feat: use a FixedWindowRateLimiter keyed by IP to rate limit emails

we don't talk about the sent_emails table :)
2024-12-11 21:17:46 +01:00 · 2024-12-11 21:17:46 +01:00 · 51e335f090
commit 51e335f090
parent 1ce4f9d278
8 changed files with 75 additions and 87 deletions
--- a/Foxnouns.Backend/Controllers/Authentication/EmailAuthController.cs
+++ b/Foxnouns.Backend/Controllers/Authentication/EmailAuthController.cs
@ -36,6 +36,7 @@ public class EmailAuthController(
    DatabaseContext db,
    AuthService authService,
    MailService mailService,
+    EmailRateLimiter rateLimiter,
    KeyCacheService keyCacheService,
    UserRendererService userRenderer,
    IClock clock,
@ -68,6 +69,9 @@ public class EmailAuthController(
            return NoContent();
        }

+        if (IsRateLimited())
+            return NoContent();
+
        mailService.QueueAccountCreationEmail(req.Email, state);
        return NoContent();
    }
@ -221,6 +225,9 @@ public class EmailAuthController(
            return NoContent();
        }

+        if (IsRateLimited())
+            return NoContent();
+
        mailService.QueueAddEmailAddressEmail(req.Email, state, CurrentUser.Username);
        return NoContent();
    }
@ -274,4 +281,34 @@ public class EmailAuthController(
        if (!config.EmailAuth.Enabled)
            throw new ApiError.BadRequest("Email authentication is not enabled on this instance.");
    }
+
+    /// <summary>
+    /// Checks whether the context's IP address is rate limited from dispatching emails.
+    /// </summary>
+    private bool IsRateLimited()
+    {
+        if (HttpContext.Connection.RemoteIpAddress == null)
+        {
+            _logger.Information(
+                "No remote IP address in HTTP context for email-related request, ignoring as we can't rate limit it"
+            );
+            return true;
+        }
+
+        if (
+            !rateLimiter.IsLimited(
+                HttpContext.Connection.RemoteIpAddress.ToString(),
+                out Duration retryAfter
+            )
+        )
+        {
+            return false;
+        }
+
+        _logger.Information(
+            "IP address cannot send email until {RetryAfter}, ignoring",
+            retryAfter
+        );
+        return true;
+    }
 }
--- a/Foxnouns.Backend/Database/DatabaseContext.cs
+++ b/Foxnouns.Backend/Database/DatabaseContext.cs
@ -66,7 +66,6 @@ public class DatabaseContext(DbContextOptions options) : DbContext(options)
    public DbSet<Application> Applications { get; init; } = null!;
    public DbSet<TemporaryKey> TemporaryKeys { get; init; } = null!;
    public DbSet<DataExport> DataExports { get; init; } = null!;
-    public DbSet<SentEmail> SentEmails { get; init; } = null!;

    public DbSet<PrideFlag> PrideFlags { get; init; } = null!;
    public DbSet<UserFlag> UserFlags { get; init; } = null!;
@ -86,7 +85,6 @@ public class DatabaseContext(DbContextOptions options) : DbContext(options)
        modelBuilder.Entity<Member>().HasIndex(m => m.Sid).IsUnique();
        modelBuilder.Entity<TemporaryKey>().HasIndex(k => k.Key).IsUnique();
        modelBuilder.Entity<DataExport>().HasIndex(d => d.Filename).IsUnique();
-        modelBuilder.Entity<SentEmail>().HasIndex(e => new { e.Email, e.SentAt });

        // Two indexes on auth_methods, one for fediverse auth and one for all other types.
        modelBuilder
--- a/Foxnouns.Backend/Database/Migrations/DatabaseContextModelSnapshot.cs
+++ b/Foxnouns.Backend/Database/Migrations/DatabaseContextModelSnapshot.cs
@ -302,33 +302,6 @@ namespace Foxnouns.Backend.Database.Migrations
                    b.ToTable("pride_flags", (string)null);
                });

-            modelBuilder.Entity("Foxnouns.Backend.Database.Models.SentEmail", b =>
-                {
-                    b.Property<int>("Id")
-                        .ValueGeneratedOnAdd()
-                        .HasColumnType("integer")
-                        .HasColumnName("id");
-
-                    NpgsqlPropertyBuilderExtensions.UseIdentityByDefaultColumn(b.Property<int>("Id"));
-
-                    b.Property<string>("Email")
-                        .IsRequired()
-                        .HasColumnType("text")
-                        .HasColumnName("email");
-
-                    b.Property<Instant>("SentAt")
-                        .HasColumnType("timestamp with time zone")
-                        .HasColumnName("sent_at");
-
-                    b.HasKey("Id")
-                        .HasName("pk_sent_emails");
-
-                    b.HasIndex("Email", "SentAt")
-                        .HasDatabaseName("ix_sent_emails_email_sent_at");
-
-                    b.ToTable("sent_emails", (string)null);
-                });
-
            modelBuilder.Entity("Foxnouns.Backend.Database.Models.TemporaryKey", b =>
                {
                    b.Property<long>("Id")
--- a/Foxnouns.Backend/Database/Models/SentEmail.cs
+++ b/Foxnouns.Backend/Database/Models/SentEmail.cs
@ -1,13 +0,0 @@
-using System.ComponentModel.DataAnnotations.Schema;
-using NodaTime;
-
-namespace Foxnouns.Backend.Database.Models;
-
-public class SentEmail
-{
-    [DatabaseGenerated(DatabaseGeneratedOption.Identity)]
-    public int Id { get; init; }
-
-    public required string Email { get; init; }
-    public required Instant SentAt { get; init; }
-}
--- a/Foxnouns.Backend/Extensions/WebApplicationExtensions.cs
+++ b/Foxnouns.Backend/Extensions/WebApplicationExtensions.cs
@ -110,6 +110,7 @@ public static class WebApplicationExtensions
                    .AddSingleton<IClock>(SystemClock.Instance)
                    .AddSnowflakeGenerator()
                    .AddSingleton<MailService>()
+                    .AddSingleton<EmailRateLimiter>()
                    .AddScoped<UserRendererService>()
                    .AddScoped<MemberRendererService>()
                    .AddScoped<AuthService>()
--- a/Foxnouns.Backend/Services/DataCleanupService.cs
+++ b/Foxnouns.Backend/Services/DataCleanupService.cs
@ -33,9 +33,6 @@ public class DataCleanupService(

    public async Task InvokeAsync(CancellationToken ct = default)
    {
-        _logger.Debug("Cleaning up sent email cache");
-        await CleanEmailsAsync(ct);
-
        _logger.Debug("Cleaning up expired users");
        await CleanUsersAsync(ct);

@ -43,14 +40,6 @@ public class DataCleanupService(
        await CleanExportsAsync(ct);
    }

-    private async Task CleanEmailsAsync(CancellationToken ct = default)
-    {
-        Instant expiry = clock.GetCurrentInstant() - Duration.FromHours(2);
-        int count = await db.SentEmails.Where(e => e.SentAt < expiry).ExecuteDeleteAsync(ct);
-        if (count != 0)
-            _logger.Information("Deleted {Count} entries from the sent email cache", expiry);
-    }
-
    private async Task CleanUsersAsync(CancellationToken ct = default)
    {
        Instant selfDeleteExpires = clock.GetCurrentInstant() - User.DeleteAfter;
--- a/Foxnouns.Backend/Services/EmailRateLimiter.cs
+++ b/Foxnouns.Backend/Services/EmailRateLimiter.cs
@ -0,0 +1,36 @@
+using System.Collections.Concurrent;
+using System.Threading.RateLimiting;
+using NodaTime;
+using NodaTime.Extensions;
+
+namespace Foxnouns.Backend.Services;
+
+public class EmailRateLimiter
+{
+    private readonly ConcurrentDictionary<string, RateLimiter> _limiters = new();
+
+    private readonly FixedWindowRateLimiterOptions _limiterOptions =
+        new() { Window = TimeSpan.FromHours(2), PermitLimit = 3 };
+
+    private RateLimiter GetLimiter(string bucket) =>
+        _limiters.GetOrAdd(bucket, _ => new FixedWindowRateLimiter(_limiterOptions));
+
+    public bool IsLimited(string bucket, out Duration retryAfter)
+    {
+        RateLimiter limiter = GetLimiter(bucket);
+        RateLimitLease lease = limiter.AttemptAcquire();
+
+        if (!lease.IsAcquired)
+        {
+            retryAfter = lease.TryGetMetadata(MetadataName.RetryAfter, out TimeSpan timeSpan)
+                ? timeSpan.ToDuration()
+                : default;
+        }
+        else
+        {
+            retryAfter = Duration.Zero;
+        }
+
+        return !lease.IsAcquired;
+    }
+}
--- a/Foxnouns.Backend/Services/MailService.cs
+++ b/Foxnouns.Backend/Services/MailService.cs
@ -15,22 +15,11 @@
 using Coravel.Mailer.Mail;
 using Coravel.Mailer.Mail.Interfaces;
 using Coravel.Queuing.Interfaces;
-using Foxnouns.Backend.Database;
-using Foxnouns.Backend.Database.Models;
 using Foxnouns.Backend.Mailables;
-using Microsoft.EntityFrameworkCore;
-using NodaTime;

 namespace Foxnouns.Backend.Services;

-public class MailService(
-    ILogger logger,
-    IMailer mailer,
-    IQueue queue,
-    IClock clock,
-    Config config,
-    IServiceProvider serviceProvider
-)
+public class MailService(ILogger logger, IMailer mailer, IQueue queue, Config config)
 {
    private readonly ILogger _logger = logger.ForContext<MailService>();

@ -78,29 +67,7 @@ public class MailService(
    {
        try
        {
-            // ReSharper disable SuggestVarOrType_SimpleTypes
-            await using var scope = serviceProvider.CreateAsyncScope();
-            await using var db = scope.ServiceProvider.GetRequiredService<DatabaseContext>();
-            // ReSharper restore SuggestVarOrType_SimpleTypes
-
-            Instant now = clock.GetCurrentInstant();
-
-            int count = await db.SentEmails.CountAsync(e =>
-                e.Email == to && e.SentAt > (now - Duration.FromHours(1))
-            );
-            if (count >= 2)
-            {
-                _logger.Information(
-                    "Have already sent 2 or more emails to {ToAddress} in the past hour, not sending new email",
-                    to
-                );
-                return;
-            }
-
            await mailer.SendAsync(mailable);
-
-            db.SentEmails.Add(new SentEmail { Email = to, SentAt = now });
-            await db.SaveChangesAsync();
        }
        catch (Exception exc)
        {