in a given time period (config.limits.rateLimitIntervalSecondsdefaults to 15 minutes) - manual blocking of an account (see
/blockEmailAPI call) - manual blocking of an IP address (see
/blockIpAPI call)
The data that these policies are based on is stored in a memcache instance (keyed by email, ip or ip + email depending on the policy) and the code that implements them is split across these three files:
email_record.jshandles blocking and rate-limiting based only on the email addressip_email_record.jshandles rate-limiting based on both the email and IP address of the requestip_record.jshandles blocking based only on the IP address
The rate-limiting and blocking policies are conveyed to the auth server via the block property in the response to /check wheres the lockout policies are conveyed via the response to /failedLoginAttempt.