Mirrors/fxa
1
0
Fork 0
mirror of https://github.com/mozilla/fxa.git synced 2025-12-27 22:54:41 +00:00
Code Issues Actions Packages Projects Releases Wiki Activity
main
fxa/packages/fxa-customs-server
History
dependabot[bot] f81721146a
chore(deps): bump pm2 from 5.4.3 to 6.0.9 
Bumps [pm2](https://github.com/Unitech/pm2) from 5.4.3 to 6.0.9.
- [Release notes](https://github.com/Unitech/pm2/releases)
- [Changelog](https://github.com/Unitech/pm2/blob/master/CHANGELOG.md)
- [Commits](https://github.com/Unitech/pm2/commits/v6.0.9)

---
updated-dependencies:
- dependency-name: pm2
  dependency-version: 6.0.9
  dependency-type: direct:production
...

Signed-off-by: dependabot[bot] <support@github.com>
2025-11-18 06:11:05 +00:00
..
.vscode
bin task(all): Add support for sentry performance monitoring 2023-12-19 16:05:05 -08:00
config
docs/swagger feat(keys): Add column to save recovery key hint in db 2023-05-08 10:15:50 -07:00
grunttasks
lib feat(recovery phone): add backend routes for sms code in password reset 2025-05-09 14:25:51 -05:00
scripts fix(cache): Remove memcache service and references to it 2024-04-30 15:08:47 -04:00
test bug(customs): Fix broken integration tests 2025-03-12 12:29:12 -07:00
.eslintrc chore(build): initial nx implementation 2023-05-23 08:37:47 -07:00
.nsprc
.prettierignore
.taprc task(CI): build, unit test, and integration test jobs 2023-01-10 12:52:01 -08:00
backstage.yaml fix(backstage): use api ref now that its allowed 2024-01-25 08:53:42 -08:00
Gruntfile.js
package.json chore(deps): bump pm2 from 5.4.3 to 6.0.9 2025-11-18 06:11:05 +00:00
pm2.config.js fix(fxa-settings): Show retryAfter value in error when resetPassword is throttled 2023-04-11 15:23:50 -07:00
README.md fix(cache): Remove memcache service and references to it 2024-04-30 15:08:47 -04:00

README.md

Firefox Accounts Customs Server

This project is used by the Firefox Accounts Auth Server to detect and deter fraud and abuse.

Development

To start the server, run:

npm start

It will listen on http://localhost:7000 by default.

Docker Based Development

To run the customs server via Docker:

$ docker-compose up mozilla/fxa_customs_server

Testing

Run tests with:

npm test

To run tests via Docker:

docker-compose run mozilla/fxa_customs_server npm test

Code

Here are the main components of this project:

  • ./bin/customs_server.js: process listening on the network and responding to HTTP API calls
  • ./lib/bans/: code implementing temporary bans of specific email or IP addresses and listening on the SQS API for requests
  • ./lib/config/config.js: where all of the configuration options are defined
  • ./lib/email_record.js, ./lib/ip_email_record.js and ./lib/ip_record.js: code implementing the various blocking and rate-limiting policies
  • ./scripts: helper scripts only used for development/testing
  • ./test/local: unit tests
  • ./test/remote: tests exercising the HTTP API

API

See our detailed API spec.

Policies

There are two types of policies:

  • rate-limiting: slows down attackers by temporarily blocking requests for 15 minutes (see config.limits.rateLimitIntervalSeconds)
  • block / ban: stops attacks by temporarily blocking requests for 24 hours (see config.limits.blockIntervalSeconds)

We currently have the following policies in place:

  • rate-limiting when too many emails (config.limits.maxEmails defaults to 3) have been sent to the same email address in a given time period (config.limits.rateLimitIntervalSeconds defaults to 15 minutes)
  • rate-limiting when too many requests to look up account status by email address (config.limits.maxAccountStatusCheck) have been sent from the same ip address during
  • rate-limiting when too many sms (config.limits.smsRateLimit.maxSms) have been sent from the same ip address during period (config.limits.smsRateLimit.limitIntervalSeconds defaults to 60 minutes)
  • rate-limiting when too many sms (config.limits.smsRateLimit.maxSms) have been sent from the same email address during period (config.limits.smsRateLimit.limitIntervalSeconds defaults to 60 minutes)
  • rate-limiting when too many sms (config.limits.smsRateLimit.maxSms) have been sent to the same phone number during period (config.limits.smsRateLimit.limitIntervalSeconds defaults to 60 minutes)
  • rate-limiting when too many failed login attempts (config.limits.maxBadLogins defaults to 2) have occurred for a given account and IP address, in a given time period (config.limits.rateLimitIntervalSeconds defaults to 15 minutes)
  • rate-limiting too many attempts to verify randomly-generated codes (config.limits.maxVerifyCodes defaults to 10) have occurred for a given account and IP address, in a given time period (config.limits.rateLimitIntervalSeconds defaults to 15 minutes)
  • manual blocking of an account (see /blockEmail API call)
  • manual blocking of an IP address (see /blockIp API call)

The data that these policies are based on is stored in a redis cache instance (keyed by email, ip or ip + email depending on the policy) and the code that implements them is split across these three files:

  • email_record.js handles blocking and rate-limiting based only on the email address
  • ip_email_record.js handles rate-limiting based on both the email and IP address of the request
  • ip_record.js handles blocking based only on the IP address

The rate-limiting and blocking policies are conveyed to the auth server via the block property in the response to /check.