Implement rate limiting on the mfa validation endpoint

Author: ericallam

apps/webapp/app/routes/login.mfa/route.tsx

@@ -19,6 +19,7 @@ import { commitSession, getUserSession, sessionStorage } from "~/services/sessio
 import { MultiFactorAuthenticationService } from "~/services/mfa/multiFactorAuthentication.server";
 import { redirectWithErrorMessage } from "~/models/message.server";
 import { ServiceValidationError } from "~/v3/services/baseService.server";
+import { checkMfaRateLimit, MfaRateLimitError } from "~/services/mfa/mfaRateLimiter.server";
 
 export const meta: MetaFunction = ({ matches }) => {
   const parentMeta = matches
@@ -104,6 +105,9 @@ export async function action({ request }: ActionFunctionArgs) {
         });
       }
 
+      // Rate limit MFA verification attempts
+      await checkMfaRateLimit(pendingUserId);
+
       const result = await mfaService.verifyRecoveryCodeForLogin(pendingUserId, recoveryCode);
 
       if (!result.success) {
@@ -125,6 +129,9 @@ export async function action({ request }: ActionFunctionArgs) {
         });
       }
 
+      // Rate limit MFA verification attempts
+      await checkMfaRateLimit(pendingUserId);
+
       const result = await mfaService.verifyTotpForLogin(pendingUserId, mfaCode);
 
       if (!result.success) {
@@ -144,6 +151,15 @@ export async function action({ request }: ActionFunctionArgs) {
     if (error instanceof ServiceValidationError) {
       return redirectWithErrorMessage("/login", request, error.message);
     }
+    
+    if (error instanceof MfaRateLimitError) {
+      const session = await getUserSession(request);
+      session.set("auth:error", { message: error.message });
+      return redirect("/login/mfa", {
+        headers: { "Set-Cookie": await commitSession(session) },
+      });
+    }
+    
     throw error;
   }
 }

apps/webapp/app/services/mfa/mfaRateLimiter.server.ts

@@ -0,0 +1,48 @@
+import { Ratelimit } from "@upstash/ratelimit";
+import { env } from "~/env.server";
+import { createRedisRateLimitClient, RateLimiter } from "~/services/rateLimiter.server";
+import { singleton } from "~/utils/singleton";
+
+export const mfaRateLimiter = singleton("mfaRateLimiter", initializeMfaRateLimiter);
+
+function initializeMfaRateLimiter() {
+  const redisClient = createRedisRateLimitClient({
+    port: env.RATE_LIMIT_REDIS_PORT,
+    host: env.RATE_LIMIT_REDIS_HOST,
+    username: env.RATE_LIMIT_REDIS_USERNAME,
+    password: env.RATE_LIMIT_REDIS_PASSWORD,
+    tlsDisabled: env.RATE_LIMIT_REDIS_TLS_DISABLED === "true",
+    clusterMode: env.RATE_LIMIT_REDIS_CLUSTER_MODE_ENABLED === "1",
+  });
+
+  return new RateLimiter({
+    redisClient,
+    keyPrefix: "mfa:validation",
+    limiter: Ratelimit.slidingWindow(10, "1 m"), // 10 attempts per minute
+    logSuccess: false, // Don't log successful attempts for privacy
+    logFailure: true, // Log rate limit violations for security monitoring
+  });
+}
+
+export class MfaRateLimitError extends Error {
+  public readonly retryAfter: number;
+
+  constructor(retryAfter: number) {
+    super(`MFA validation rate limit exceeded.`);
+    this.retryAfter = retryAfter;
+  }
+}
+
+/**
+ * Check if the user can attempt MFA validation
+ * @param userId - The user ID to rate limit
+ * @throws {MfaRateLimitError} If rate limit is exceeded
+ */
+export async function checkMfaRateLimit(userId: string): Promise<void> {
+  const result = await mfaRateLimiter.limit(userId);
+
+  if (!result.success) {
+    const retryAfter = new Date(result.reset).getTime() - Date.now();
+    throw new MfaRateLimitError(retryAfter);
+  }
+}

apps/webapp/app/services/mfa/multiFactorAuthentication.server.ts

@@ -263,16 +263,11 @@ export class MultiFactorAuthenticationService {
 
     const secret = secretResult.secret;
 
-    console.log("secret", secret);
-    console.log("totpCode", totpCode);
-
     const isValid = await createOTP(secret, {
       digits: 6,
       period: 30,
     }).verify(totpCode);
 
-    console.log("isValid", isValid);
-
     return isValid;
   }