[server] restrict allowed phone numbers

svenefftinge · svenefftinge · commit dd09f79f4630 · 2022-09-23T12:54:13.000Z
diff --git a/components/gitpod-db/src/typeorm/migration/1663784254956-IndexPhoneNumber.ts b/components/gitpod-db/src/typeorm/migration/1663784254956-IndexPhoneNumber.ts
@@ -0,0 +1,23 @@
+/**
+ * Copyright (c) 2022 Gitpod GmbH. All rights reserved.
+ * Licensed under the GNU Affero General Public License (AGPL).
+ * See License-AGPL.txt in the project root for license information.
+ */
+
+import { MigrationInterface, QueryRunner } from "typeorm";
+import { columnExists } from "./helper/helper";
+
+const D_B_USER = "d_b_user";
+const COL_PHONE_NUMBER = "verificationPhoneNumber";
+
+export class IndexPhoneNumber1663784254956 implements MigrationInterface {
+    public async up(queryRunner: QueryRunner): Promise<void> {
+        if (!(await columnExists(queryRunner, D_B_USER, COL_PHONE_NUMBER))) {
+            await queryRunner.query(
+                `ALTER TABLE ${D_B_USER} ADD INDEX (${COL_PHONE_NUMBER}), ALGORITHM=INPLACE, LOCK=NONE `,
+            );
+        }
+    }
+
+    public async down(queryRunner: QueryRunner): Promise<void> {}
+}
diff --git a/components/gitpod-db/src/typeorm/user-db-impl.ts b/components/gitpod-db/src/typeorm/user-db-impl.ts
@@ -570,6 +570,22 @@ export class TypeORMUserDBImpl implements UserDB {
     async getByRefreshToken(refreshTokenToken: string): Promise<OAuthToken> {
         throw new Error("Not implemented");
     }
+
+    async countUsagesOfPhoneNumber(phoneNumber: string): Promise<number> {
+        return (await this.getUserRepo())
+            .createQueryBuilder()
+            .where("verificationPhoneNumber = :phoneNumber", { phoneNumber })
+            .getCount();
+    }
+
+    async isBlockedPhoneNumber(phoneNumber: string): Promise<boolean> {
+        const blockedUsers = await (await this.getUserRepo())
+            .createQueryBuilder()
+            .where("verificationPhoneNumber = :phoneNumber", { phoneNumber })
+            .andWhere("blocked = true")
+            .getCount();
+        return blockedUsers > 0;
+    }
 }
 
 export class TransactionalUserDBImpl extends TypeORMUserDBImpl {
diff --git a/components/gitpod-db/src/user-db.ts b/components/gitpod-db/src/user-db.ts
@@ -146,6 +146,8 @@ export interface UserDB extends OAuthUserRepository, OAuthTokenRepository {
     storeGitpodToken(token: GitpodToken & { user: DBUser }): Promise<void>;
     deleteGitpodToken(tokenHash: string): Promise<void>;
     deleteGitpodTokensNamedLike(userId: string, namePattern: string): Promise<void>;
+    countUsagesOfPhoneNumber(phoneNumber: string): Promise<number>;
+    isBlockedPhoneNumber(phoneNumber: string): Promise<boolean>;
 }
 export type PartialUserUpdate = Partial<Omit<User, "identities">> & Pick<User, "id">;
 
diff --git a/components/gitpod-protocol/src/messaging/error.ts b/components/gitpod-protocol/src/messaging/error.ts
@@ -94,4 +94,7 @@ export namespace ErrorCodes {
 
     // 640 Headless logs are not available (yet)
     export const HEADLESS_LOG_NOT_YET_AVAILABLE = 640;
+
+    // 650 Invalid Value
+    export const INVALID_VALUE = 650;
 }
diff --git a/components/server/src/auth/verification-service.ts b/components/server/src/auth/verification-service.ts
@@ -10,13 +10,16 @@ import { inject, injectable, postConstruct } from "inversify";
 import { Config } from "../config";
 import { Twilio } from "twilio";
 import { ServiceContext } from "twilio/lib/rest/verify/v2/service";
-import { WorkspaceDB } from "@gitpod/gitpod-db/lib";
+import { UserDB, WorkspaceDB } from "@gitpod/gitpod-db/lib";
 import { ConfigCatClientFactory } from "@gitpod/gitpod-protocol/lib/experiments/configcat-server";
+import { ErrorCodes } from "@gitpod/gitpod-protocol/lib/messaging/error";
+import { ResponseError } from "vscode-ws-jsonrpc";
 
 @injectable()
 export class VerificationService {
     @inject(Config) protected config: Config;
     @inject(WorkspaceDB) protected workspaceDB: WorkspaceDB;
+    @inject(UserDB) protected userDB: UserDB;
     @inject(ConfigCatClientFactory) protected readonly configCatClientFactory: ConfigCatClientFactory;
 
     protected verifyService: ServiceContext;
@@ -59,6 +62,17 @@ export class VerificationService {
         if (!this.verifyService) {
             throw new Error("No verification service configured.");
         }
+        const isBlockedNumber = this.userDB.isBlockedPhoneNumber(phoneNumber);
+        const usages = await this.userDB.countUsagesOfPhoneNumber(phoneNumber);
+        if (usages > 3) {
+            throw new ResponseError(
+                ErrorCodes.INVALID_VALUE,
+                "The given phone number has been used more than three times.",
+            );
+        }
+        if (await isBlockedNumber) {
+            throw new ResponseError(ErrorCodes.INVALID_VALUE, "The given phone number is blocked due to abuse.");
+        }
         const verification = await this.verifyService.verifications.create({ to: phoneNumber, channel: "sms" });
         log.info("Verification code sent", { phoneNumber, status: verification.status });
     }
diff --git a/components/server/src/user/phone-number.spec.ts b/components/server/src/user/phone-number.spec.ts
@@ -0,0 +1,27 @@
+/**
+ * Copyright (c) 2020 Gitpod GmbH. All rights reserved.
+ * Licensed under the GNU Affero General Public License (AGPL).
+ * See License-AGPL.txt in the project root for license information.
+ */
+
+import * as chai from "chai";
+import { suite, test } from "mocha-typescript";
+import { formatPhoneNumber } from "./phone-numbers";
+const expect = chai.expect;
+
+@suite
+export class PhoneNumberSpec {
+    @test public testFormatPhoneNumber() {
+        const tests = [
+            ["00123234254", "+123234254"],
+            ["+1 232 34 254", "+123234254"],
+            ["001 23234-254", "+123234254"],
+            ["0012swedfkwejfew32sdf3sdvsf sdv fsdv4254", "+123234254"],
+        ];
+
+        for (const test of tests) {
+            expect(formatPhoneNumber(test[0]), "Values : " + JSON.stringify(test)).to.eq(test[1]);
+        }
+    }
+}
+module.exports = new PhoneNumberSpec();
diff --git a/components/server/src/user/phone-numbers.ts b/components/server/src/user/phone-numbers.ts
@@ -0,0 +1,23 @@
+/**
+ * Copyright (c) 2022 Gitpod GmbH. All rights reserved.
+ * Licensed under the GNU Affero General Public License (AGPL).
+ * See License-AGPL.txt in the project root for license information.
+ */
+
+/**
+ * a simply cleaning method, that removes all non numbers and repaces a leading '00' with a leading '+' sign.
+ *
+ * @param phoneNumber
+ * @returns formatted phone number
+ */
+export function formatPhoneNumber(phoneNumber: string): string {
+    var cleanPhoneNumber = phoneNumber.trim();
+    if (cleanPhoneNumber.startsWith("+")) {
+        cleanPhoneNumber = "00" + cleanPhoneNumber.substring(1);
+    }
+    cleanPhoneNumber = cleanPhoneNumber.replace(/\D/g, "");
+    if (cleanPhoneNumber.startsWith("00")) {
+        cleanPhoneNumber = "+" + cleanPhoneNumber.substring(2);
+    }
+    return cleanPhoneNumber;
+}
diff --git a/components/server/src/workspace/gitpod-server-impl.ts b/components/server/src/workspace/gitpod-server-impl.ts
@@ -178,6 +178,7 @@ import { VerificationService } from "../auth/verification-service";
 import { BillingMode } from "@gitpod/gitpod-protocol/lib/billing-mode";
 import { EntitlementService } from "../billing/entitlement-service";
 import { WorkspaceClasses } from "./workspace-classes";
+import { formatPhoneNumber } from "../user/phone-numbers";
 
 // shortcut
 export const traceWI = (ctx: TraceContext, wi: Omit<LogContext, "userId">) => TraceContext.setOWI(ctx, wi); // userId is already taken care of in WebsocketConnectionManager
@@ -469,16 +470,17 @@ export class GitpodServerImpl implements GitpodServerWithTracing, Disposable {
         return user;
     }
 
-    public async sendPhoneNumberVerificationToken(ctx: TraceContext, phoneNumber: string): Promise<void> {
+    public async sendPhoneNumberVerificationToken(ctx: TraceContext, rawPhoneNumber: string): Promise<void> {
         this.checkUser("sendPhoneNumberVerificationToken");
-        return this.verificationService.sendVerificationToken(phoneNumber);
+        return this.verificationService.sendVerificationToken(formatPhoneNumber(rawPhoneNumber));
     }
 
     public async verifyPhoneNumberVerificationToken(
         ctx: TraceContext,
-        phoneNumber: string,
+        rawPhoneNumber: string,
         token: string,
     ): Promise<boolean> {
+        const phoneNumber = formatPhoneNumber(rawPhoneNumber);
         const user = this.checkUser("verifyPhoneNumberVerificationToken");
         const checked = await this.verificationService.verifyVerificationToken(phoneNumber, token);
         if (!checked) {

Original file line number	Diff line number	Diff line change
`@@ -146,6 +146,8 @@ export interface UserDB extends OAuthUserRepository, OAuthTokenRepository {`
`146`	`146`	`storeGitpodToken(token: GitpodToken & { user: DBUser }): Promise<void>;`
`147`	`147`	`deleteGitpodToken(tokenHash: string): Promise<void>;`
`148`	`148`	`deleteGitpodTokensNamedLike(userId: string, namePattern: string): Promise<void>;`
	`149`	`+ countUsagesOfPhoneNumber(phoneNumber: string): Promise<number>;`
	`150`	`+ isBlockedPhoneNumber(phoneNumber: string): Promise<boolean>;`
`149`	`151`	`}`
`150`	`152`	`export type PartialUserUpdate = Partial<Omit<User, "identities">> & Pick<User, "id">;`
`151`	`153`
Original file line number	Diff line number	Diff line change
`@@ -94,4 +94,7 @@ export namespace ErrorCodes {`
`94`	`94`
`95`	`95`	`// 640 Headless logs are not available (yet)`
`96`	`96`	`export const HEADLESS_LOG_NOT_YET_AVAILABLE = 640;`
	`97`	`+`
	`98`	`+ // 650 Invalid Value`
	`99`	`+ export const INVALID_VALUE = 650;`
`97`	`100`	`}`