[C4GT Community]: Checks in stencil to prevent exploitation of user-service

Open tushar5526 opened this issue 1 year ago • 10 comments

Ticket Contents

Description

Sanity check on application ids being used in requests. Rate-limiting based on fingerprints to prevent DDoS or exploitation of sendOTP APIs.

Goals

  • [ ] Tests and Docs for rate limiting methods used and updated docs for user service.

Expected Outcome

No response

Acceptance Criteria

No response

Implementation Details

Rate limiting can be done using a fingerprint library as we can't rate-limit based on the public IPs.

Mockups/Wireframes

No response

Product Name

Stencil

Organisation Name

SamagraX

Domain

No response

Tech Skills Needed

NestJS

Mentor(s)

@ChakshuGautam @tushar5526

Complexity

Medium

Category

Other

tushar5526 avatar Jan 29 '24 04:01 tushar5526

Hi! Important Details - The following details are helpful for contributors to effectively identify and contribute to tickets.

  • Sub-Category - Please mention the sub-category if any for the ticket

Please update the ticket

Hello @tushar5526 @ChakshuGautam, can you please assign this issue and mentor me regarding the same?

Praneetha29 avatar Feb 07 '24 04:02 Praneetha29

@tushar5526 @ChakshuGautam Are we avoiding IP addresses because in most cases an IP address does not identify a single person but rather a router, which may cause every individual connected to that router to be rate-limited?

Do we need to just add a fingerprint layer (like an auth) over api-requests? Ref: https://dev.fingerprint.com/docs/fingerprintjs-pro-server-api-nodejs-sdk

Savio629 avatar Mar 24 '24 09:03 Savio629

@tushar5526 @techsavvyash

Savio629 avatar Apr 07 '24 05:04 Savio629

@techsavvyash @Savio629 Can we take this ahead?

VedantKhairnar avatar Aug 19 '24 09:08 VedantKhairnar

@tushar5526

Basically, the task involves implementing rate-limiting based on user fingerprints, which is an alternative to using IP addresses for tracking and limiting API requests.

My approach would be: since rate-limiting based on IP addresses is not reliable (due to shared IP addresses, such as those on routers), we can use a fingerprinting technique to uniquely identify users or devices. A fingerprint can be generated using various client-side factors (e.g., browser characteristics, device information, etc.), which will serve as a better identifier for rate-limiting.

Lastly, for integration, we can use FingerprintJS to generate a unique fingerprint for each request, giving a unique hash that can identify each user.

Is this implementation correct?

ritankarsaha avatar Nov 16 '24 09:11 ritankarsaha
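
One way to implement the checks this ticket asks for, added here as an example and not taken from Stencil's code or from any commenter: an application-id sanity check followed by a sliding-window limit keyed on the request fingerprint. Assumptions: application ids are UUIDs, counters live in process memory, and every name and limit (`SendOtpGuard`, `SlidingWindowLimiter`, 3 per minute, 5 per 10 minutes) is hypothetical. Because the fingerprint is reported by the client, the example also caps requests per destination number.

```typescript
// Added example; every name below is hypothetical, not taken from Stencil's user-service.
type Decision = { allowed: boolean; reason: string };

// Assumption: application ids are UUIDs and registered ids are known to the service.
const UUID_RE = /^[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}$/i;

class SlidingWindowLimiter {
  private hits = new Map<string, number[]>();
  private limit: number;
  private windowMs: number;
  constructor(limit: number, windowMs: number) {
    this.limit = limit;
    this.windowMs = windowMs;
  }
  // Drops timestamps older than the window, then records the attempt if under the limit.
  tryAcquire(key: string, now: number): boolean {
    const recent = (this.hits.get(key) ?? []).filter((t) => now - t < this.windowMs);
    const ok = recent.length < this.limit;
    if (ok) recent.push(now);
    this.hits.set(key, recent);
    return ok;
  }
}

class SendOtpGuard {
  // Limits are illustrative: 3 per minute per fingerprint, 5 per 10 minutes per phone.
  private byFingerprint = new SlidingWindowLimiter(3, 60_000);
  private byPhone = new SlidingWindowLimiter(5, 600_000);
  private knownApps: Set<string>;
  constructor(knownApps: string[]) {
    this.knownApps = new Set(knownApps.map((a) => a.toLowerCase()));
  }
  check(appId: string, fingerprint: string, phone: string, now: number): Decision {
    const app = appId.toLowerCase();
    if (!UUID_RE.test(app)) return { allowed: false, reason: "malformed applicationId" };
    if (!this.knownApps.has(app)) return { allowed: false, reason: "unknown applicationId" };
    if (!fingerprint) return { allowed: false, reason: "missing fingerprint" };
    if (!this.byFingerprint.tryAcquire(`${app}:${fingerprint}`, now))
      return { allowed: false, reason: "fingerprint rate limit" };
    // The fingerprint is client-reported, so the destination number is capped as well.
    if (!this.byPhone.tryAcquire(`${app}:${phone}`, now))
      return { allowed: false, reason: "phone rate limit" };
    return { allowed: true, reason: "ok" };
  }
}
```

With more than one service instance the counters would need a shared store, and idle keys would need expiry.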

I was also thinking in the same way. Tushar isn't active at the moment. Maybe @techsavvyash could help you out...

Savio629 avatar Nov 16 '24 14:11 Savio629

> I was also thinking in the same way. Tushar isn't active at the moment. Maybe @techsavvyash could help you out...

Ohh, if the approach is all right, I would like to take up the issue. Also, is there anything else I should have taken into consideration, @Savio629 @techsavvyash?

ritankarsaha avatar Nov 16 '24 19:11 ritankarsaha

I want to contribute to this. Which direction do I have to take? Can anybody help me, @tushar5526 @Savio629?

HasanZaigam avatar Dec 04 '24 19:12 HasanZaigam

Hi @tushar5526 @ChakshuGautam, I want to work on this issue. Please assign me this one.

kesharibhai84 avatar Jan 17 '25 17:01 kesharibhai84