fix(auth): add account+IP brute-force rate limiting

SECURITY_PASSWORD_PLAN.md

@@ -0,0 +1,77 @@
+# Password Security Hardening Plan
+
+## Scope
+- Applies to auth and password flows in:
+  - `index.js`
+  - `auth/authEmail.js`
+  - `mongoDB.js`
+
+## 1. Replace insecure reset flow with single-use token login
+- Problem:
+  - Current flow resets by username and emails a plaintext temporary password.
+- Implementation:
+  - Keep `POST /resetPassword` as token request endpoint:
+    - Accept identifier (email/username).
+    - Always return generic success response.
+    - If account exists, create one-time login token with short TTL (15-30 min), store hashed token, email link.
+  - Add `POST /password/token-login`:
+    - Accept token.
+    - Validate token (exists, not expired, unused), mark used atomically, then create normal auth session cookies.
+  - Data model:
+    - New collection `password_login_tokens` with fields:
+      - `userId`, `tokenHash`, `expiresAt`, `usedAt`, `createdAt`, `requestMeta`.
+    - Add TTL index on `expiresAt`.
+
+## 2. Remove credential handling from GET/query
+- Problem:
+  - `/signup` and `/login` accept GET and query params for credentials.
+- Implementation:
+  - Change auth routes to `POST` only.
+  - Read credentials from JSON body only.
+  - Reject query-based credential inputs with `400`.
+  - Update Swagger docs and clients accordingly.
+
+## 3. Add account-aware brute-force protection
+- Problem:
+  - Only global IP limiter exists; auth endpoints are not sufficiently protected.
+- Implementation:
+  - Add dedicated limiter middleware for auth endpoints (`/login`, `/password/request-reset`, `/password/confirm-reset`):
+    - Combined key: normalized username/email + source IP.
+    - Lower thresholds and progressive backoff/lockout window.
+  - Add telemetry for blocked attempts.
+  - Optionally store counters in Redis if horizontally scaled.
+
+## 4. Prevent account enumeration
+- Problem:
+  - API exposes different responses for unknown user vs wrong password.
+- Implementation:
+  - Login: same response for invalid credentials regardless of user existence.
+  - Reset request: always same response regardless of account existence.
+  - Keep detailed reason only in internal logs/analytics.
+
+## 5. Keep strong password hashing policy (clarify bcrypt behavior)
+- Problem:
+  - Existing TODO comments incorrectly state bcrypt needs manual salt handling.
+- Implementation:
+  - Keep bcrypt (or migrate to Argon2id in a separate change set).
+  - Centralize hash policy:
+    - cost factor (benchmark-backed; start at 12 if acceptable latency).
+    - minimum password length and strength checks.
+  - On login, detect outdated hash params and rehash after successful auth.
+
+## Suggested rollout order
+1. Tokenized login flow (new endpoint + DB token store).
+2. POST-only auth route enforcement.
+3. Generic auth/reset responses.
+4. Dedicated auth rate limiting.
+5. Hash policy tuning + opportunistic rehash.
+
+## Validation checklist
+- Unit/integration tests:
+  - token creation, expiry, one-time use, invalid token paths.
+  - login generic error response behavior.
+  - auth rate limiter trigger and cooldown.
+  - query credential rejection.
+- Manual:
+  - verify no plaintext password emails are sent.
+  - verify token cannot be reused after first successful consumption.

auth/authEmail.js

@@ -9,15 +9,49 @@ const Notifications = require("../notifications");
 // Object Definitions
 const Post = require("../def/post.js")
 const Profile = require("../def/profile.js");
+const DUMMY_BCRYPT_HASH = '$2b$10$2zQfAaxK0cN13N7V2Q5hAOL3wxY5E9OQj1YxDCEV4VpWw2X2gYd6C';
+const PASSWORD_TOKEN_TTL_MINUTES = parseInt(process.env.PASSWORD_TOKEN_TTL_MINUTES || '20', 10);
+const PASSWORD_TOKEN_PATH = process.env.PASSWORD_TOKEN_PATH || '/token-login';
+const FRONTEND_URL = (process.env.FRONTEND_URL || 'https://social.emmint.com').replace(/\/+$/, '');
+
+const createPasswordTokenHash = (rawToken) =>
+    crypto.createHash('sha256').update(rawToken).digest('hex');
+
+const createSessionFromUser = async ({ DB, user, req, res }) => {
+    const sessionObj = await DB.newSession(user._id);
+    res.cookie('user_sid', user._id, cookiesOptions);
+    res.cookie('session_id', sessionObj.insertedId, cookiesOptions);
+    const latestUpdatedProfile = await DB.latestProfile(user._id);
+    if (latestUpdatedProfile && latestUpdatedProfile._id) {
+        res.cookie('profile_id', latestUpdatedProfile._id, cookiesOptions);
+    }
+    client_logger.identify({
+        distinctId: user._id,
+        properties: {
+            name: latestUpdatedProfile?.profile?.firstName || '',
+        }
+    });
+    client_logger.capture({
+        distinctId: user._id,
+        event: 'server@' + req.method + '@' + req.originalUrl,
+    });
+    return {
+        status: "ok",
+        user_sid: user._id,
+        session_id: sessionObj.insertedId,
+        profile_id: latestUpdatedProfile?._id
+    };
+};
 
 // Function to Singup new users. An user is a combination of a user obj and a profile.
 // When new users are subscribed, they have a single profile, which is the personal one.
 // Other profiles can be link to that user, like groups or courses.
 const signup = async function (req, res) {
-    const username = req.query.username || req.body.username;
+    // SECURITY FIX (#2): only accept credentials from request body.
-    const password = req.query.password || req.body.password;
+    const username = (req.body.username || "").trim().toLowerCase();
-    const email = req.query.email || req.body.email;
+    const password = req.body.password;
-    const profile = req.query.profile || req.body.profile;
+    const email = (req.body.email || "").trim().toLowerCase();
+    const profile = req.body.profile;
     if (!username || !password || !email) return res.json({ status: "Incomplete information!" });
     // Check if the new user has an invitation.
     const DB = await MongoDB.getDB;
@@ -34,12 +68,13 @@ const signup = async function (req, res) {
     }
     let isUserAlreadyRegistered = await DB.getUser(email);
     if (isUserAlreadyRegistered && isUserAlreadyRegistered._id) return res.json({ status: "This user is already registered" });
-    // Hash password to be stored on the DB.
+    // SECURITY PLAN (point #5):
-    // TODO: I think this is missing a Salt factor to improve security
+    // bcrypt.hash already includes a per-password salt.
+    // Future hardening: centralize cost factor policy (and consider rehash-on-login).
     const hashedPassword = await bcrypt.hash(password, 10);
     const newUserObject = await DB.newUser({
-        username: username.toLowerCase(),
+        username,
-        email: email.toLowerCase(),
+        email,
         password: hashedPassword
     });
     // If newUserObject it's an error message, we check by looking toLowerCase function 
@@ -79,47 +114,28 @@ const login = async function (req, res) {
         const userInfo = await DB.checkSessionOnDB(session_id, user_sid);
         if (userInfo) return res.redirect('/');
     }
-    const username = req.body.username || req.query.username;
+    const invalidCredentials = () => res.status(401).json({ status: "Invalid credentials" });
-    const password = req.body.password || req.query.password || "";
+    // SECURITY FIX (#2): only accept credentials from request body.
+    const username = (req.body.username || req.body.email || "").trim().toLowerCase();
+    const password = req.body.password || "";
+    if (!username || !password) return invalidCredentials();
     const user = await DB.getUser(username);
+
     if (!user) {
         client_logger.capture({
             distinctId: 'app_level',
-            event: 'server@' + req.method + '@' + req.originalUrl + '@userNotFound',
+            event: 'server@' + req.method + '@' + req.originalUrl + '@invalidCredentials',
-            properties: {
+            properties: { username },
-                username: username,
-            }
         });
-        return res.json({ status: "user not founded" });
     }
-    // TODO: Also add salt parameter here.
+    // SECURITY PLAN (point #5):
-    const isSamePassword = await bcrypt.compare(password, user.password);
+    // bcrypt.compare validates salted hashes directly; no manual salt parameter is needed.
-    if (!isSamePassword) return res.json({ status: "incorrect password" });
+    // SECURITY FIX (#4): compare against dummy hash when user doesn't exist to reduce timing side-channel.
+    const isSamePassword = await bcrypt.compare(password, user?.password || DUMMY_BCRYPT_HASH);
+    // SECURITY FIX (#4): same response for non-existing user and wrong password.
+    if (!user || !isSamePassword) return invalidCredentials();
     try {
-        // Store a new session loging on DB, and use ID as session ID
+        return res.json(await createSessionFromUser({ DB, user, req, res }));
-        const sessionObj = await DB.newSession(user._id);
-        // Create coockies with information for Auth
-        res.cookie('user_sid', user._id, cookiesOptions);
-        res.cookie('session_id', sessionObj.insertedId, cookiesOptions);
-        // Chooses the most recent update profile as current active profile
-        const latestUpdatedProfile = await DB.latestProfile(user._id);
-        res.cookie('profile_id', latestUpdatedProfile._id, cookiesOptions);
-        client_logger.identify({
-            distinctId: user._id,
-            properties: {
-                name: latestUpdatedProfile.profile.firstName,
-            }
-        });
-        client_logger.capture({
-            distinctId: user._id,
-            event: 'server@' + req.method + '@' + req.originalUrl,
-        });
-        return res.json({
-            status: "ok",
-            user_sid: user._id,
-            session_id: sessionObj.insertedId,
-            profile_id: latestUpdatedProfile._id
-        });
     } catch (error) {
         console.error(error);
         client_logger.capture({
@@ -151,51 +167,44 @@ const logout = async function (req, res) {
     }
 }
 
-// Util function for generating new random password for users.
-function generatePassword(length = 12) {
-    const charset = "abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789!@#$%^&*()-_=+";
-    return Array.from(crypto.randomFillSync(new Uint8Array(length)))
-        .map((x) => charset[x % charset.length])
-        .join("");
-}
-
 const resetPassword = async function (req, res) {
-    const session_id = getSessionId(req);
-    const user_sid = getUserId(req);
     const DB = await MongoDB.getDB;
-    if (session_id && user_sid) {
+
-        // Sadly reusing this endpoint to change password to legged in users.
+    // SECURITY FIX (#1): issue a single-use token instead of sending/changing passwords.
-        // TODO: Move change password logic to its own endpoint.
+    const genericResetResponse = {
-        const userInfo = await DB.checkSessionOnDB(session_id, user_sid);
+        status: "ok",
-        if (userInfo) {
+        details: "If the account exists, check your email for next steps"
-            const password = req.body.password;
+    };
-            const hashedPassword = await bcrypt.hash(password, 10);
-            // TODO: Add salt to password here as well.
-            DB.resetUserPassword(userInfo.username, hashedPassword);
-            return res.json({
-                status: "ok",
-                details: 'password changed!' // This should be an enum that syncs with clients.
-            });
-        }
-    }
     // Logic for non-logged in users.
-    const username = req.body.username;
+    const username = (req.body.username || req.body.email || "").trim().toLowerCase();
+    if (!username) return res.json(genericResetResponse);
     const user = await DB.getUser(username);
-    if (!user) return res.json({ status: "user not founded" });
+    if (!user) {
-    const password = generatePassword();
+        client_logger.capture({
-    const hashedPassword = await bcrypt.hash(password, 10);
+            distinctId: 'app_level',
-    // TODO: Add salt to password here as well.
+            event: 'server@' + req.method + '@' + req.originalUrl + '@resetRequestedUnknownUser',
-    // TODO: We need to limit this to every 2 hours or something like this.
+            properties: { username }
-    // TODO: Move this template to the Notif file.
+        });
-    DB.resetUserPassword(username, hashedPassword);
+        return res.json(genericResetResponse);
-    Notifications.sendEmail(username, "Your new credentials",
+    }
+    const rawToken = crypto.randomBytes(32).toString('hex');
+    const tokenHash = createPasswordTokenHash(rawToken);
+    const expiresAt = new Date(Date.now() + PASSWORD_TOKEN_TTL_MINUTES * 60 * 1000);
+    const tokenStored = await DB.createPasswordLoginToken(user._id, tokenHash, expiresAt);
+    if (!tokenStored) {
+        return res.json(genericResetResponse);
+    }
+    const loginUrl = `${FRONTEND_URL}${PASSWORD_TOKEN_PATH}?token=${rawToken}`;
+    Notifications.sendEmail(username, "Your secure sign-in link",
         `
-<p> Hello,</p>
+<p>Hello,</p>
-<p> This is your new password: ${password}</p>
+<p>Use this one-time sign-in link to access your account:</p>
-<p><a href="https://social.emmint.com/">Log in</a></p>
+<p><a href="${loginUrl}">${loginUrl}</a></p>
+<p>This link expires in ${PASSWORD_TOKEN_TTL_MINUTES} minutes and can only be used once.</p>
+<p>If you did not request this, you can ignore this email.</p>
 <p>Blessings</p>
 <p>Emmanuel International Ministries</p>
-`)
+`);
     client_logger.capture({
         distinctId: user._id,
         event: 'server@' + req.method + '@' + req.originalUrl,
@@ -203,10 +212,30 @@ const resetPassword = async function (req, res) {
             username: username,
         }
     });
-    return res.json({
+    return res.json(genericResetResponse);
-        status: "ok",
+}
-        details: 'Check your email for new password' // Enum of details?
+
-    });
+const loginWithPasswordToken = async function (req, res) {
+    const DB = await MongoDB.getDB;
+    const token = (req.body.token || "").trim();
+    if (!token || token.length < 32) {
+        return res.status(401).json({ status: "Invalid or expired token" });
+    }
+    const tokenHash = createPasswordTokenHash(token);
+    const tokenDoc = await DB.consumePasswordLoginToken(tokenHash);
+    if (!tokenDoc || !tokenDoc.userId) {
+        return res.status(401).json({ status: "Invalid or expired token" });
+    }
+    const user = await DB.getUserById(tokenDoc.userId);
+    if (!user || !user._id) {
+        return res.status(401).json({ status: "Invalid or expired token" });
+    }
+    try {
+        return res.json(await createSessionFromUser({ DB, user, req, res }));
+    } catch (error) {
+        console.error("Token login error", error);
+        return res.status(500).json({ status: "Internal server error" });
+    }
 }
 
 
@@ -215,4 +244,5 @@ module.exports = {
     login,
     logout,
     resetPassword,
-}
+    loginWithPasswordToken,
+}

index.js

@@ -9,6 +9,7 @@ require('dotenv').config();
 const express = require('express');
 const app = express();
 const port = process.env.PORT || 3000;
+app.set('trust proxy', true);
 // -- Accept request from other origins
 const cors = require('cors');
 const { corsOptions } = require('./config/corsOptions');
@@ -34,11 +35,11 @@ const limiter = rateLimit({
         return ip.includes(":") ? ip.split(":")[0] : ip; // Remove port if present
     }
 });
-app.set('trust proxy', true);
 app.use(limiter);
 
 // Authentication
-const { signup, login, logout, resetPassword } = require('./auth/authEmail.js');
+const { signup, login, logout, resetPassword, loginWithPasswordToken } = require('./auth/authEmail.js');
+const { authRateLimiter } = require('./middleware/authRateLimiter');
 /**
  * @swagger
  * /signup:
@@ -71,7 +72,8 @@ const { signup, login, logout, resetPassword } = require('./auth/authEmail.js');
  *       400:
  *         description: Bad request.
  */
-app.route('/signup').get(signup).post(signup);
+// SECURITY FIX (#2): POST-only signup to avoid query-string credential leakage.
+app.post('/signup', signup);
 /**
  * @swagger
  * /login:
@@ -104,7 +106,8 @@ app.route('/signup').get(signup).post(signup);
  *       401:
  *         description: Invalid credentials.
  */
-app.route('/login').get(login).post(login);
+// SECURITY FIX (#2): POST-only login to avoid query-string credential leakage.
+app.post('/login', authRateLimiter('login'), login);
 /**
  * @swagger
  * /logout:
@@ -127,7 +130,7 @@ app.get('/logout', logout);
  * @swagger
  * /resetPassword:
  *   post:
- *     summary: Resets a user's password
+ *     summary: Sends a one-time sign-in link if the account exists
  *     tags: [Auth]
  *     requestBody:
  *       required: true
@@ -152,7 +155,31 @@ app.get('/logout', logout);
  *       400:
  *         description: Bad request.
  */
-app.route('/resetPassword').post(resetPassword);
+app.route('/resetPassword').post(authRateLimiter('reset'), resetPassword);
+// SECURITY FIX (#1):
+// Single-use token login endpoint for password recovery flow.
+/**
+ * @swagger
+ * /password/token-login:
+ *   post:
+ *     summary: Consumes a one-time password token and starts a session
+ *     tags: [Auth]
+ *     requestBody:
+ *       required: true
+ *       content:
+ *         application/json:
+ *           schema:
+ *             type: object
+ *             properties:
+ *               token:
+ *                 type: string
+ *     responses:
+ *       200:
+ *         description: Logged in with one-time token
+ *       401:
+ *         description: Invalid or expired token
+ */
+app.post('/password/token-login', authRateLimiter('token'), loginWithPasswordToken);
 
 // Routes
 const profileRoute = require('./routes/profile.js');
@@ -486,4 +513,4 @@ DB.getDB.then((DB) => {
 });
 
 // Export the app for testing purposes
-module.exports = { app, mongoDB: DB };
+module.exports = { app, mongoDB: DB };

middleware/authRateLimiter.js

@@ -0,0 +1,116 @@
+const crypto = require('crypto');
+const { client_logger } = require('../utils/analyticsLogger');
+
+const AUTH_ATTEMPT_WINDOW_MS = Math.max(60 * 1000, parseInt(process.env.AUTH_ATTEMPT_WINDOW_MS || `${15 * 60 * 1000}`, 10));
+const AUTH_ATTEMPT_MAX = Math.max(1, parseInt(process.env.AUTH_ATTEMPT_MAX || '5', 10));
+const AUTH_BLOCK_BASE_MS = Math.max(30 * 1000, parseInt(process.env.AUTH_BLOCK_BASE_MS || `${5 * 60 * 1000}`, 10));
+const AUTH_BLOCK_MAX_MS = Math.max(AUTH_BLOCK_BASE_MS, parseInt(process.env.AUTH_BLOCK_MAX_MS || `${60 * 60 * 1000}`, 10));
+
+const limiterStore = new Map();
+let lastPruneAt = 0;
+
+const getClientIp = (req) => {
+    const forwarded = req.headers['x-forwarded-for']?.split(',')[0]?.trim();
+    const rawIp = forwarded || req.ip || req.connection?.remoteAddress || 'unknown';
+    return rawIp.replace('::ffff:', '');
+};
+
+const hashValue = (value) =>
+    crypto.createHash('sha256').update(String(value)).digest('hex').slice(0, 16);
+
+const getIdentity = (req, mode) => {
+    if (mode === 'token') {
+        const token = (req.body?.token || '').trim();
+        return token ? `token:${hashValue(token)}` : 'token:anonymous';
+    }
+    const username = (req.body?.username || req.body?.email || '').trim().toLowerCase();
+    return username ? `acct:${hashValue(username)}` : 'acct:anonymous';
+};
+
+const getLimiterKey = (req, mode) => `${mode}:${getIdentity(req, mode)}:ip:${getClientIp(req)}`;
+
+const getOrInitRecord = (key, now) => {
+    const existing = limiterStore.get(key);
+    if (existing) {
+        return existing;
+    }
+    const record = {
+        count: 0,
+        windowStartedAt: now,
+        blockedUntil: 0,
+        blockLevel: 0,
+    };
+    limiterStore.set(key, record);
+    return record;
+};
+
+const computeBlockMs = (blockLevel) =>
+    Math.min(AUTH_BLOCK_BASE_MS * (2 ** Math.max(0, blockLevel - 1)), AUTH_BLOCK_MAX_MS);
+
+const authRateLimiter = (mode) => (req, res, next) => {
+    const now = Date.now();
+    if (now - lastPruneAt > 5 * 60 * 1000) {
+        for (const [storeKey, storeValue] of limiterStore.entries()) {
+            const isWindowExpired = now - storeValue.windowStartedAt > AUTH_ATTEMPT_WINDOW_MS;
+            const isNotBlocked = storeValue.blockedUntil <= now;
+            if (isWindowExpired && isNotBlocked) {
+                limiterStore.delete(storeKey);
+            }
+        }
+        lastPruneAt = now;
+    }
+    const key = getLimiterKey(req, mode);
+    const record = getOrInitRecord(key, now);
+
+    if (now - record.windowStartedAt > AUTH_ATTEMPT_WINDOW_MS) {
+        record.count = 0;
+        record.windowStartedAt = now;
+    }
+
+    if (record.blockedUntil > now) {
+        const retryAfterSec = Math.ceil((record.blockedUntil - now) / 1000);
+        res.set('Retry-After', retryAfterSec.toString());
+        client_logger.capture({
+            distinctId: 'app_level',
+            event: 'security@auth@rate_limited',
+            properties: {
+                route: req.originalUrl,
+                method: req.method,
+                mode,
+                keyHash: hashValue(key),
+                retryAfterSec,
+                blockLevel: record.blockLevel,
+            }
+        });
+        return res.status(429).json({ status: 'Too many attempts. Please try again later.' });
+    }
+
+    record.count += 1;
+    if (record.count > AUTH_ATTEMPT_MAX) {
+        record.blockLevel += 1;
+        const blockMs = computeBlockMs(record.blockLevel);
+        record.blockedUntil = now + blockMs;
+        record.count = 0;
+        record.windowStartedAt = now;
+        res.set('Retry-After', Math.ceil(blockMs / 1000).toString());
+        client_logger.capture({
+            distinctId: 'app_level',
+            event: 'security@auth@rate_limited',
+            properties: {
+                route: req.originalUrl,
+                method: req.method,
+                mode,
+                keyHash: hashValue(key),
+                retryAfterSec: Math.ceil(blockMs / 1000),
+                blockLevel: record.blockLevel,
+            }
+        });
+        return res.status(429).json({ status: 'Too many attempts. Please try again later.' });
+    }
+
+    return next();
+};
+
+module.exports = {
+    authRateLimiter,
+};

mongoDB.js

@@ -41,6 +41,9 @@ const getDB = new Promise((resolve, reject) => {
         DB.usersCol = db.db(DBName).collection("users");
         DB.tokensCol = db.db(DBName).collection("tokens");
         DB.invitationCol = db.db(DBName).collection("invitation");
+        DB.passwordLoginTokensCol = db.db(DBName).collection("password_login_tokens");
+        DB.passwordLoginTokensCol.createIndex({ expiresAt: 1 }, { expireAfterSeconds: 0 }).catch(console.error);
+        DB.passwordLoginTokensCol.createIndex({ tokenHash: 1 }, { unique: true }).catch(console.error);
     
         DB.checkSessionOnDB = async (session_id, user_sid)=>{
             const temp_id = new mongo.ObjectID(session_id);
@@ -78,6 +81,42 @@ const getDB = new Promise((resolve, reject) => {
             return DB.usersCol.findOne({ _id });
         }
 
+        DB.createPasswordLoginToken = async (userId, tokenHash, expiresAt) => {
+            const userObjectId = mongo.ObjectID.isValid(userId) ? new mongo.ObjectID(userId) : userId;
+            const tokenDoc = {
+                userId: userObjectId,
+                tokenHash,
+                createdAt: new Date(),
+                expiresAt,
+                usedAt: null,
+            };
+            return DB.passwordLoginTokensCol.insertOne(tokenDoc).catch((err) => {
+                console.log(err);
+                return false;
+            });
+        };
+
+        DB.consumePasswordLoginToken = async (tokenHash) => {
+            const now = new Date();
+            const result = await DB.passwordLoginTokensCol.findOneAndUpdate(
+                {
+                    tokenHash,
+                    usedAt: null,
+                    expiresAt: { $gt: now }
+                },
+                {
+                    $set: { usedAt: now }
+                },
+                {
+                    returnOriginal: false
+                }
+            ).catch((err) => {
+                console.log(err);
+                return false;
+            });
+            return result?.value || null;
+        };
+
         let usernamesCache = {}
         DB.getUsernameByIdCache = async (userid)=>{
             if(!userid) return {};