Merge pull request #24 from zeeshanakram3/bypass_captcha_verification

Bypass Captcha Verification for Certain Requests
Joystream · Jul 19, 2023 · c4965ed · c4965ed
2 parents 36a9e6b + 4cb27b1
commit c4965ed
Show file tree

Hide file tree

Showing 7 changed files with 60 additions and 18 deletions.
diff --git a/README.md b/README.md
@@ -24,8 +24,8 @@ Will build and start the server.
 
 ## API
 
-### `POST /register`
-Send a JSON in the request body:
+### `POST -H Authorization: Bearer {CAPTCHA_BYPASS_KEY} /register`
+Send a JSON in the request body with an optional Bearer Authentication (if request wants to bypass captcha verification):
 
 ```
 {
@@ -108,4 +108,4 @@ docker compose up -d
 ### Setup Reverse proxy
 The webserice will be listening on localhost on the port you configured in your .env file.
 To make the service available publicly you will need to setup a reverse proxy with an ssl certificate.
-Nginx and caddy are good options. Example usage of caddy in [docker/docke-compose stack](https://hub.docker.com/_/caddy)
+Nginx and caddy are good options. Example usage of caddy with [docker/docker-compose stack](https://hub.docker.com/_/caddy)
diff --git a/env.example b/env.example
@@ -12,3 +12,4 @@ GLOBAL_API_LIMIT_INTERVAL_HOURS=1
 GLOBAL_API_LIMIT_MAX_IN_INTERVAL=10
 PER_IP_API_LIMIT_INTERVAL_HOURS=48
 PER_IP_API_LIMIT_MAX_IN_INTERVAL=1
+CAPTCHA_BYPASS_KEY=random-string-key
diff --git a/package-lock.json b/package-lock.json
diff --git a/package.json b/package.json
@@ -1,6 +1,6 @@
 {
  "name": "@joystream/member-faucet",
- "version": "0.1.0",
+ "version": "0.2.0",
  "main": "./lib/app.js",
  "license": "MIT",
  "scripts": {

diff --git a/src/app.ts b/src/app.ts
@@ -93,6 +93,11 @@ app.post('/register', async (req, res) => {
  captchaToken,
  } = req.body
 
+ const captchaBypassKey = (req: express.Request) => {
+ const authHeader = req.headers['authorization']
+ return authHeader && authHeader.split(' ')[1]
+ }
+
  processingRequest.lock(async () => {
  try {
  await register(
@@ -105,6 +110,7 @@ app.post('/register', async (req, res) => {
  about,
  externalResources,
  captchaToken,
+ captchaBypassKey(req),
  callback
  )
  } catch (err) {

diff --git a/src/config.ts b/src/config.ts
@@ -67,3 +67,7 @@ export const ALERT_TO_EMAIL = process.env.ALERT_TO_EMAIL
 export const HCAPTCHA_ENDPOINT = 'https://hcaptcha.com/siteverify'
 export const HCAPTCHA_SECRET = process.env.HCAPTCHA_SECRET
 export const HCAPTCHA_ENABLED = HCAPTCHA_ENDPOINT && HCAPTCHA_SECRET
+
+// A server-side configured key that client should send (in the `Authorization` header) along with
+// the request to `/register` endpoint if they want to bypass the captcha verification requirement.
+export const CAPTCHA_BYPASS_KEY = process.env.CAPTCHA_BYPASS_KEY
diff --git a/src/register.ts b/src/register.ts
@@ -12,6 +12,7 @@ import { MembershipMetadata } from '@joystream/metadata-protobuf'
 import IExternalResource = MembershipMetadata.IExternalResource
 import {
  ENABLE_API_THROTTLING,
+ CAPTCHA_BYPASS_KEY,
  GLOBAL_API_LIMIT_INTERVAL_HOURS,
  GLOBAL_API_LIMIT_MAX_IN_INTERVAL,
  HCAPTCHA_ENABLED,
@@ -28,12 +29,18 @@ const globalLimiter = new InMemoryRateLimiter({
  maxInInterval: GLOBAL_API_LIMIT_MAX_IN_INTERVAL,
 })
 
-// per ip rate limit
+// per ip rate limit to apply after input validation checks
 const ipLimiter = new InMemoryRateLimiter({
  interval: PER_IP_API_LIMIT_INTERVAL_HOURS * 60 * 60 * 1000, // milliseconds
  maxInInterval: PER_IP_API_LIMIT_MAX_IN_INTERVAL,
 })
 
+// very aggressive ip limit for failed authentication
+const authLimiter = new InMemoryRateLimiter({
+ interval: 1 * 60 * 60 * 1000, // milliseconds
+ maxInInterval: 3,
+})
+
 function memberIdFromEvent(events: EventRecord[]): MemberId | undefined {
  return getDataFromEvent(events, 'members', 'MembershipGifted', 0)
 }
@@ -56,31 +63,53 @@ export async function register(
  avatar: string | undefined,
  about: string,
  externalResources: IExternalResource[],
- captchaToken: string,
+ captchaToken: string | undefined,
+ captchaBypassKey: string | undefined,
  callback: RegisterCallback
 ) {
- // verify captcha if enabled
- if (HCAPTCHA_ENABLED) {
- if (!captchaToken) {
+
+ let canBypass = false
+ // Check if request is authorized to bypass captcha verification and ip rate limits
+ if ((HCAPTCHA_ENABLED || ENABLE_API_THROTTLING) && captchaBypassKey && CAPTCHA_BYPASS_KEY) {
+ const wasBlockedIp = await authLimiter.limit(`${ip}-auth`)
+ if((captchaBypassKey !== CAPTCHA_BYPASS_KEY) || wasBlockedIp) {
  callback(
  {
- error: 'MissingCaptchaToken',
+ error: 'Unauthorized', // keep it general, no need to reveal if throttle or bad key
  },
- 400
+ 403
  )
+ log(`Too many failed auth attempts from ${ip}`)
  return
+ } else {
+ authLimiter.clear(`${ip}-auth`)
+ canBypass = true
  }
- const captchaResult = await verifyCaptcha(captchaToken)
- if (captchaResult !== true) {
- log('captcha verification failed')
+ }
+
+ // verify captcha if enabled
+ if (HCAPTCHA_ENABLED && !canBypass) {
+ if (!captchaToken) {
  callback(
  {
- error: 'InvalidCaptchaToken',
- errorCodes: captchaResult,
+ error: 'MissingCaptchaToken',
  },
  400
  )
  return
+ } else {
+ const captchaResult = await verifyCaptcha(captchaToken)
+ if (captchaResult !== true) {
+ log('captcha verification failed')
+ callback(
+ {
+ error: 'InvalidCaptchaToken',
+ errorCodes: captchaResult,
+ },
+ 400
+ )
+ return
+ }
  }
  }
 
@@ -184,7 +213,9 @@ export async function register(
  return callback('FaucetExhausted', 400)
  }
 
- if (ENABLE_API_THROTTLING) {
+ // Do throttling after all input validation checks to avoid DoS attack by someone repeatedly
+ // trying to register with most likely outcome being unsuccsessful.
+ if (ENABLE_API_THROTTLING && !canBypass) {
  // apply limit per ip address
  const wasBlockedIp = await ipLimiter.limit(`${ip}-register`)
  if (wasBlockedIp) {