Fraud spam logging
Set up in-application rate limiting using Redis and fail2ban
context: tpo/web/donate-static#115
This MR is blocked, waiting on fail2ban to be configured on crm-ext-01 (patch waiting for review in tpo/web/donate-static#115).

fail2ban is now configured on crm-ext-01 via Puppet; just waiting on this MR to be reviewed.
When the frontend hits the /process-stripe endpoint, the backend runs the checkRatelimit method. This method implements fixed-window rate limiting with Redis, following the pattern from the Redis docs. When a user makes more than 5 charges (failed or succeeded) in 10 seconds, the application writes to a ratelimit log, which would be processed by fail2ban. User identifiers are stored as an HMAC with a secret key instead of in cleartext.
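As an added example (not the MR's own checkRatelimit code), the fixed-window INCR/EXPIRE pattern with HMAC-keyed counters and a fail2ban-style log line; the secret, limits, function names and the in-memory Redis stand-in are assumptions for illustration:

```python
import hashlib
import hmac
import logging

# Assumed values (not from the MR): secret and limits come from app config in practice.
HMAC_SECRET = b"replace-me-with-a-real-secret"
WINDOW_SECONDS = 10
MAX_CHARGES = 5
ratelimit_log = logging.getLogger("ratelimit")

def user_token(identifier: str) -> str:
    """Key the counter by an HMAC so the raw identifier never reaches Redis or the log."""
    return hmac.new(HMAC_SECRET, identifier.encode(), hashlib.sha256).hexdigest()

def check_ratelimit(r, identifier: str) -> bool:
    """Fixed-window limiter (Redis INCR/EXPIRE pattern). True if the charge may proceed."""
    key = f"ratelimit:{user_token(identifier)}"
    count = r.incr(key)  # atomic; a missing or expired key starts again at 1
    if count == 1:
        r.expire(key, WINDOW_SECONDS)  # the window starts with the first charge
    if count > MAX_CHARGES:
        # one line per excess attempt, in a shape a fail2ban filter can match
        ratelimit_log.warning("ratelimit exceeded user=%s count=%d", key, count)
        return False
    return True

class FakeRedis:
    """Constructed in-memory stand-in exposing only INCR/EXPIRE, with a manual clock."""
    def __init__(self):
        self.data, self.expiry, self.now = {}, {}, 0.0
    def incr(self, key):
        if key in self.expiry and self.now >= self.expiry[key]:  # TTL elapsed: drop key
            self.data.pop(key, None)
            self.expiry.pop(key, None)
        self.data[key] = self.data.get(key, 0) + 1
        return self.data[key]
    def expire(self, key, seconds):
        self.expiry[key] = self.now + seconds
    def advance(self, seconds):
        self.now += seconds

def simulate(attempts: int, gap: float) -> list:
    """Drive `attempts` charges `gap` seconds apart for one (constructed) donor."""
    r = FakeRedis()
    results = []
    for _ in range(attempts):
        results.append(check_ratelimit(r, "donor@example.org"))
        r.advance(gap)
    return results
```

Seven back-to-back charges yield five allowed and two denied (each denial logged); spacing the same charges 2.5 s apart lets the window expire after the fifth, so all pass.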
Edited by Kez