
Activity Throttle Log #99

@tmichalski

Description


Create a Service that can monitor activities within the code and prevent them from occurring too many times within a period of time. For example, if a user tries to reset their password more than 1x per minute or 30 times in an hour, then throw an exception blocking that action from happening until the time duration threshold is met. This will reduce the efficacy of brute force attacks (BFA) on activities that are sensitive in nature.

Areas of Voyage that need this feature are:

  • Password reset request /password/forgot
    • do not allow an email to be requested for reset more than ____ in ___ minutes
  • Password reset submit /password/submit
    • do not allow an email to be requested for reset more than ____ in ___ minutes

Tech Notes

  • Create a base abstract class in the security.bfa package called something like "ActivityThrottleLog"
    • This would be a hibernate domain object
    • fields:
      • TYPE - a unique type code
      • VALUE - the user provided value to monitor
      • MAX COUNT - the maximum number of instances allowed for the TYPE + VALUE
      • MAX MINUTES - the maximum number of minutes for the MAX COUNT to occur (i.e. 30 minutes for 100 password reset requests for email test@test.com)
      • CREATED - date the record was inserted
      • CREATED BY - user Id that created the record
      • Method to validate if the limits have been met based on MAX COUNT & MAX MINUTES
    • Any app area that needs this functionality would extend this class and implement:
      • TYPE: unique name of the subclass activity
      • VALUE: constructor property when creating new instances of this type
      • MAX COUNT: a static value for the maximum occurrences
      • MAX MINUTES: a static value for the maximum allowed time
  • Create an ActivityThrottleLogService that would insert new records and validate the limits
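The design above, written out as a runnable sketch. This is an added example, not Voyage's code: Python stands in for the Java/Hibernate domain object, an in-memory list stands in for the ActivityThrottleLog table, the 30-per-hour limit on /password/forgot comes from the issue text, while the 5-in-15-minutes limit on /password/submit, the email case-normalization and the `ActivityThrottleExceededError` name are assumptions made for the example.

```python
"""Activity throttle log: a sliding-window limit keyed on TYPE + VALUE (added example)."""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import ClassVar, List, Optional


class ActivityThrottleExceededError(Exception):
    """Raised when TYPE + VALUE already has MAX_COUNT records inside MAX_MINUTES."""

    def __init__(self, activity_type: str, value: str, retry_after: timedelta):
        self.activity_type, self.value, self.retry_after = activity_type, value, retry_after
        super().__init__(f"{activity_type} throttled for {value!r}; retry in {retry_after}")


@dataclass
class ActivityThrottleLog:
    """Base domain object: TYPE / MAX_COUNT / MAX_MINUTES are static per subclass,
    value / created / created_by are per-row columns."""
    TYPE: ClassVar[str]
    MAX_COUNT: ClassVar[int]
    MAX_MINUTES: ClassVar[int]

    value: str
    created: datetime
    created_by: Optional[str] = None

    def __init_subclass__(cls, **kwargs):
        # Every concrete activity must declare its own static limits.
        super().__init_subclass__(**kwargs)
        for attr in ("TYPE", "MAX_COUNT", "MAX_MINUTES"):
            if not hasattr(cls, attr):
                raise TypeError(f"{cls.__name__} must define {attr}")

    @classmethod
    def within_limit(cls, recent_count: int) -> bool:
        """The validation method from the spec: has MAX_COUNT been reached in the window?"""
        return recent_count < cls.MAX_COUNT


class PasswordResetRequestLog(ActivityThrottleLog):
    """/password/forgot: 30 requests per hour per email (numbers from the issue text)."""
    TYPE = "PASSWORD_RESET_REQUEST"
    MAX_COUNT = 30
    MAX_MINUTES = 60


class PasswordResetSubmitLog(ActivityThrottleLog):
    """/password/submit: the issue leaves the numbers blank; 5 in 15 minutes is assumed."""
    TYPE = "PASSWORD_RESET_SUBMIT"
    MAX_COUNT = 5
    MAX_MINUTES = 15


class ActivityThrottleLogService:
    """Inserts rows and enforces the limits; a list stands in for the Hibernate table."""

    def __init__(self) -> None:
        self._rows: List[ActivityThrottleLog] = []

    @staticmethod
    def _normalize(value: str) -> str:
        # Assumption: emails compare case-insensitively, so Test@Test.com cannot
        # be used to sidestep the count kept for test@test.com.
        return value.strip().lower()

    def _recent(self, log_cls, value: str, now: datetime) -> List[ActivityThrottleLog]:
        # Equivalent of: WHERE type = ? AND value = ? AND created > now - MAX_MINUTES
        cutoff = now - timedelta(minutes=log_cls.MAX_MINUTES)
        return [r for r in self._rows
                if r.TYPE == log_cls.TYPE and r.value == value and r.created > cutoff]

    def is_blocked(self, log_cls, value: str, now: Optional[datetime] = None) -> bool:
        now = now or datetime.now(timezone.utc)
        return not log_cls.within_limit(len(self._recent(log_cls, self._normalize(value), now)))

    def record(self, log_cls, value: str, now: Optional[datetime] = None,
               created_by: Optional[str] = None) -> ActivityThrottleLog:
        """Validate, then insert; raises instead of inserting once the limit is met."""
        now = now or datetime.now(timezone.utc)
        value = self._normalize(value)
        recent = self._recent(log_cls, value, now)
        if not log_cls.within_limit(len(recent)):
            # The block lifts when the oldest row in the window ages out.
            oldest = min(r.created for r in recent)
            raise ActivityThrottleExceededError(
                log_cls.TYPE, value, oldest + timedelta(minutes=log_cls.MAX_MINUTES) - now)
        row = log_cls(value=value, created=now, created_by=created_by)
        self._rows.append(row)
        return row


def run_scenario() -> dict:
    """Constructed scenario: one email requests 30 resets in 30 minutes, then a 31st."""
    t0 = datetime(2024, 1, 1, 12, 0, tzinfo=timezone.utc)
    at = lambda m: t0 + timedelta(minutes=m)
    svc = ActivityThrottleLogService()
    for minute in range(30):
        svc.record(PasswordResetRequestLog, "test@test.com", now=at(minute), created_by="user-1")
    out = {}
    try:
        svc.record(PasswordResetRequestLog, "Test@Test.com", now=at(30))
        out["blocked"] = False
    except ActivityThrottleExceededError as err:
        out["blocked"] = True
        out["retry_after_minutes"] = int(err.retry_after.total_seconds() // 60)
    out["other_email_blocked"] = svc.is_blocked(PasswordResetRequestLog, "other@test.com", now=at(30))
    out["submit_blocked"] = svc.is_blocked(PasswordResetSubmitLog, "test@test.com", now=at(30))
    out["allowed_after_window"] = not svc.is_blocked(PasswordResetRequestLog, "test@test.com", now=at(61))
    return out


if __name__ == "__main__":
    print(run_scenario())
```

Two things the real service has to settle that this sketch only hints at: the check-then-insert in `record` races under concurrent requests unless the count and insert run in one transaction (or the insert happens first and the count is re-checked afterwards), and an index on (type, value, created) is needed so the window query stays cheap as the log grows. Whether blocked attempts are also written to the log is a separate choice; here only accepted attempts are stored, so the window is measured from actions that actually went through.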
