Lock users out temporarily after too many OTPs

[zachmargolis]

Why:
Use the database rather than rack-attack

[monfresh]

Call this method inside handle_valid_otp_delivery_preference since it only applies to OTP, and not TOTP? A global before action means this logic will get exercised when it doesn't need to. It only needs to be exercised when handle_valid_otp_delivery_preference is called.

[zachmargolis]

That's a great point! Thanks

[monfresh]

I'm not sure we want to treat this as a MULTI_FACTOR_AUTH_MAX_ATTEMPTS event. I think we need a separate event. Also, we were discussing not locking the user out, and displaying a message such as "Didn't receive your OTP? Please wait a minute before requesting a new one."

[zachmargolis]

Yeah you're right, it woudl be confusing with the same lockout event, I'll make another.

I don't recall the discussion about not locking the user out, but happy to change that behavior if we want

[monfresh]

Thanks for taking a first stab at this. Some notes:

• We want the rate limit to be applied at the phone number level to prevent someone from creating multiple accounts that use the same phone number, and logging into each account, thereby triggering an OTP to the phone number from each account.

• The logic doesn't seem quite right. The rate limit is meant to be timeboxed. If the rate limit is 3 tries within a findtimeof 5 minutes, if I make an OTP request at 12:01, and then wait until 12:06 to make the second request, my count should be reset back to 1. Instead, my count is set to 2, and my otp_first_sent_at is still set to 12:01.

[monfresh]

Given the complexity of the logic, I propose that we move it to a separate class.

[zachmargolis]

Good idea! Will move it to an OtpLimiter class

[monfresh]

This reset_attempt_count_if_user_no_longer_locked_out method only gets called after a user submits an OTP. It's a separate event than the one we are dealing with here. We need a new method in the OtpLimiter class that resets otp_send_count and otp_first_sent_at when the findtime has expired. Every time a user is about to be sent an OTP, the questions we need to ask are:

• Has it been more than findtime minutes since the user last received an OTP?
  • YES: set otp_send_count to 1 and otp_first_sent_at to Time.now. Incidentally, this should probably be called otp_last_sent_at.
  • NO: Is otp_send_count >= maxretry?
    • YES: Prevent the user from receiving OTPs for bantime minutes
    • NO: Increment otp_send_count

[zachmargolis]

Ah, yes. Thanks for pointing this out!

[zachmargolis]

I will rename the column and try to implement this, thanks for the details 😁

[zachmargolis]

Ok I gave this a shot & rebased

[monfresh]

I pushed a new commit with specs that define the desired behavior. Our goal is to make the tests pass. I can work on this.

[monfresh]

I pushed a commit to make one of the tests pass. One more to go.

[monfresh]

I added a new commit that should make all tests pass now. Let me know what you think of this approach. I know there are CC issues. I'll fix them later. There's also an issue that I'll need to write a test for because it's not tested: once a user gets locked out due to sending too many OTPs, when they log back in, the countdown timer is based on the max attempts lockout, which is 5 minutes, which might not necessarily be the same as the bantime for sending too many OTPs. We'll probably need to start tracking the cause of the lock out and display the appropriate content.

[zachmargolis]

New changes make sense to me!

[zachmargolis]

Can we add t.timestamps and an index on updated_at? That will let us have a periodic job to delete old records so the table doesn't grow too much

[monfresh]

Good idea.

[zachmargolis]

nit: double it

[monfresh]

@zachmargolis I addressed your feedback and made the changes to use a single lockout period for both max OTP attempts and requests. I think this PR is in good enough shape for now. Wanna take one last look, please?

[zachmargolis]

LGTM! I have some small cleanup suggestions but nothing big

[zachmargolis]

This is identitcal to lockout_time_remaining so I think we can remove it now

[monfresh]

Nice catch!

[zachmargolis]

So I think (like you mentioned) there is a small opportunity for a race condition here.

I think that if possible we should take advantage of Rail's first_or_create (as well as a top-level retry), so something like:

def find_or_create_with_phone(phone)
  return if phone.blank? # maybe just raise an error here?
  begin
    OtpRequestsTracker.where(phone_fingerprint: Pii::Fingerprinter.fingerprint(phone)).
      first_or_create(otp_send_count: 0, otp_last_sent_at: Time.zone.now)
  rescue ActiveRecord::RecordNotUnique
    retry # possibly use with_retries gem or add additional logic to only retry once
  end
end

[monfresh]

Good idea. Thanks for the suggestion!

[monfresh]

Weird. I pushed a 6th commit several minutes ago, but I don't see it on GitHub yet.

[zachmargolis]

We need to raise when we're not retrying otherwise this will just return nil and we'll get a NoMethodError rather than a duplicate key error

so like

rescue ActiveRecord::RecordNotUnique
  retry unless ...
  raise
end

[monfresh]

Fixed!

[zachmargolis]

Sweet! Thanks!!

[zachmargolis]

LGTM!

[monfresh]

What do you think about the Code Climate similar code issues? Are they worth fixing now, or can we ignore them?

[zachmargolis]

This PR has dragged out so long I think it would be worth ignoring the duplicate code, I can follow up with a PR to generate an encrypted setter for one-way hashes the way we do for others

[monfresh]

LGTM

[monfresh]

Sounds good. I told CC to approve this PR. Wanna squash and merge?

[zachmargolis]

ok! I'll rebase this PR into two commits (one for my changes, one for yours) and then merge this