[C4GT Community]: Checks in stencil to prevent exploitation of user-service

SamagraX-Stencil / stencil

NestJS on steroids 💪

https://stencil.samagra.io

MIT License

30 stars 33 forks source link

[C4GT Community]: Checks in stencil to prevent exploitation of user-service #74

Open tushar5526 opened 9 months ago

tushar5526 commented 9 months ago

Ticket Contents

Description

Sanity check on application ids being used in requests. Rate-limiting based on fingerprints to prevent DDoS or exploitation of sendOTP APIs

Goals

[ ] Tests and Docs for rate limiting methods used and updated docs for user service.

Expected Outcome

No response

Acceptance Criteria

No response

Implementation Details

Rate limiting can be done using a fingerprint library as we can't rate-limit based on the public IPs.

Mockups/Wireframes

No response

Product Name

Stencil

Organisation Name

SamagraX

Domain

No response

Tech Skills Needed

NestJS

Mentor(s)

@ChakshuGautam @tushar5526

Complexity

Medium

Category

Other

c4gt-community-support[bot] commented 9 months ago

Hi! Important Details - These following details are helpful for contributors to effectively identify and contribute to tickets.

Sub-Category - Please mention the sub-category if any for the ticket

Please update the ticket

Praneetha29 commented 9 months ago

Hello @tushar5526 @ChakshuGautam , can you please assign this issue and mentor me regarding the same?

Savio629 commented 7 months ago

@tushar5526 @ChakshuGautam Are we avoiding IP addresses because in most of the cases it does not only identifies it as a person, but rather a router which possibly may contain every individual connected with the router to be rate-limited.

Do we need to just add a fingerprint layer (like a auth) over api-requests? Ref: https://dev.fingerprint.com/docs/fingerprintjs-pro-server-api-nodejs-sdk

Savio629 commented 7 months ago

@tushar5526 @techsavvyash

VedantKhairnar commented 3 months ago

@techsavvyash @Savio629 Can we take this ahead?

ritankarsaha commented 1 day ago

@tushar5526

Basically, the task involves implementing rate-limiting based on user fingerprints, which is an alternative to using IP addresses for tracking and limiting API requests.

My approach would be , since rate-limiting based on IP addresses is not reliable (due to shared IP addresses, such as those on routers), we can use a fingerprinting technique to uniquely identify users or devices. A fingerprint can be generated using various client-side factors (e.g., browser characteristics, device information, etc.), which will serve as a better identifier for rate-limiting.

Lastly for integration factors, we can use FingerprintJS to generate a unique fingerprint for each request to generate a unique hash that can identify each users.

Is this implementation correct?

Savio629 commented 1 day ago

I was also thinking in the same way. Tushar isn't active at the moment. Maybe @techsavvyash could help you out...

ritankarsaha commented 1 day ago

I was also thinking in the same way. Tushar isn't active at the moment. Maybe @techsavvyash could help you out...

Ohh , if the approach is all right, I would like to take up on the issue. Also is there anything else I should have taken into consideration @Savio629 @techsavvyash