Merge pull request #18952 from mozilla/configure-remaining-ratelimit-rules

task(auth,gql): Configure default limiting rules

Author: dschom

.circleci/config.yml

@@ -177,7 +177,8 @@ executors:
       CUSTOMS_SERVER_URL: none
       HUSKY_SKIP_INSTALL: 1
       AUTH_CLOUDTASKS_USE_LOCAL_EMULATOR: true
-      RATE_LIMIT__RULES: ""
+      # Seeing if clear customs approach works! RATE_LIMIT__RULES: ""
+      RATE_LIMIT__IGNORE_EMAILS: .*@restmail.net$
 
   # Contains a pre-installed fxa stack and browsers for doing ui test
   # automation. Perfect for running smoke tests against remote targets.

libs/accounts/rate-limit/src/lib/config.ts

@@ -44,7 +44,9 @@ export function parseConfigRules(
   // Loop overrules and group by the rule's action value.
   const ruleMap: Record<string, Rule[]> = {};
   const keys: Array<string> = [];
+  let lineNumber = 0;
   for (let line of rules) {
+    lineNumber++;
     // Clean up whitespace first.
     line = line.trim();
 
@@ -62,7 +64,7 @@ export function parseConfigRules(
 
     if (parts.length !== 5) {
       throw new InvalidRule(
-        `Rules must have 5 parts separated delimited by :. But was ${line}`,
+        `Issue detected on line ${lineNumber}. Rules must have 5 parts separated delimited by :. `,
         line
       );
     }

packages/functional-tests/lib/ratelimit.ts

@@ -0,0 +1,45 @@
+/* This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, You can obtain one at http://mozilla.org/MPL/2.0/. */
+
+import Redis from 'ioredis';
+import type { Redis as RedisType } from 'ioredis';
+
+/**
+ * A client that is useful to clear or emulate rate limiting scenarios. Note that this only
+ * works when running in the test CI or locally. This WILL NOT work for smoke tests!
+ */
+export class RateLimitClient {
+  private readonly redis: RedisType;
+
+  constructor() {
+    // Only works for local host!
+    this.redis = new Redis();
+  }
+
+  /**
+   * Resets all rate limiting counts in the Redis database. Useful during tests to avoid rate limiting.
+   * @param action - Optional action to target. If nothing is provided, all counts are cleared.
+   * @returns Number of keys deleted.
+   */
+  async resetCounts(action?: string) {
+    // Determine what keys to target
+    const pattern = action ? `rate-limit:*:${action}:*` : 'rate-limit:*';
+
+    let cursor = '0';
+    do {
+      const [nextCursor, keys] = await this.redis.scan(
+        cursor,
+        'MATCH',
+        pattern,
+        'COUNT',
+        100
+      );
+      cursor = nextCursor;
+      if (keys.length > 0) {
+        const deletedCount = await this.redis.del(...keys);
+        console.log(`Deleted ${deletedCount} keys from redis.`);
+      }
+    } while (cursor !== '0');
+  }
+}

packages/functional-tests/lib/targets/base.ts

@@ -44,7 +44,10 @@ export abstract class BaseTarget {
     return this.contentServerUrl;
   }
 
-  constructor(readonly authServerUrl: string, emailUrl?: string) {
+  constructor(
+    readonly authServerUrl: string,
+    emailUrl?: string
+  ) {
     const keyStretchVersion = parseInt(
       process.env.AUTH_CLIENT_KEY_STRETCH_VERSION || '1'
     );
@@ -65,6 +68,8 @@ export abstract class BaseTarget {
     });
   }
 
+  abstract clearRateLimits(): Promise<void>;
+
   abstract createAccount(
     email: string,
     password: string,

packages/functional-tests/lib/targets/local.ts

@@ -5,6 +5,7 @@
 import { BoolString } from '../../../fxa-auth-client/lib/client';
 import { TargetName } from '.';
 import { BaseTarget, Credentials } from './base';
+import { RateLimitClient } from '../ratelimit';
 
 const RELIER_CLIENT_ID = 'dcdb5ae7add825d2';
 const SUB_PRODUCT = 'prod_GqM9ToKK62qjkK';
@@ -23,16 +24,24 @@ export class LocalTarget extends BaseTarget {
     name: SUB_PRODUCT_NAME,
     plan: SUB_PLAN,
   };
+  readonly rateLimitClient: RateLimitClient;
 
   constructor() {
     super('http://localhost:9000', 'http://localhost:9001');
+    this.rateLimitClient = new RateLimitClient();
+  }
+
+  async clearRateLimits() {
+    this.rateLimitClient.resetCounts();
   }
 
   async createAccount(
     email: string,
     password: string,
     options = { lang: 'en', preVerified: 'true' as BoolString }
   ) {
+    // Quick and dirty way to see if this works...
+    await this.rateLimitClient.resetCounts();
     const result = await this.authClient.signUp(email, password, options);
     await this.authClient.deviceRegister(
       result.sessionToken,

packages/functional-tests/lib/targets/remote.ts

@@ -5,6 +5,10 @@
 import { BaseTarget, Credentials } from './base';
 
 export abstract class RemoteTarget extends BaseTarget {
+  async clearRateLimits() {
+    // no-op: We can't clear customs for smoke tests.
+  }
+
   async createAccount(
     email: string,
     password: string,

packages/functional-tests/tests/key-stretching-v2/changePassword.spec.ts

@@ -43,6 +43,10 @@ test.describe('severity-2 #smoke', () => {
     { signupVersion: v2, changeVersion: v2 },
   ];
 
+  test.beforeEach(async ({ target }) => {
+    await target.clearRateLimits();
+  });
+
   for (const { signupVersion, changeVersion } of TestCases) {
     test(`signs up as v${signupVersion.version} changes password from settings as v${changeVersion.version} for backbone`, async ({
       page,

packages/functional-tests/tests/misc/authClientV2.spec.ts

@@ -32,8 +32,9 @@ test.describe('auth-client-tests', () => {
     return credentials;
   }
 
-  test.beforeEach(({}, { project }) => {
+  test.beforeEach(async ({ target }, { project }) => {
     test.skip(project.name === 'production');
+    await target.clearRateLimits();
   });
 
   test('it creates with v1 and signs in', async ({

packages/functional-tests/tests/settings/changePassword.spec.ts

@@ -10,6 +10,11 @@ import { SigninPage } from '../../pages/signin';
 
 test.describe('severity-1 #smoke', () => {
   test.describe('change password tests', () => {
+
+    test.beforeEach(async ({ target }) => {
+      await target.clearRateLimits();
+    });
+
     test('change password with an incorrect old password', async ({
       target,
       pages: { page, changePassword, settings, signin },

packages/functional-tests/tests/settings/recoveryPhone.spec.ts

@@ -75,6 +75,10 @@ test.describe('severity-1 #smoke', () => {
       }
     });
 
+    test.beforeEach(async ({ target }) => {
+      await target.clearRateLimits();
+    });
+
     test('setup fails with invalid number', async ({
       target,
       pages: { page, settings, signin, recoveryPhone, totp },