author | Brendan Abolivier <contact@brendanabolivier.com> | 2019-03-15 17:46:16 +0000 |
---|---|---|
committer | GitHub <noreply@github.com> | 2019-03-15 17:46:16 +0000 |
commit | 899e523d6d92dfbc17dce81eb36f63053e447a97 (patch) | |
tree | 5a8e2a7b2638cdc06a6dd4c8736c828c25ba47b9 /synapse/rest | |
parent | Merge pull request #4855 from matrix-org/rav/refactor_transaction_queue (diff) | |
download | synapse-899e523d6d92dfbc17dce81eb36f63053e447a97.tar.xz |
Add ratelimiting on login (#4821)
Add two ratelimiters on login (per-IP address and per-userID).
Diffstat (limited to 'synapse/rest')
-rw-r--r-- | synapse/rest/client/v1/login.py | 10 | ||||
-rw-r--r-- | synapse/rest/client/v2_alpha/register.py | 4 |
2 files changed, 12 insertions, 2 deletions
diff --git a/synapse/rest/client/v1/login.py b/synapse/rest/client/v1/login.py
index 6121c5b6df..8d56effbb8 100644
--- a/synapse/rest/client/v1/login.py
+++ b/synapse/rest/client/v1/login.py
@@ -22,6 +22,7 @@ from twisted.internet import defer
 from twisted.web.client import PartialDownloadError
 
 from synapse.api.errors import Codes, LoginError, SynapseError
+from synapse.api.ratelimiting import Ratelimiter
 from synapse.http.server import finish_request
 from synapse.http.servlet import (
     RestServlet,
@@ -97,6 +98,7 @@ class LoginRestServlet(ClientV1RestServlet):
         self.registration_handler = hs.get_registration_handler()
         self.handlers = hs.get_handlers()
         self._well_known_builder = WellKnownBuilder(hs)
+        self._address_ratelimiter = Ratelimiter()
 
     def on_GET(self, request):
         flows = []
@@ -129,6 +131,13 @@ class LoginRestServlet(ClientV1RestServlet):
 
     @defer.inlineCallbacks
     def on_POST(self, request):
+        self._address_ratelimiter.ratelimit(
+            request.getClientIP(), time_now_s=self.hs.clock.time(),
+            rate_hz=self.hs.config.rc_login_address.per_second,
+            burst_count=self.hs.config.rc_login_address.burst_count,
+            update=True,
+        )
+
         login_submission = parse_json_object_from_request(request)
         try:
             if self.jwt_enabled and (login_submission["type"] ==
@@ -285,6 +294,7 @@ class LoginRestServlet(ClientV1RestServlet):
             raise LoginError(401, "Invalid JWT", errcode=Codes.UNAUTHORIZED)
 
         user_id = UserID(user, self.hs.hostname).to_string()
+        auth_handler = self.auth_handler
         registered_user_id = yield auth_handler.check_user_exists(user_id)
 
         if registered_user_id:
diff --git a/synapse/rest/client/v2_alpha/register.py b/synapse/rest/client/v2_alpha/register.py
index 6f34029431..6d235262c8 100644
--- a/synapse/rest/client/v2_alpha/register.py
+++ b/synapse/rest/client/v2_alpha/register.py
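Review bot: `self._address_ratelimiter = Ratelimiter()` in the `__init__` hunk gives this servlet instance its own limiter, which presumably keeps its buckets in process memory (the Ratelimiter class is not visible here), so in a deployment that serves `/login` from several worker processes each worker counts separately and the effective per-IP burst is the configured value times the number of workers. A comment on the line would stop the next reader from assuming a cluster-wide limit: `# Per-process, in-memory: with N login workers the effective limit is N x the configured one`. If the limiter is meant to be shared with the one the register servlet already holds as `self.ratelimiter`, constructing a second instance here is worth a sentence explaining why they are separate.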
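Review bot: The new per-IP limiter at the top of `on_POST` keys on `request.getClientIP()`, so what it actually measures depends on the listener: behind a reverse proxy whose forwarded-for header is not honoured, every client shares the proxy's address and a single bucket, and a low `rc_login_address` then throttles all logins at once instead of one attacker. When the forwarded header is honoured, the limit is only as strong as the proxy's refusal to pass through a client-supplied header, and for IPv6 an attacker holding a /64 can rotate addresses cheaply, so a per-address limit there is a weaker control than the per-user one the commit message describes. I would record that assumption next to the call: `# Keyed on the client address as seen by this listener; behind a proxy this is only meaningful if forwarded headers are configured and trusted`. Running the limiter before the body is parsed and counting every attempt (`update=True`) is the right fail-closed order; `on_POST` continues past the end of the hunk.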
@@ -210,8 +210,8 @@ class RegisterRestServlet(RestServlet):
 
         allowed, time_allowed = self.ratelimiter.can_do_action(
             client_addr, time_now_s=time_now,
-            rate_hz=self.hs.config.rc_registration_requests_per_second,
-            burst_count=self.hs.config.rc_registration_request_burst_count,
+            rate_hz=self.hs.config.rc_registration.per_second,
+            burst_count=self.hs.config.rc_registration.burst_count,
             update=False,
         )
 