зеркало из https://github.com/mozilla/fxa.git
971296410f
|
||
|---|---|---|
| .. | ||
| .vscode | ||
| bin | ||
| config | ||
| docs | ||
| grunttasks | ||
| lib | ||
| scripts | ||
| test | ||
| .awsbox.json | ||
| .eslintrc | ||
| .nsprc | ||
| .prettierignore | ||
| CHANGELOG.md | ||
| CONTRIBUTING.md | ||
| Dockerfile | ||
| Gruntfile.js | ||
| LICENSE | ||
| README.md | ||
| package.json | ||
| pm2.config.js | ||
README.md
Firefox Accounts Customs Server
This project is used by the Firefox Accounts Auth Server to detect and deter fraud and abuse.
Development
To start the server, run:
npm start
It will listen on http://localhost:7000 by default.
Docker Based Development
To run the customs server via Docker:
$ docker-compose up mozilla/fxa_customs_server
Testing
Run tests with:
npm test
To run tests via Docker:
docker-compose run mozilla/fxa_customs_server npm test
Code
Here are the main components of this project:
./bin/customs_server.js: process listening on the network and responding to HTTP API calls./lib/bans/: code implementing temporary bans of specific email or IP addresses and listening on the SQS API for requests./lib/config/config.js: where all of the configuration options are defined./lib/email_record.js,./lib/ip_email_record.jsand./lib/ip_record.js: code implementing the various blocking and rate-limiting policies./scripts: helper scripts only used for development/testing./test/local: unit tests./test/remote: tests exercising the HTTP API
API
See our detailed API spec.
Policies
There are two types of policies:
- rate-limiting: slows down attackers by temporarily blocking requests for 15 minutes (see
config.limits.rateLimitIntervalSeconds) - block / ban: stops attacks by temporarily blocking requests for 24 hours (see
config.limits.blockIntervalSeconds)
We currently have the following policies in place:
- rate-limiting when too many emails (
config.limits.maxEmailsdefaults to 3) have been sent to the same email address in a given time period (config.limits.rateLimitIntervalSecondsdefaults to 15 minutes) - rate-limiting when too many requests to look up account status by email address (
config.limits.maxAccountStatusCheck) have been sent from the same ip address during - rate-limiting when too many sms (
config.limits.smsRateLimit.maxSms) have been sent from the same ip address during period (config.limits.smsRateLimit.limitIntervalSecondsdefaults to 60 minutes) - rate-limiting when too many sms (
config.limits.smsRateLimit.maxSms) have been sent from the same email address during period (config.limits.smsRateLimit.limitIntervalSecondsdefaults to 60 minutes) - rate-limiting when too many sms (
config.limits.smsRateLimit.maxSms) have been sent to the same phone number during period (config.limits.smsRateLimit.limitIntervalSecondsdefaults to 60 minutes) - rate-limiting when too many failed login attempts (
config.limits.maxBadLoginsdefaults to 2) have occurred for a given account and IP address, in a given time period (config.limits.rateLimitIntervalSecondsdefaults to 15 minutes) - rate-limiting too many attempts to verify randomly-generated codes (
config.limits.maxVerifyCodesdefaults to 10) have occurred for a given account and IP address, in a given time period (config.limits.rateLimitIntervalSecondsdefaults to 15 minutes) - manual blocking of an account (see
/blockEmailAPI call) - manual blocking of an IP address (see
/blockIpAPI call)
The data that these policies are based on is stored in a memcache instance (keyed by email, ip or ip + email depending on the policy) and the code that implements them is split across these three files:
email_record.jshandles blocking and rate-limiting based only on the email addressip_email_record.jshandles rate-limiting based on both the email and IP address of the requestip_record.jshandles blocking based only on the IP address
The rate-limiting and blocking policies are conveyed to the auth server via the block property in the response to /check.