discourse/app/models/user_auth_token.rb

Ignoring revisions in .git-blame-ignore-revs. Click here to bypass and see the normal blame view.

302 lines
8.2 KiB
Ruby
Raw Normal View History

# frozen_string_literal: true
require "digest/sha1"
class UserAuthToken < ActiveRecord::Base
belongs_to :user
FEATURE: Apply rate limits per user instead of IP for trusted users (#14706) Currently, Discourse rate limits all incoming requests by the IP address they originate from regardless of the user making the request. This can be frustrating if there are multiple users using Discourse simultaneously while sharing the same IP address (e.g. employees in an office). This commit implements a new feature to make Discourse apply rate limits by user id rather than IP address for users at or higher than the configured trust level (1 is the default). For example, let's say a Discourse instance is configured to allow 200 requests per minute per IP address, and we have 10 users at trust level 4 using Discourse simultaneously from the same IP address. Before this feature, the 10 users could only make a total of 200 requests per minute before they got rate limited. But with the new feature, each user is allowed to make 200 requests per minute because the rate limits are applied on user id rather than the IP address. The minimum trust level for applying user-id-based rate limits can be configured by the `skip_per_ip_rate_limit_trust_level` global setting. The default is 1, but it can be changed by either adding the `DISCOURSE_SKIP_PER_IP_RATE_LIMIT_TRUST_LEVEL` environment variable with the desired value to your `app.yml`, or changing the setting's value in the `discourse.conf` file. Requests made with API keys are still rate limited by IP address and the relevant global settings that control API keys rate limits. Before this commit, Discourse's auth cookie (`_t`) was simply a 32 characters string that Discourse used to lookup the current user from the database and the cookie contained no additional information about the user. However, we had to change the cookie content in this commit so we could identify the user from the cookie without making a database query before the rate limits logic and avoid introducing a bottleneck on busy sites. Besides the 32 characters auth token, the cookie now includes the user id, trust level and the cookie's generation date, and we encrypt/sign the cookie to prevent tampering. Internal ticket number: t54739.
2021-11-17 15:27:30 -05:00
ROTATE_TIME_MINS = 10
ROTATE_TIME = ROTATE_TIME_MINS.minutes
# used when token did not arrive at client
URGENT_ROTATE_TIME = 1.minute
MAX_SESSION_COUNT = 60
USER_ACTIONS = ["generate"]
attr_accessor :unhashed_auth_token
before_destroy do
UserAuthToken.log_verbose(
action: "destroy",
user_auth_token_id: self.id,
user_id: self.user_id,
user_agent: self.user_agent,
client_ip: self.client_ip,
auth_token: self.auth_token,
)
end
def self.log(info)
UserAuthTokenLog.create!(info)
end
def self.log_verbose(info)
log(info) if SiteSetting.verbose_auth_token_logging
end
RAD_PER_DEG = Math::PI / 180
EARTH_RADIUS_KM = 6371 # kilometers
def self.login_location(ip)
ipinfo = DiscourseIpInfo.get(ip)
ipinfo[:latitude] && ipinfo[:longitude] ? [ipinfo[:latitude], ipinfo[:longitude]] : nil
end
def self.distance(loc1, loc2)
lat1_rad, lon1_rad = loc1[0] * RAD_PER_DEG, loc1[1] * RAD_PER_DEG
lat2_rad, lon2_rad = loc2[0] * RAD_PER_DEG, loc2[1] * RAD_PER_DEG
a =
Math.sin((lat2_rad - lat1_rad) / 2)**2 +
Math.cos(lat1_rad) * Math.cos(lat2_rad) * Math.sin((lon2_rad - lon1_rad) / 2)**2
c = 2 * Math.atan2(Math.sqrt(a), Math.sqrt(1 - a))
c * EARTH_RADIUS_KM
end
def self.is_suspicious(user_id, user_ip)
return false unless User.find_by(id: user_id)&.staff?
ips = UserAuthTokenLog.where(user_id: user_id).pluck(:client_ip)
ips.delete_at(ips.index(user_ip) || ips.length) # delete one occurrence (current)
ips.uniq!
return false if ips.empty? # first login is never suspicious
if user_location = login_location(user_ip)
ips.none? do |ip|
if location = login_location(ip)
distance(user_location, location) < SiteSetting.max_suspicious_distance_km
end
end
end
end
def self.generate!(
user_id:,
user_agent: nil,
client_ip: nil,
path: nil,
staff: nil,
impersonate: false,
authenticated_with_oauth: false
)
token = SecureRandom.hex(16)
hashed_token = hash_token(token)
user_auth_token =
UserAuthToken.create!(
user_id: user_id,
user_agent: user_agent,
client_ip: client_ip,
auth_token: hashed_token,
prev_auth_token: hashed_token,
rotated_at: Time.zone.now,
authenticated_with_oauth: !!authenticated_with_oauth,
)
user_auth_token.unhashed_auth_token = token
log(
action: "generate",
user_auth_token_id: user_auth_token.id,
user_id: user_id,
user_agent: user_agent,
client_ip: client_ip,
path: path,
auth_token: hashed_token,
)
if staff && !impersonate
Jobs.enqueue(
:suspicious_login,
user_id: user_id,
client_ip: client_ip,
user_agent: user_agent,
)
end
user_auth_token
end
def self.lookup(unhashed_token, opts = nil)
mark_seen = opts && opts[:seen]
token = hash_token(unhashed_token)
expire_before = SiteSetting.maximum_session_age.hours.ago
user_token =
where(
"(auth_token = :token OR
prev_auth_token = :token) AND rotated_at > :expire_before",
token: token,
expire_before: expire_before,
)
if SiteSetting.verbose_auth_token_logging && path = opts.dig(:path)
user_token = user_token.annotate("path:#{path}")
end
user_token = user_token.first
if !user_token
log_verbose(
action: "miss token",
user_id: nil,
auth_token: token,
user_agent: opts && opts[:user_agent],
path: opts && opts[:path],
client_ip: opts && opts[:client_ip],
)
return nil
end
if user_token.auth_token != token && user_token.prev_auth_token == token &&
user_token.auth_token_seen
changed_rows =
UserAuthToken
.where("rotated_at < ?", 1.minute.ago)
.where(id: user_token.id, prev_auth_token: token)
.update_all(auth_token_seen: false)
# not updating AR model cause we want to give it one more req
# with wrong cookie
UserAuthToken.log_verbose(
action: changed_rows == 0 ? "prev seen token unchanged" : "prev seen token",
user_auth_token_id: user_token.id,
user_id: user_token.user_id,
auth_token: user_token.auth_token,
user_agent: opts && opts[:user_agent],
path: opts && opts[:path],
client_ip: opts && opts[:client_ip],
)
end
if mark_seen && user_token && !user_token.auth_token_seen && user_token.auth_token == token
# we must protect against concurrency issues here
changed_rows =
UserAuthToken.where(id: user_token.id, auth_token: token).update_all(
auth_token_seen: true,
seen_at: Time.zone.now,
)
2017-02-14 09:34:39 -05:00
if changed_rows == 1
# not doing a reload so we don't risk loading a rotated token
user_token.auth_token_seen = true
user_token.seen_at = Time.zone.now
end
log_verbose(
action: changed_rows == 0 ? "seen wrong token" : "seen token",
user_auth_token_id: user_token.id,
user_id: user_token.user_id,
auth_token: user_token.auth_token,
user_agent: opts && opts[:user_agent],
path: opts && opts[:path],
client_ip: opts && opts[:client_ip],
)
end
user_token
end
def self.hash_token(token)
Digest::SHA1.base64digest("#{token}#{GlobalSetting.safe_secret_key_base}")
end
def self.cleanup!
if SiteSetting.verbose_auth_token_logging
UserAuthTokenLog.where(
"created_at < :time",
time: SiteSetting.maximum_session_age.hours.ago - ROTATE_TIME,
).delete_all
end
where(
"rotated_at < :time",
time: SiteSetting.maximum_session_age.hours.ago - ROTATE_TIME,
).delete_all
end
def rotate!(info = nil)
user_agent = (info && info[:user_agent] || self.user_agent)
client_ip = (info && info[:client_ip] || self.client_ip)
token = SecureRandom.hex(16)
result =
DB.exec(
"
UPDATE user_auth_tokens
SET
auth_token_seen = false,
seen_at = null,
user_agent = :user_agent,
client_ip = :client_ip,
prev_auth_token = case when auth_token_seen then auth_token else prev_auth_token end,
auth_token = :new_token,
rotated_at = :now
WHERE id = :id AND (auth_token_seen or rotated_at < :safeguard_time)
",
id: self.id,
user_agent: user_agent,
client_ip: client_ip&.to_s,
now: Time.zone.now,
new_token: UserAuthToken.hash_token(token),
safeguard_time: 30.seconds.ago,
)
if result > 0
reload
self.unhashed_auth_token = token
UserAuthToken.log(
action: "rotate",
user_auth_token_id: id,
user_id: user_id,
auth_token: auth_token,
user_agent: user_agent,
client_ip: client_ip,
path: info && info[:path],
)
true
else
false
end
end
def self.enforce_session_count_limit!(user_id)
tokens_to_destroy =
where(user_id: user_id)
.where("rotated_at > ?", SiteSetting.maximum_session_age.hours.ago)
.order("rotated_at DESC")
.offset(MAX_SESSION_COUNT)
tokens_to_destroy.delete_all # Returns the number of deleted rows
end
end
# == Schema Information
#
# Table name: user_auth_tokens
#
# id :integer not null, primary key
# user_id :integer not null
# auth_token :string not null
# prev_auth_token :string not null
# user_agent :string
# auth_token_seen :boolean default(FALSE), not null
# client_ip :inet
# rotated_at :datetime not null
# created_at :datetime not null
# updated_at :datetime not null
# seen_at :datetime
# authenticated_with_oauth :boolean default(FALSE)
2017-03-22 02:26:53 -04:00
#
# Indexes
#
# index_user_auth_tokens_on_auth_token (auth_token) UNIQUE
# index_user_auth_tokens_on_prev_auth_token (prev_auth_token) UNIQUE
# index_user_auth_tokens_on_user_id (user_id)
#