feat: enhance password change functionality with brute force protection

- Updated the change password endpoint to include client IP tracking and brute force protection mechanisms.
- Implemented logic to block excessive password change attempts, returning appropriate HTTP status and retry information.
- Refactored the PasswdService to handle client IP normalization and manage brute force failure states.
- Enhanced error handling for password change attempts, improving security and user feedback.

Author: tacxou

apps/api/src/management/passwd/passwd.controller.ts

@@ -1,4 +1,4 @@
-import { Body, Controller, Get, HttpStatus, Logger, Post, Res } from '@nestjs/common';
+import { Body, Controller, Get, HttpStatus, Logger, Post, Req, Res } from '@nestjs/common';
 import { ApiOperation, ApiResponse, ApiTags } from '@nestjs/swagger';
 import { Response } from 'express';
 import { Document } from 'mongoose';
@@ -12,6 +12,8 @@ import { PasswdadmService } from '~/settings/passwdadm.service';
 import { ChangePasswordDto } from './_dto/change-password.dto';
 import { ResetPasswordDto } from './_dto/reset-password.dto';
 import { PasswdService } from './passwd.service';
+import { resolveClientIp } from '~/_common/functions/resolve-client-ip';
+import { HttpException } from '@nestjs/common';
 
 @Controller('passwd')
 @ApiTags('management/passwd')
@@ -26,21 +28,36 @@ export class PasswdController {
   @Post('change')
   @ApiOperation({ summary: 'Execute un job de changement de mot de passe sur le/les backends' })
   @ApiResponse({ status: HttpStatus.OK, description: 'Mot de passe synchronisé sur le/les backends' })
-  public async change(@Body() body: ChangePasswordDto, @Res() res: Response): Promise<Response> {
+  public async change(@Req() req: any, @Body() body: ChangePasswordDto, @Res() res: Response): Promise<Response> {
     const debug = {};
 
-    const [, data] = await this.passwdService.change(body);
-    this.logger.log(`Call passwd change for : ${body.uid}`);
+    try {
+      const [, data] = await this.passwdService.change(body, resolveClientIp(req) ?? null);
+      this.logger.log(`Call passwd change for : ${body.uid}`);
 
-    if (process.env.NODE_ENV === 'development') {
-      debug['_debug'] = data;
-    }
+      if (process.env.NODE_ENV === 'development') {
+        debug['_debug'] = data;
+      }
 
-    return res.status(HttpStatus.OK).json({
-      message: 'Password changed',
-      status: 0,
-      ...debug,
-    });
+      return res.status(HttpStatus.OK).json({
+        message: 'Password changed',
+        status: 0,
+        ...debug,
+      });
+    } catch (e) {
+      if (e instanceof HttpException && e.getStatus?.() === HttpStatus.TOO_MANY_REQUESTS) {
+        const payload = e.getResponse() as any;
+        const retryAfterSeconds =
+          payload && typeof payload === 'object' && Number.isFinite(Number(payload.retryAfterSeconds))
+            ? Number(payload.retryAfterSeconds)
+            : 0;
+        if (retryAfterSeconds > 0) {
+          res.set('Retry-After', `${retryAfterSeconds}`);
+        }
+        return res.status(HttpStatus.TOO_MANY_REQUESTS).json(payload);
+      }
+      throw e;
+    }
   }
 
   @Post('resetbycode')

apps/api/src/management/passwd/passwd.service.ts

@@ -56,6 +56,12 @@ export class PasswdService extends AbstractService {
 
   public static readonly TOKEN_ALGORITHM = 'aes-256-gcm';
 
+  protected readonly BRUTEFORCE_FAIL_PREFIX = 'passwd:bf:fail';
+  protected readonly BRUTEFORCE_BLOCK_PREFIX = 'passwd:bf:block';
+  protected readonly BRUTEFORCE_THRESHOLD = 5;
+  protected readonly BRUTEFORCE_FAIL_WINDOW_SECONDS = 6 * 60 * 60;
+  protected readonly BRUTEFORCE_COOLDOWN_STEPS_SECONDS = [60, 300, 1800, 3600];
+
   public constructor(
     protected readonly backends: BackendsService,
     protected readonly identities: IdentitiesCrudService,
@@ -232,7 +238,21 @@ export class PasswdService extends AbstractService {
   }
 
   //Changement du password
-  public async change(passwdDto: ChangePasswordDto): Promise<[Jobs, any]> {
+  public async change(passwdDto: ChangePasswordDto, clientIp?: string | null): Promise<[Jobs, any]> {
+    const ip = this.normalizeClientIp(clientIp);
+    const uid = `${passwdDto?.uid || ''}`.trim();
+    const block = await this.getChangePasswordBruteforceBlock({ uid, ip });
+    if (block.blocked) {
+      throw new HttpException(
+        {
+          message: 'Too many password change attempts. Please retry later.',
+          retryAfterSeconds: block.retryAfterSeconds,
+        },
+        HttpStatus.TOO_MANY_REQUESTS,
+      );
+    }
+
+    let shouldCountFailure = false;
     try {
       const identity = (await this.identities.findOne({
         'inetOrgPerson.uid': passwdDto.uid,
@@ -253,6 +273,7 @@ export class PasswdService extends AbstractService {
       }
       await this.passwordHistory.assertNotReused(identity._id, passwdDto.newPassword);
       //tout est ok en envoie au backend
+      shouldCountFailure = true;
       const result = await this.backends.executeJob(
         ActionType.IDENTITY_PASSWORD_CHANGE,
         identity._id,
@@ -274,12 +295,28 @@ export class PasswdService extends AbstractService {
       await this.identities.model.updateOne({ _id: identity._id }, { dataStatus: DataStatusEnum.ACTIVE });
       await this.passwordHistory.recordPassword(identity._id, passwdDto.newPassword, 'change');
       await this.updatePasswordUsageExpiration(identity._id);
+      await this.clearChangePasswordBruteforceState({ uid, ip });
       return result;
     } catch (e) {
+      if (e instanceof HttpException && e.getStatus?.() === HttpStatus.TOO_MANY_REQUESTS) throw e;
+
       let job = undefined;
       let _debug = undefined;
       this.logger.error('Error while changing password. ' + e + ` (uid=${passwdDto?.uid})`);
 
+      if (shouldCountFailure) {
+        const failure = await this.registerChangePasswordBruteforceFailure({ uid, ip });
+        if (failure.blocked) {
+          throw new HttpException(
+            {
+              message: 'Too many password change attempts. Please retry later.',
+              retryAfterSeconds: failure.retryAfterSeconds,
+            },
+            HttpStatus.TOO_MANY_REQUESTS,
+          );
+        }
+      }
+
       if (e?.response?.status === HttpStatus.BAD_REQUEST) {
         job = {};
         job['status'] = e?.response?.job?.status;
@@ -299,6 +336,74 @@ export class PasswdService extends AbstractService {
     }
   }
 
+  protected normalizeClientIp(clientIp?: string | null): string | null {
+    if (!clientIp || typeof clientIp !== 'string') return null;
+    let value = clientIp.trim();
+    if (!value) return null;
+    if (value.startsWith('::ffff:')) value = value.slice(7);
+    const zoneIdx = value.indexOf('%');
+    if (zoneIdx > -1) value = value.slice(0, zoneIdx);
+    if (value === '::1') return '127.0.0.1';
+    return value;
+  }
+
+  protected hashKeyPart(value: string): string {
+    return crypto.createHash('sha256').update(value).digest('hex').slice(0, 32);
+  }
+
+  protected getChangePasswordBruteforceFailKey(params: { uid: string; ip: string | null }): string {
+    const ipPart = this.hashKeyPart(params.ip || 'n/a');
+    const uidPart = this.hashKeyPart(`${params.uid || ''}`.trim().toLowerCase());
+    return [this.BRUTEFORCE_FAIL_PREFIX, ipPart, uidPart].join(':');
+  }
+
+  protected getChangePasswordBruteforceBlockKey(params: { uid: string; ip: string | null }): string {
+    const ipPart = this.hashKeyPart(params.ip || 'n/a');
+    const uidPart = this.hashKeyPart(`${params.uid || ''}`.trim().toLowerCase());
+    return [this.BRUTEFORCE_BLOCK_PREFIX, ipPart, uidPart].join(':');
+  }
+
+  public async getChangePasswordBruteforceBlock(params: {
+    uid: string;
+    ip: string | null;
+  }): Promise<{ blocked: boolean; retryAfterSeconds: number }> {
+    const blockKey = this.getChangePasswordBruteforceBlockKey(params);
+    const ttl = await this.redis.ttl(blockKey);
+    const retryAfterSeconds = Number.isFinite(ttl) && ttl > 0 ? ttl : 0;
+    return { blocked: retryAfterSeconds > 0, retryAfterSeconds };
+  }
+
+  public async registerChangePasswordBruteforceFailure(params: {
+    uid: string;
+    ip: string | null;
+  }): Promise<{ count: number; blocked: boolean; retryAfterSeconds: number }> {
+    const failKey = this.getChangePasswordBruteforceFailKey(params);
+    const count = await this.redis.incr(failKey);
+    if (count === 1) {
+      await this.redis.expire(failKey, this.BRUTEFORCE_FAIL_WINDOW_SECONDS);
+    }
+
+    if (count < this.BRUTEFORCE_THRESHOLD) {
+      return { count, blocked: false, retryAfterSeconds: 0 };
+    }
+
+    const stepIndex = Math.min(
+      this.BRUTEFORCE_COOLDOWN_STEPS_SECONDS.length - 1,
+      Math.max(count - this.BRUTEFORCE_THRESHOLD, 0),
+    );
+    const cooldownSeconds =
+      this.BRUTEFORCE_COOLDOWN_STEPS_SECONDS[stepIndex] ?? this.BRUTEFORCE_COOLDOWN_STEPS_SECONDS.at(-1) ?? 60;
+
+    const blockKey = this.getChangePasswordBruteforceBlockKey(params);
+    await this.redis.set(blockKey, `${count}`, 'EX', cooldownSeconds);
+    return { count, blocked: true, retryAfterSeconds: cooldownSeconds };
+  }
+
+  public async clearChangePasswordBruteforceState(params: { uid: string; ip: string | null }): Promise<void> {
+    await this.redis.del(this.getChangePasswordBruteforceFailKey(params));
+    await this.redis.del(this.getChangePasswordBruteforceBlockKey(params));
+  }
+
   // Genere un token pour les autres methodes
   public async askToken(askToken: AskTokenDto, k, ttl: number): Promise<string> {
     try {