Rate limiting; validate jwt audience in backend auth middleware

TimCsaky · TimCsaky · commit fb031ad474f8 · 2024-05-21T12:17:31.000-07:00
diff --git a/app/app.ts b/app/app.ts
@@ -7,6 +7,7 @@ import { join } from 'path';
 // @ts-expect-error 7016 api-problem lacks a defined interface; code still works fine
 import Problem from 'api-problem';
 import querystring from 'querystring';
+import { rateLimit } from 'express-rate-limit';
 
 import { name as appName, version as appVersion } from './package.json';
 import { DEFAULTCORS } from './src/components/constants';
@@ -45,6 +46,14 @@ app.use(
   })
 );
 
+// rate limiting applied to all routes.
+// Current limit: 1000 requests/minute
+const limiter = rateLimit({
+  windowMs: 60 * 1000,
+  max: 1000,
+});
+app.use(limiter);
+
 // Skip if running tests
 if (process.env.NODE_ENV !== 'test') {
   app.use(httpLogger);
diff --git a/app/package-lock.json b/app/package-lock.json
diff --git a/app/package.json b/app/package.json
@@ -40,6 +40,7 @@
     "config": "^3.3.11",
     "cors": "^2.8.5",
     "express": "^4.18.3",
+    "express-rate-limit": "^7.2.0",
     "express-winston": "^4.2.0",
     "helmet": "^7.1.0",
     "joi": "^17.13.1",
diff --git a/app/src/middleware/authentication.ts b/app/src/middleware/authentication.ts
@@ -38,7 +38,10 @@ export const currentUser = async (req: Request, res: Response, next: NextFunctio
       if (config.has('server.oidc.authority') && config.has('server.oidc.publicKey')) {
         const publicKey: string = config.get('server.oidc.publicKey');
         const pemKey = publicKey.startsWith('-----BEGIN') ? publicKey : _spkiWrapper(publicKey);
-        isValid = jwt.verify(bearerToken, pemKey, { issuer: config.get('server.oidc.authority') });
+        isValid = jwt.verify(bearerToken, pemKey, {
+          issuer: config.get('server.oidc.authority'),
+          audience: config.get('frontend.oidc.clientId')
+        });
       } else {
         throw new Error(
           'OIDC environment variables `SERVER_OIDC_AUTHORITY` and `SERVER_OIDC_PUBLICKEY` must be defined'
diff --git a/frontend/src/services/interceptors.ts b/frontend/src/services/interceptors.ts
@@ -12,8 +12,6 @@ import type { AxiosInstance, AxiosRequestConfig, InternalAxiosRequestConfig } fr
  */
 export function appAxios(options: AxiosRequestConfig = {}): AxiosInstance {
 
-  console.log(new ConfigService().getConfig().apiPath);
-
   const instance = axios.create({
     baseURL: '/' + new ConfigService().getConfig().apiPath,
     timeout: 10000,
