mosaic/stack
1
0
Fork 0
Code Issues 10 Pull Requests 1 Actions Packages Projects Releases 2 Wiki Activity
Files
01639fff957e204177cab4b79ef0645640566a99
stack/apps/api/src/federation/federation.module.ts
Jason Woltje 3bba2f1c33 feat(#284): Reduce timestamp validation window to 60s with replay attack prevention 
Security improvements:
- Reduce timestamp tolerance from 5 minutes to 60 seconds
- Add nonce-based replay attack prevention using Redis
- Store signature nonce with 60s TTL matching tolerance window
- Reject replayed messages with same signature

Changes:
- Update SignatureService.TIMESTAMP_TOLERANCE_MS to 60s
- Add Redis client injection to SignatureService
- Make verifyConnectionRequest async for nonce checking
- Create RedisProvider for shared Redis client
- Update ConnectionService to await signature verification
- Add comprehensive test coverage for replay prevention

Part of M7.1 Remediation Sprint P1 security fixes.

Fixes #284

Co-Authored-By: Claude Sonnet 4.5 <noreply@anthropic.com>
2026-02-03 21:43:01 -06:00

78 lines
2.4 KiB
TypeScript
Raw Blame History

/**
* Federation Module
*
* Provides instance identity and federation management with DoS protection via rate limiting.
* Issue #272: Rate limiting added to prevent DoS attacks on federation endpoints
*/
import { Module } from "@nestjs/common";
import { ConfigModule } from "@nestjs/config";
import { HttpModule } from "@nestjs/axios";
import { ThrottlerModule } from "@nestjs/throttler";
import { FederationController } from "./federation.controller";
import { FederationAuthController } from "./federation-auth.controller";
import { FederationService } from "./federation.service";
import { CryptoService } from "./crypto.service";
import { FederationAuditService } from "./audit.service";
import { SignatureService } from "./signature.service";
import { ConnectionService } from "./connection.service";
import { OIDCService } from "./oidc.service";
import { CommandService } from "./command.service";
import { FederationAgentService } from "./federation-agent.service";
import { PrismaModule } from "../prisma/prisma.module";
import { RedisProvider } from "../common/providers/redis.provider";
@Module({
imports: [
ConfigModule,
PrismaModule,
HttpModule.register({
timeout: 10000,
maxRedirects: 5,
}),
// Rate limiting for DoS protection (Issue #272)
// Uses in-memory storage by default (suitable for single-instance deployments)
// For multi-instance deployments, configure Redis storage via ThrottlerStorageRedisService
ThrottlerModule.forRoot([
{
name: "short",
ttl: 1000, // 1 second
limit: 3, // 3 requests per second (very strict for public endpoints)
},
{
name: "medium",
ttl: 60000, // 1 minute
limit: 20, // 20 requests per minute (for authenticated endpoints)
},
{
name: "long",
ttl: 3600000, // 1 hour
limit: 200, // 200 requests per hour (for read operations)
},
]),
],
controllers: [FederationController, FederationAuthController],
providers: [
RedisProvider,
FederationService,
CryptoService,
FederationAuditService,
SignatureService,
ConnectionService,
OIDCService,
CommandService,
FederationAgentService,
],
exports: [
FederationService,
CryptoService,
FederationAuditService,
SignatureService,
ConnectionService,
OIDCService,
CommandService,
FederationAgentService,
],
})
export class FederationModule {}
Reference in New Issue View Git Blame Copy Permalink