Add delay when accessing unauthorized ReST endpoints

This is an initial temporary fix for kahmali#81 The system should delay responses when unauthorized requests are made. Hackers should have some impediment. This is not a great fix, since hackers could parallelize their requests.
jazeee · Jun 11, 2015 · e1b5e69 · e1b5e69
1 parent d562a93
commit e1b5e69
Show file tree

Hide file tree

Showing 3 changed files with 21 additions and 5 deletions.
diff --git a/CHANGELOG.md b/CHANGELOG.md
@@ -10,6 +10,8 @@
 #### Fixed
 - Issue #79:
   - Update to match standard Meteor login and Account token storage
+- Issue #81:
+  - When I login with bad credentials, I should get a randomly delayed response
 
 #### Changed
 - Return "Unauthorized" for failed authentication

diff --git a/lib/route.coffee b/lib/route.coffee
@@ -208,8 +208,15 @@ class @Route
     # Send response
     endpointContext.response.writeHead statusCode, headers
     endpointContext.response.write body
-    endpointContext.response.end()
-
+    switch statusCode
+        when 401, 403
+            # This is a simple, but not really adequate way to slow down unauthorized scans of the server.
+            # It is not sufficient because hackers can DDOS across multiple threads and systems.
+            timeoutInMilliseconds = 500
+            timeoutInMilliseconds *= (1 + Math.random())
+            Meteor.setTimeout endpointContext.response.end, timeoutInMilliseconds
+        else
+            endpointContext.response.end()
 
   ###
     Return the object with all of the keys converted to lowercase

diff --git a/test/authentication_tests.coffee b/test/authentication_tests.coffee
@@ -50,7 +50,9 @@ Meteor.startup ->
 
         next()
 
-    it 'should not allow a user with wrong password to login', (test, next) ->
+    it 'should not allow a user with wrong password to login and respond after 500 msec', (test, next) ->
+      #This test should take 500 msec or more. To speed up testing, I have added it here.
+      startTime = new Date()
       HTTP.post Meteor.absoluteUrl('/api/v1/login'), {
         data:
           user: username
@@ -59,6 +61,8 @@ Meteor.startup ->
         response = JSON.parse result.content
         test.equal result.statusCode, 403
         test.equal response.status, 'error'
+        durationInMilliseconds = new Date() - startTime
+        test.isTrue durationInMilliseconds >= 500
 
         next()
 
@@ -73,10 +77,11 @@ Meteor.startup ->
         test.equal response.status, 'success'
         next()
 
-    it 'should remove the logout token after logging out', (test, next) ->
+    it 'should remove the logout token after logging out and respond after 500 msec', (test, next) ->
       Restivus.addRoute 'prevent-access-after-logout', {authRequired: true},
         get: -> true
-
+      #This test should take 500 msec or more. To speed up testing, I have added it here.
+      startTime = new Date()
       HTTP.get Meteor.absoluteUrl('/api/v1/prevent-access-after-logout'), {
         headers:
           'X-User-Id': userId
@@ -86,6 +91,8 @@ Meteor.startup ->
         test.isTrue error
         test.equal result.statusCode, 401
         test.equal response.status, 'error'
+        durationInMilliseconds = new Date() - startTime
+        test.isTrue durationInMilliseconds >= 500
         next()
 
     it 'should allow a second logged in user to logout', (test, next) ->