Prevent brute force login attack

author: Chocobozzz <me@florianbigard.com> 2018-03-29 10:58:24 +0200
committer: Chocobozzz <me@florianbigard.com> 2018-03-29 11:03:30 +0200
commit: 490b595a01c5824ff63ffb87f0efdfca95f4bf3b (patch)
tree: 3ad716fbb97a8b4ee946ad907202b82934a33d7c /server/tests
parent: 23f4c3d412974fa5fda52589d1192e098e260f1a (diff)
download: PeerTube-490b595a01c5824ff63ffb87f0efdfca95f4bf3b.tar.gz
PeerTube-490b595a01c5824ff63ffb87f0efdfca95f4bf3b.tar.zst
PeerTube-490b595a01c5824ff63ffb87f0efdfca95f4bf3b.zip
2 files changed, 90 insertions, 3 deletions
diff --git a/server/tests/api/server/reverse-proxy.ts b/server/tests/api/server/reverse-proxy.ts
new file mode 100644
index 000000000..aa4b3ae81
--- /dev/null
+++ b/server/tests/api/server/reverse-proxy.ts
@@ -0,0 +1,82 @@
+/* tslint:disable:no-unused-expression */
+import 'mocha'
+import * as chai from 'chai'
+import { About } from '../../../../shared/models/server/about.model'
+import { CustomConfig } from '../../../../shared/models/server/custom-config.model'
+import { deleteCustomConfig, getAbout, getVideo, killallServers, login, reRunServer, uploadVideo, userLogin, viewVideo } from '../../utils'
+const expect = chai.expect
+import {
+  getConfig,
+  flushTests,
+  runServer,
+  registerUser, getCustomConfig, setAccessTokensToServers, updateCustomConfig
+} from '../../utils/index'
+describe('Test application behind a reverse proxy', function () {
+  let server = null
+  let videoId
+  before(async function () {
+    this.timeout(30000)
+    await flushTests()
+    server = await runServer(1)
+    await setAccessTokensToServers([ server ])
+    const { body } = await uploadVideo(server.url, server.accessToken, {})
+    videoId = body.video.uuid
+  })
+  it('Should view a video only once with the same IP by default', async function () {
+    await viewVideo(server.url, videoId)
+    await viewVideo(server.url, videoId)
+    const { body } = await getVideo(server.url, videoId)
+    expect(body.views).to.equal(1)
+  })
+  it('Should view a video 2 times with the X-Forwarded-For header set', async function () {
+    await viewVideo(server.url, videoId, 204, '0.0.0.1,127.0.0.1')
+    await viewVideo(server.url, videoId, 204, '0.0.0.2,127.0.0.1')
+    const { body } = await getVideo(server.url, videoId)
+    expect(body.views).to.equal(3)
+  })
+  it('Should view a video only once with the same client IP in the X-Forwarded-For header', async function () {
+    await viewVideo(server.url, videoId, 204, '0.0.0.4,0.0.0.3,::ffff:127.0.0.1')
+    await viewVideo(server.url, videoId, 204, '0.0.0.5,0.0.0.3,127.0.0.1')
+    const { body } = await getVideo(server.url, videoId)
+    expect(body.views).to.equal(4)
+  })
+  it('Should view a video two times with a different client IP in the X-Forwarded-For header', async function () {
+    await viewVideo(server.url, videoId, 204, '0.0.0.8,0.0.0.6,127.0.0.1')
+    await viewVideo(server.url, videoId, 204, '0.0.0.8,0.0.0.7,127.0.0.1')
+    const { body } = await getVideo(server.url, videoId)
+    expect(body.views).to.equal(6)
+  })
+  it('Should rate limit logins', async function () {
+    const user = { username: 'root', password: 'fail' }
+    for (let i = 0; i < 9; i++) {
+      await userLogin(server, user, 400)
+    }
+    await userLogin(server, user, 429)
+  })
+  after(async function () {
+    process.kill(-server.app.pid)
+    // Keep the logs if the test failed
+    if (this['ok']) {
+      await flushTests()
+    }
+  })
+})
diff --git a/server/tests/utils/videos/videos.ts b/server/tests/utils/videos/videos.ts
index 424f41ed8..9bda53371 100644
--- a/server/tests/utils/videos/videos.ts
+++ b/server/tests/utils/videos/videos.ts
@@ -85,13 +85,18 @@ function getVideo (url: string, id: number | string, expectedStatus = 200) {
          .expect(expectedStatus)
 }
-function viewVideo (url: string, id: number | string, expectedStatus = 204) {
+function viewVideo (url: string, id: number | string, expectedStatus = 204, xForwardedFor?: string) {
  const path = '/api/v1/videos/' + id + '/views'
-  return request(url)
+  const req = request(url)
    .post(path)
    .set('Accept', 'application/json')
-    .expect(expectedStatus)
+  if (xForwardedFor) {
+    req.set('X-Forwarded-For', xForwardedFor)
+  }
+  return req.expect(expectedStatus)
 }
 function getVideoWithToken (url: string, token: string, id: number | string, expectedStatus = 200) {
author	Chocobozzz <me@florianbigard.com>	2018-03-29 10:58:24 +0200
committer	Chocobozzz <me@florianbigard.com>	2018-03-29 11:03:30 +0200
commit	490b595a01c5824ff63ffb87f0efdfca95f4bf3b (patch)
tree	3ad716fbb97a8b4ee946ad907202b82934a33d7c /server/tests
parent	23f4c3d412974fa5fda52589d1192e098e260f1a (diff)
download	PeerTube-490b595a01c5824ff63ffb87f0efdfca95f4bf3b.tar.gz PeerTube-490b595a01c5824ff63ffb87f0efdfca95f4bf3b.tar.zst PeerTube-490b595a01c5824ff63ffb87f0efdfca95f4bf3b.zip

diff --git a/server/tests/api/server/reverse-proxy.ts b/server/tests/api/server/reverse-proxy.ts new file mode 100644 index 000000000..aa4b3ae81 --- /dev/null +++ b/server/tests/api/server/reverse-proxy.ts
@@ -0,0 +1,82 @@
		1	/* tslint:disable:no-unused-expression */
		2
		3	import 'mocha'
		4	import * as chai from 'chai'
		5	import { About } from '../../../../shared/models/server/about.model'
		6	import { CustomConfig } from '../../../../shared/models/server/custom-config.model'
		7	import { deleteCustomConfig, getAbout, getVideo, killallServers, login, reRunServer, uploadVideo, userLogin, viewVideo } from '../../utils'
		8	const expect = chai.expect
		9
		10	import {
		11	getConfig,
		12	flushTests,
		13	runServer,
		14	registerUser, getCustomConfig, setAccessTokensToServers, updateCustomConfig
		15	} from '../../utils/index'
		16
		17	describe('Test application behind a reverse proxy', function () {
		18	let server = null
		19	let videoId
		20
		21	before(async function () {
		22	this.timeout(30000)
		23
		24	await flushTests()
		25	server = await runServer(1)
		26	await setAccessTokensToServers([ server ])
		27
		28	const { body } = await uploadVideo(server.url, server.accessToken, {})
		29	videoId = body.video.uuid
		30	})
		31
		32	it('Should view a video only once with the same IP by default', async function () {
		33	await viewVideo(server.url, videoId)
		34	await viewVideo(server.url, videoId)
		35
		36	const { body } = await getVideo(server.url, videoId)
		37	expect(body.views).to.equal(1)
		38	})
		39
		40	it('Should view a video 2 times with the X-Forwarded-For header set', async function () {
		41	await viewVideo(server.url, videoId, 204, '0.0.0.1,127.0.0.1')
		42	await viewVideo(server.url, videoId, 204, '0.0.0.2,127.0.0.1')
		43
		44	const { body } = await getVideo(server.url, videoId)
		45	expect(body.views).to.equal(3)
		46	})
		47
		48	it('Should view a video only once with the same client IP in the X-Forwarded-For header', async function () {
		49	await viewVideo(server.url, videoId, 204, '0.0.0.4,0.0.0.3,::ffff:127.0.0.1')
		50	await viewVideo(server.url, videoId, 204, '0.0.0.5,0.0.0.3,127.0.0.1')
		51
		52	const { body } = await getVideo(server.url, videoId)
		53	expect(body.views).to.equal(4)
		54	})
		55
		56	it('Should view a video two times with a different client IP in the X-Forwarded-For header', async function () {
		57	await viewVideo(server.url, videoId, 204, '0.0.0.8,0.0.0.6,127.0.0.1')
		58	await viewVideo(server.url, videoId, 204, '0.0.0.8,0.0.0.7,127.0.0.1')
		59
		60	const { body } = await getVideo(server.url, videoId)
		61	expect(body.views).to.equal(6)
		62	})
		63
		64	it('Should rate limit logins', async function () {
		65	const user = { username: 'root', password: 'fail' }
		66
		67	for (let i = 0; i < 9; i++) {
		68	await userLogin(server, user, 400)
		69	}
		70
		71	await userLogin(server, user, 429)
		72	})
		73
		74	after(async function () {
		75	process.kill(-server.app.pid)
		76
		77	// Keep the logs if the test failed
		78	if (this['ok']) {
		79	await flushTests()
		80	}
		81	})
		82	})


diff --git a/server/tests/utils/videos/videos.ts b/server/tests/utils/videos/videos.ts index 424f41ed8..9bda53371 100644 --- a/server/tests/utils/videos/videos.ts +++ b/server/tests/utils/videos/videos.ts
@@ -85,13 +85,18 @@ function getVideo (url: string, id: number \| string, expectedStatus = 200) {
85	.expect(expectedStatus)	85	.expect(expectedStatus)
86	}	86	}
87		87
88	function viewVideo (url: string, id: number \| string, expectedStatus = 204) {	88	function viewVideo (url: string, id: number \| string, expectedStatus = 204, xForwardedFor?: string) {
89	const path = '/api/v1/videos/' + id + '/views'	89	const path = '/api/v1/videos/' + id + '/views'
90		90
91	return request(url)	91	const req = request(url)
92	.post(path)	92	.post(path)
93	.set('Accept', 'application/json')	93	.set('Accept', 'application/json')
94	.expect(expectedStatus)	94
		95	if (xForwardedFor) {
		96	req.set('X-Forwarded-For', xForwardedFor)
		97	}
		98
		99	return req.expect(expectedStatus)
95	}	100	}
96		101
97	function getVideoWithToken (url: string, token: string, id: number \| string, expectedStatus = 200) {	102	function getVideoWithToken (url: string, token: string, id: number \| string, expectedStatus = 200) {