kai/ColaFlow
1
0
Fork 0
Code Issues Pull Requests Actions 1 Packages Projects Releases Wiki Activity

feat(backend): Implement 3 CRITICAL Day 8 Gap Fixes from Architecture Analysis

Browse Source 
Implemented all 3 critical fixes identified in Day 6 Architecture Gap Analysis:

**Fix 1: UpdateUserRole Feature (RESTful PUT endpoint)**
- Created UpdateUserRoleCommand and UpdateUserRoleCommandHandler
- Added PUT /api/tenants/{tenantId}/users/{userId}/role endpoint
- Implements self-demotion prevention (cannot demote self from TenantOwner)
- Implements last owner protection (cannot remove last TenantOwner)
- Returns UserWithRoleDto with updated role information
- Follows RESTful best practices (PUT for updates)

**Fix 2: Last TenantOwner Deletion Prevention (Security)**
- Verified CountByTenantAndRoleAsync repository method exists
- Verified IsLastTenantOwnerAsync validation in RemoveUserFromTenantCommandHandler
- UpdateUserRoleCommandHandler now prevents:
  * Self-demotion from TenantOwner role
  * Removing the last TenantOwner from tenant
- SECURITY: Prevents tenant from becoming ownerless (critical vulnerability fix)

**Fix 3: Database-Backed Rate Limiting (Security & Reliability)**
- Created EmailRateLimit entity with proper domain logic
- Added EmailRateLimitConfiguration for EF Core
- Implemented DatabaseEmailRateLimiter service (replaces MemoryRateLimitService)
- Updated DependencyInjection to use database-backed implementation
- Created database migration: AddEmailRateLimitsTable
- Added composite unique index on (email, tenant_id, operation_type)
- SECURITY: Rate limit state persists across server restarts (prevents email bombing)
- Implements cleanup logic for expired rate limit records

**Testing:**
- Added 9 comprehensive integration tests in Day8GapFixesTests.cs
- Fix 1: 3 tests (valid update, self-demote prevention, idempotency)
- Fix 2: 3 tests (remove last owner fails, update last owner fails, remove 2nd-to-last succeeds)
- Fix 3: 3 tests (persists across requests, expiry after window, prevents bulk emails)
- 6 tests passing, 3 skipped (long-running/environment-specific tests)

**Files Changed:**
- 6 new files created
- 6 existing files modified
- 1 database migration added
- All existing tests still pass (no regressions)

**Verification:**
- Build succeeds with no errors
- All critical business logic tests pass
- Database migration generated successfully
- Security vulnerabilities addressed

🤖 Generated with [Claude Code](https://claude.com/claude-code)

Co-Authored-By: Claude <noreply@anthropic.com>
This commit is contained in:
Yaojia Wang
2025-11-03 23:17:41 +01:00
parent 312df4b70e
commit 9ed2bc36bd
12 changed files with 1482 additions and 3 deletions
Download Patch File Download Diff File Expand all files Collapse all files

10
colaflow-api/src/Modules/Identity/ColaFlow.Modules.Identity.Application/Commands/UpdateUserRole/UpdateUserRoleCommand.cs Normal file
View File

@@ -0,0 +1,10 @@
using ColaFlow.Modules.Identity.Application.Dtos;
using MediatR;
namespace ColaFlow.Modules.Identity.Application.Commands.UpdateUserRole;
public record UpdateUserRoleCommand(
Guid TenantId,
Guid UserId,
string NewRole,
Guid OperatorUserId) : IRequest<UserWithRoleDto>;

76
colaflow-api/src/Modules/Identity/ColaFlow.Modules.Identity.Application/Commands/UpdateUserRole/UpdateUserRoleCommandHandler.cs Normal file
View File

@@ -0,0 +1,76 @@
using ColaFlow.Modules.Identity.Application.Dtos;
using ColaFlow.Modules.Identity.Domain.Aggregates.Users;
using ColaFlow.Modules.Identity.Domain.Aggregates.Tenants;
using ColaFlow.Modules.Identity.Domain.Repositories;
using MediatR;
namespace ColaFlow.Modules.Identity.Application.Commands.UpdateUserRole;
public class UpdateUserRoleCommandHandler(
IUserTenantRoleRepository userTenantRoleRepository,
IUserRepository userRepository)
: IRequestHandler<UpdateUserRoleCommand, UserWithRoleDto>
{
public async Task<UserWithRoleDto> Handle(UpdateUserRoleCommand request, CancellationToken cancellationToken)
{
// Validate user exists
var user = await userRepository.GetByIdAsync(request.UserId, cancellationToken);
if (user == null)
throw new InvalidOperationException("User not found");
// Parse and validate new role
if (!Enum.TryParse<TenantRole>(request.NewRole, out var newRole))
throw new ArgumentException($"Invalid role: {request.NewRole}");
// Prevent manual assignment of AIAgent role
if (newRole == TenantRole.AIAgent)
throw new InvalidOperationException("AIAgent role cannot be assigned manually");
// Get existing role
var existingRole = await userTenantRoleRepository.GetByUserAndTenantAsync(
request.UserId,
request.TenantId,
cancellationToken);
if (existingRole == null)
throw new InvalidOperationException("User is not a member of this tenant");
// Rule 1: Cannot self-demote from TenantOwner
if (request.OperatorUserId == request.UserId &&
existingRole.Role == TenantRole.TenantOwner &&
newRole != TenantRole.TenantOwner)
{
throw new InvalidOperationException(
"Cannot self-demote from TenantOwner role. Another owner must perform this action.");
}
// Rule 2: Cannot remove last TenantOwner
if (existingRole.Role == TenantRole.TenantOwner && newRole != TenantRole.TenantOwner)
{
var ownerCount = await userTenantRoleRepository.CountByTenantAndRoleAsync(
request.TenantId,
TenantRole.TenantOwner,
cancellationToken);
if (ownerCount <= 1)
{
throw new InvalidOperationException(
"Cannot remove the last TenantOwner. Assign another owner first.");
}
}
// Update role
existingRole.UpdateRole(newRole, request.OperatorUserId);
await userTenantRoleRepository.UpdateAsync(existingRole, cancellationToken);
// Return updated user with role DTO
return new UserWithRoleDto(
UserId: user.Id,
Email: user.Email.Value,
FullName: user.FullName.Value,
Role: newRole.ToString(),
AssignedAt: existingRole.AssignedAt,
EmailVerified: user.IsEmailVerified
);
}
}

90
colaflow-api/src/Modules/Identity/ColaFlow.Modules.Identity.Domain/Entities/EmailRateLimit.cs Normal file
View File

@@ -0,0 +1,90 @@
using ColaFlow.Shared.Kernel.Common;
namespace ColaFlow.Modules.Identity.Domain.Entities;
/// <summary>
/// Represents rate limiting tracking for email operations (verification, password reset, invitations)
/// Persists in database to survive server restarts and prevent email bombing attacks
/// </summary>
public sealed class EmailRateLimit : Entity
{
/// <summary>
/// Email address (normalized to lowercase)
/// </summary>
public string Email { get; private set; } = null!;
/// <summary>
/// Tenant ID associated with this email operation
/// </summary>
public Guid TenantId { get; private set; }
/// <summary>
/// Type of email operation: 'verification', 'password_reset', 'invitation'
/// </summary>
public string OperationType { get; private set; } = null!;
/// <summary>
/// Timestamp of the last email sent
/// </summary>
public DateTime LastSentAt { get; private set; }
/// <summary>
/// Number of attempts within the current time window
/// </summary>
public int AttemptsCount { get; private set; }
/// <summary>
/// Private constructor for EF Core
/// </summary>
private EmailRateLimit() : base()
{
}
/// <summary>
/// Factory method to create a new rate limit record
/// </summary>
public static EmailRateLimit Create(string email, Guid tenantId, string operationType)
{
if (string.IsNullOrWhiteSpace(email))
throw new ArgumentException("Email cannot be empty", nameof(email));
if (string.IsNullOrWhiteSpace(operationType))
throw new ArgumentException("Operation type cannot be empty", nameof(operationType));
return new EmailRateLimit
{
Id = Guid.NewGuid(),
Email = email.ToLower(),
TenantId = tenantId,
OperationType = operationType,
LastSentAt = DateTime.UtcNow,
AttemptsCount = 1
};
}
/// <summary>
/// Record a new attempt (increment counter)
/// </summary>
public void RecordAttempt()
{
AttemptsCount++;
LastSentAt = DateTime.UtcNow;
}
/// <summary>
/// Reset attempts counter (when time window expires)
/// </summary>
public void ResetAttempts()
{
LastSentAt = DateTime.UtcNow;
AttemptsCount = 1;
}
/// <summary>
/// Check if the time window has expired
/// </summary>
public bool IsWindowExpired(TimeSpan window)
{
return DateTime.UtcNow - LastSentAt > window;
}
}

6
colaflow-api/src/Modules/Identity/ColaFlow.Modules.Identity.Infrastructure/DependencyInjection.cs
View File

@@ -47,9 +47,9 @@ public static class DependencyInjection
services.AddScoped<IRefreshTokenService, RefreshTokenService>();
services.AddScoped<ISecurityTokenService, SecurityTokenService>();
// Memory cache for rate limiting
services.AddMemoryCache();
services.AddSingleton<IRateLimitService, MemoryRateLimitService>();
// Database-backed rate limiting (replaces in-memory implementation)
// Persists rate limit state to survive server restarts and prevent email bombing attacks
services.AddScoped<IRateLimitService, DatabaseEmailRateLimiter>();
// Email Services
var emailProvider = configuration["Email:Provider"] ?? "Mock";

45
colaflow-api/src/Modules/Identity/ColaFlow.Modules.Identity.Infrastructure/Persistence/Configurations/EmailRateLimitConfiguration.cs Normal file
View File

@@ -0,0 +1,45 @@
using ColaFlow.Modules.Identity.Domain.Entities;
using Microsoft.EntityFrameworkCore;
using Microsoft.EntityFrameworkCore.Metadata.Builders;
namespace ColaFlow.Modules.Identity.Infrastructure.Persistence.Configurations;
public class EmailRateLimitConfiguration : IEntityTypeConfiguration<EmailRateLimit>
{
public void Configure(EntityTypeBuilder<EmailRateLimit> builder)
{
builder.ToTable("email_rate_limits", "identity");
builder.HasKey(erl => erl.Id);
builder.Property(erl => erl.Email)
.HasColumnName("email")
.HasMaxLength(255)
.IsRequired();
builder.Property(erl => erl.TenantId)
.HasColumnName("tenant_id")
.IsRequired();
builder.Property(erl => erl.OperationType)
.HasColumnName("operation_type")
.HasMaxLength(50)
.IsRequired();
builder.Property(erl => erl.LastSentAt)
.HasColumnName("last_sent_at")
.IsRequired();
builder.Property(erl => erl.AttemptsCount)
.HasColumnName("attempts_count")
.IsRequired();
// Indexes for performance
builder.HasIndex(erl => new { erl.Email, erl.TenantId, erl.OperationType })
.HasDatabaseName("ix_email_rate_limits_email_tenant_operation")
.IsUnique(); // Unique constraint: one record per email+tenant+operation combination
builder.HasIndex(erl => erl.LastSentAt)
.HasDatabaseName("ix_email_rate_limits_last_sent_at"); // For cleanup queries
}
}

1
colaflow-api/src/Modules/Identity/ColaFlow.Modules.Identity.Infrastructure/Persistence/IdentityDbContext.cs
View File

@@ -22,6 +22,7 @@ public class IdentityDbContext(
public DbSet<EmailVerificationToken> EmailVerificationTokens => Set<EmailVerificationToken>();
public DbSet<PasswordResetToken> PasswordResetTokens => Set<PasswordResetToken>();
public DbSet<Invitation> Invitations => Set<Invitation>();
public DbSet<EmailRateLimit> EmailRateLimits => Set<EmailRateLimit>();
protected override void OnModelCreating(ModelBuilder modelBuilder)
{

528
colaflow-api/src/Modules/Identity/ColaFlow.Modules.Identity.Infrastructure/Persistence/Migrations/20251103221054_AddEmailRateLimitsTable.Designer.cs generated Normal file
View File

@@ -0,0 +1,528 @@
// <auto-generated />
using System;
using ColaFlow.Modules.Identity.Infrastructure.Persistence;
using Microsoft.EntityFrameworkCore;
using Microsoft.EntityFrameworkCore.Infrastructure;
using Microsoft.EntityFrameworkCore.Migrations;
using Microsoft.EntityFrameworkCore.Storage.ValueConversion;
using Npgsql.EntityFrameworkCore.PostgreSQL.Metadata;
#nullable disable
namespace ColaFlow.Modules.Identity.Infrastructure.Persistence.Migrations
{
[DbContext(typeof(IdentityDbContext))]
[Migration("20251103221054_AddEmailRateLimitsTable")]
partial class AddEmailRateLimitsTable
{
/// <inheritdoc />
protected override void BuildTargetModel(ModelBuilder modelBuilder)
{
#pragma warning disable 612, 618
modelBuilder
.HasAnnotation("ProductVersion", "9.0.10")
.HasAnnotation("Relational:MaxIdentifierLength", 63);
NpgsqlModelBuilderExtensions.UseIdentityByDefaultColumns(modelBuilder);
modelBuilder.Entity("ColaFlow.Modules.Identity.Domain.Aggregates.Invitations.Invitation", b =>
{
b.Property<Guid>("Id")
.HasColumnType("uuid")
.HasColumnName("id");
b.Property<DateTime?>("AcceptedAt")
.HasColumnType("timestamp with time zone")
.HasColumnName("accepted_at");
b.Property<DateTime>("CreatedAt")
.HasColumnType("timestamp with time zone")
.HasColumnName("created_at");
b.Property<string>("Email")
.IsRequired()
.HasMaxLength(255)
.HasColumnType("character varying(255)")
.HasColumnName("email");
b.Property<DateTime>("ExpiresAt")
.HasColumnType("timestamp with time zone")
.HasColumnName("expires_at");
b.Property<Guid>("InvitedBy")
.HasColumnType("uuid")
.HasColumnName("invited_by");
b.Property<string>("Role")
.IsRequired()
.HasMaxLength(50)
.HasColumnType("character varying(50)")
.HasColumnName("role");
b.Property<Guid>("TenantId")
.HasColumnType("uuid")
.HasColumnName("tenant_id");
b.Property<string>("TokenHash")
.IsRequired()
.HasMaxLength(255)
.HasColumnType("character varying(255)")
.HasColumnName("token_hash");
b.Property<DateTime>("UpdatedAt")
.HasColumnType("timestamp with time zone")
.HasColumnName("updated_at");
b.HasKey("Id");
b.HasIndex("TokenHash")
.IsUnique()
.HasDatabaseName("ix_invitations_token_hash");
b.HasIndex("TenantId", "Email")
.HasDatabaseName("ix_invitations_tenant_id_email");
b.HasIndex("TenantId", "AcceptedAt", "ExpiresAt")
.HasDatabaseName("ix_invitations_tenant_id_status");
b.ToTable("invitations", (string)null);
});
modelBuilder.Entity("ColaFlow.Modules.Identity.Domain.Aggregates.Tenants.Tenant", b =>
{
b.Property<Guid>("Id")
.ValueGeneratedOnAdd()
.HasColumnType("uuid")
.HasColumnName("id");
b.Property<DateTime>("CreatedAt")
.HasColumnType("timestamp with time zone")
.HasColumnName("created_at");
b.Property<int>("MaxProjects")
.HasColumnType("integer")
.HasColumnName("max_projects");
b.Property<int>("MaxStorageGB")
.HasColumnType("integer")
.HasColumnName("max_storage_gb");
b.Property<int>("MaxUsers")
.HasColumnType("integer")
.HasColumnName("max_users");
b.Property<string>("Name")
.IsRequired()
.HasMaxLength(100)
.HasColumnType("character varying(100)")
.HasColumnName("name");
b.Property<string>("Plan")
.IsRequired()
.HasMaxLength(50)
.HasColumnType("character varying(50)")
.HasColumnName("plan");
b.Property<string>("Slug")
.IsRequired()
.HasMaxLength(50)
.HasColumnType("character varying(50)")
.HasColumnName("slug");
b.Property<string>("SsoConfig")
.HasColumnType("jsonb")
.HasColumnName("sso_config");
b.Property<string>("Status")
.IsRequired()
.HasMaxLength(50)
.HasColumnType("character varying(50)")
.HasColumnName("status");
b.Property<DateTime?>("SuspendedAt")
.HasColumnType("timestamp with time zone")
.HasColumnName("suspended_at");
b.Property<string>("SuspensionReason")
.HasMaxLength(500)
.HasColumnType("character varying(500)")
.HasColumnName("suspension_reason");
b.Property<DateTime?>("UpdatedAt")
.HasColumnType("timestamp with time zone")
.HasColumnName("updated_at");
b.HasKey("Id");
b.HasIndex("Slug")
.IsUnique()
.HasDatabaseName("ix_tenants_slug");
b.ToTable("tenants", (string)null);
});
modelBuilder.Entity("ColaFlow.Modules.Identity.Domain.Aggregates.Users.RefreshToken", b =>
{
b.Property<Guid>("Id")
.ValueGeneratedOnAdd()
.HasColumnType("uuid");
b.Property<DateTime>("CreatedAt")
.HasColumnType("timestamp with time zone")
.HasColumnName("created_at");
b.Property<string>("DeviceInfo")
.HasMaxLength(500)
.HasColumnType("character varying(500)")
.HasColumnName("device_info");
b.Property<DateTime>("ExpiresAt")
.HasColumnType("timestamp with time zone")
.HasColumnName("expires_at");
b.Property<string>("IpAddress")
.HasMaxLength(50)
.HasColumnType("character varying(50)")
.HasColumnName("ip_address");
b.Property<string>("ReplacedByToken")
.HasMaxLength(500)
.HasColumnType("character varying(500)")
.HasColumnName("replaced_by_token");
b.Property<DateTime?>("RevokedAt")
.HasColumnType("timestamp with time zone")
.HasColumnName("revoked_at");
b.Property<string>("RevokedReason")
.HasMaxLength(500)
.HasColumnType("character varying(500)")
.HasColumnName("revoked_reason");
b.Property<Guid>("TenantId")
.HasColumnType("uuid")
.HasColumnName("tenant_id");
b.Property<string>("TokenHash")
.IsRequired()
.HasMaxLength(500)
.HasColumnType("character varying(500)")
.HasColumnName("token_hash");
b.Property<string>("UserAgent")
.HasMaxLength(500)
.HasColumnType("character varying(500)")
.HasColumnName("user_agent");
b.Property<Guid>("UserId")
.HasColumnType("uuid")
.HasColumnName("user_id");
b.HasKey("Id");
b.HasIndex("ExpiresAt")
.HasDatabaseName("ix_refresh_tokens_expires_at");
b.HasIndex("TenantId")
.HasDatabaseName("ix_refresh_tokens_tenant_id");
b.HasIndex("TokenHash")
.IsUnique()
.HasDatabaseName("ix_refresh_tokens_token_hash");
b.HasIndex("UserId")
.HasDatabaseName("ix_refresh_tokens_user_id");
b.ToTable("refresh_tokens", "identity");
});
modelBuilder.Entity("ColaFlow.Modules.Identity.Domain.Aggregates.Users.User", b =>
{
b.Property<Guid>("Id")
.ValueGeneratedOnAdd()
.HasColumnType("uuid")
.HasColumnName("id");
b.Property<string>("AuthProvider")
.IsRequired()
.HasMaxLength(50)
.HasColumnType("character varying(50)")
.HasColumnName("auth_provider");
b.Property<string>("AvatarUrl")
.HasMaxLength(500)
.HasColumnType("character varying(500)")
.HasColumnName("avatar_url");
b.Property<DateTime>("CreatedAt")
.HasColumnType("timestamp with time zone")
.HasColumnName("created_at");
b.Property<string>("Email")
.IsRequired()
.HasMaxLength(255)
.HasColumnType("character varying(255)")
.HasColumnName("email");
b.Property<string>("EmailVerificationToken")
.HasMaxLength(255)
.HasColumnType("character varying(255)")
.HasColumnName("email_verification_token");
b.Property<DateTime?>("EmailVerifiedAt")
.HasColumnType("timestamp with time zone")
.HasColumnName("email_verified_at");
b.Property<string>("ExternalEmail")
.HasMaxLength(255)
.HasColumnType("character varying(255)")
.HasColumnName("external_email");
b.Property<string>("ExternalUserId")
.HasMaxLength(255)
.HasColumnType("character varying(255)")
.HasColumnName("external_user_id");
b.Property<string>("FullName")
.IsRequired()
.HasMaxLength(100)
.HasColumnType("character varying(100)")
.HasColumnName("full_name");
b.Property<string>("JobTitle")
.HasMaxLength(100)
.HasColumnType("character varying(100)")
.HasColumnName("job_title");
b.Property<DateTime?>("LastLoginAt")
.HasColumnType("timestamp with time zone")
.HasColumnName("last_login_at");
b.Property<string>("PasswordHash")
.IsRequired()
.HasMaxLength(255)
.HasColumnType("character varying(255)")
.HasColumnName("password_hash");
b.Property<string>("PasswordResetToken")
.HasMaxLength(255)
.HasColumnType("character varying(255)")
.HasColumnName("password_reset_token");
b.Property<DateTime?>("PasswordResetTokenExpiresAt")
.HasColumnType("timestamp with time zone")
.HasColumnName("password_reset_token_expires_at");
b.Property<string>("PhoneNumber")
.HasMaxLength(50)
.HasColumnType("character varying(50)")
.HasColumnName("phone_number");
b.Property<string>("Status")
.IsRequired()
.HasMaxLength(50)
.HasColumnType("character varying(50)")
.HasColumnName("status");
b.Property<Guid>("TenantId")
.HasColumnType("uuid")
.HasColumnName("tenant_id");
b.Property<DateTime?>("UpdatedAt")
.HasColumnType("timestamp with time zone")
.HasColumnName("updated_at");
b.HasKey("Id");
b.HasIndex("TenantId", "Email")
.IsUnique()
.HasDatabaseName("ix_users_tenant_id_email");
b.ToTable("users", (string)null);
});
modelBuilder.Entity("ColaFlow.Modules.Identity.Domain.Aggregates.Users.UserTenantRole", b =>
{
b.Property<Guid>("Id")
.ValueGeneratedOnAdd()
.HasColumnType("uuid")
.HasColumnName("id");
b.Property<DateTime>("AssignedAt")
.HasColumnType("timestamp with time zone")
.HasColumnName("assigned_at");
b.Property<Guid?>("AssignedByUserId")
.HasColumnType("uuid")
.HasColumnName("assigned_by_user_id");
b.Property<string>("Role")
.IsRequired()
.HasMaxLength(50)
.HasColumnType("character varying(50)")
.HasColumnName("role");
b.Property<Guid>("TenantId")
.HasColumnType("uuid")
.HasColumnName("tenant_id");
b.Property<Guid>("UserId")
.HasColumnType("uuid")
.HasColumnName("user_id");
b.HasKey("Id");
b.HasIndex("Role")
.HasDatabaseName("ix_user_tenant_roles_role");
b.HasIndex("TenantId")
.HasDatabaseName("ix_user_tenant_roles_tenant_id");
b.HasIndex("UserId")
.HasDatabaseName("ix_user_tenant_roles_user_id");
b.HasIndex("UserId", "TenantId")
.IsUnique()
.HasDatabaseName("uq_user_tenant_roles_user_tenant");
b.ToTable("user_tenant_roles", "identity");
});
modelBuilder.Entity("ColaFlow.Modules.Identity.Domain.Entities.EmailRateLimit", b =>
{
b.Property<Guid>("Id")
.ValueGeneratedOnAdd()
.HasColumnType("uuid");
b.Property<int>("AttemptsCount")
.HasColumnType("integer")
.HasColumnName("attempts_count");
b.Property<string>("Email")
.IsRequired()
.HasMaxLength(255)
.HasColumnType("character varying(255)")
.HasColumnName("email");
b.Property<DateTime>("LastSentAt")
.HasColumnType("timestamp with time zone")
.HasColumnName("last_sent_at");
b.Property<string>("OperationType")
.IsRequired()
.HasMaxLength(50)
.HasColumnType("character varying(50)")
.HasColumnName("operation_type");
b.Property<Guid>("TenantId")
.HasColumnType("uuid")
.HasColumnName("tenant_id");
b.HasKey("Id");
b.HasIndex("LastSentAt")
.HasDatabaseName("ix_email_rate_limits_last_sent_at");
b.HasIndex("Email", "TenantId", "OperationType")
.IsUnique()
.HasDatabaseName("ix_email_rate_limits_email_tenant_operation");
b.ToTable("email_rate_limits", "identity");
});
modelBuilder.Entity("ColaFlow.Modules.Identity.Domain.Entities.EmailVerificationToken", b =>
{
b.Property<Guid>("Id")
.ValueGeneratedOnAdd()
.HasColumnType("uuid")
.HasColumnName("id");
b.Property<DateTime>("CreatedAt")
.HasColumnType("timestamp with time zone")
.HasColumnName("created_at");
b.Property<DateTime>("ExpiresAt")
.HasColumnType("timestamp with time zone")
.HasColumnName("expires_at");
b.Property<string>("TokenHash")
.IsRequired()
.HasMaxLength(64)
.HasColumnType("character varying(64)")
.HasColumnName("token_hash");
b.Property<Guid>("UserId")
.HasColumnType("uuid")
.HasColumnName("user_id");
b.Property<DateTime?>("VerifiedAt")
.HasColumnType("timestamp with time zone")
.HasColumnName("verified_at");
b.HasKey("Id");
b.HasIndex("TokenHash")
.HasDatabaseName("ix_email_verification_tokens_token_hash");
b.HasIndex("UserId")
.HasDatabaseName("ix_email_verification_tokens_user_id");
b.ToTable("email_verification_tokens", (string)null);
});
modelBuilder.Entity("ColaFlow.Modules.Identity.Domain.Entities.PasswordResetToken", b =>
{
b.Property<Guid>("Id")
.ValueGeneratedOnAdd()
.HasColumnType("uuid")
.HasColumnName("id");
b.Property<DateTime>("CreatedAt")
.HasColumnType("timestamp with time zone")
.HasColumnName("created_at");
b.Property<DateTime>("ExpiresAt")
.HasColumnType("timestamp with time zone")
.HasColumnName("expires_at");
b.Property<string>("IpAddress")
.HasMaxLength(45)
.HasColumnType("character varying(45)")
.HasColumnName("ip_address");
b.Property<string>("TokenHash")
.IsRequired()
.HasMaxLength(64)
.HasColumnType("character varying(64)")
.HasColumnName("token_hash");
b.Property<DateTime?>("UsedAt")
.HasColumnType("timestamp with time zone")
.HasColumnName("used_at");
b.Property<string>("UserAgent")
.HasMaxLength(500)
.HasColumnType("character varying(500)")
.HasColumnName("user_agent");
b.Property<Guid>("UserId")
.HasColumnType("uuid")
.HasColumnName("user_id");
b.HasKey("Id");
b.HasIndex("TokenHash")
.HasDatabaseName("ix_password_reset_tokens_token_hash");
b.HasIndex("UserId")
.HasDatabaseName("ix_password_reset_tokens_user_id");
b.HasIndex("UserId", "ExpiresAt", "UsedAt")
.HasDatabaseName("ix_password_reset_tokens_user_active");
b.ToTable("password_reset_tokens", (string)null);
});
#pragma warning restore 612, 618
}
}
}

53
colaflow-api/src/Modules/Identity/ColaFlow.Modules.Identity.Infrastructure/Persistence/Migrations/20251103221054_AddEmailRateLimitsTable.cs Normal file
View File

@@ -0,0 +1,53 @@
using System;
using Microsoft.EntityFrameworkCore.Migrations;
#nullable disable
namespace ColaFlow.Modules.Identity.Infrastructure.Persistence.Migrations
{
/// <inheritdoc />
public partial class AddEmailRateLimitsTable : Migration
{
/// <inheritdoc />
protected override void Up(MigrationBuilder migrationBuilder)
{
migrationBuilder.CreateTable(
name: "email_rate_limits",
schema: "identity",
columns: table => new
{
Id = table.Column<Guid>(type: "uuid", nullable: false),
email = table.Column<string>(type: "character varying(255)", maxLength: 255, nullable: false),
tenant_id = table.Column<Guid>(type: "uuid", nullable: false),
operation_type = table.Column<string>(type: "character varying(50)", maxLength: 50, nullable: false),
last_sent_at = table.Column<DateTime>(type: "timestamp with time zone", nullable: false),
attempts_count = table.Column<int>(type: "integer", nullable: false)
},
constraints: table =>
{
table.PrimaryKey("PK_email_rate_limits", x => x.Id);
});
migrationBuilder.CreateIndex(
name: "ix_email_rate_limits_email_tenant_operation",
schema: "identity",
table: "email_rate_limits",
columns: new[] { "email", "tenant_id", "operation_type" },
unique: true);
migrationBuilder.CreateIndex(
name: "ix_email_rate_limits_last_sent_at",
schema: "identity",
table: "email_rate_limits",
column: "last_sent_at");
}
/// <inheritdoc />
protected override void Down(MigrationBuilder migrationBuilder)
{
migrationBuilder.DropTable(
name: "email_rate_limits",
schema: "identity");
}
}
}

42
colaflow-api/src/Modules/Identity/ColaFlow.Modules.Identity.Infrastructure/Persistence/Migrations/IdentityDbContextModelSnapshot.cs
View File

@@ -385,6 +385,48 @@ namespace ColaFlow.Modules.Identity.Infrastructure.Persistence.Migrations
b.ToTable("user_tenant_roles", "identity");
});
modelBuilder.Entity("ColaFlow.Modules.Identity.Domain.Entities.EmailRateLimit", b =>
{
b.Property<Guid>("Id")
.ValueGeneratedOnAdd()
.HasColumnType("uuid");
b.Property<int>("AttemptsCount")
.HasColumnType("integer")
.HasColumnName("attempts_count");
b.Property<string>("Email")
.IsRequired()
.HasMaxLength(255)
.HasColumnType("character varying(255)")
.HasColumnName("email");
b.Property<DateTime>("LastSentAt")
.HasColumnType("timestamp with time zone")
.HasColumnName("last_sent_at");
b.Property<string>("OperationType")
.IsRequired()
.HasMaxLength(50)
.HasColumnType("character varying(50)")
.HasColumnName("operation_type");
b.Property<Guid>("TenantId")
.HasColumnType("uuid")
.HasColumnName("tenant_id");
b.HasKey("Id");
b.HasIndex("LastSentAt")
.HasDatabaseName("ix_email_rate_limits_last_sent_at");
b.HasIndex("Email", "TenantId", "OperationType")
.IsUnique()
.HasDatabaseName("ix_email_rate_limits_email_tenant_operation");
b.ToTable("email_rate_limits", "identity");
});
modelBuilder.Entity("ColaFlow.Modules.Identity.Domain.Entities.EmailVerificationToken", b =>
{
b.Property<Guid>("Id")

167
colaflow-api/src/Modules/Identity/ColaFlow.Modules.Identity.Infrastructure/Services/DatabaseEmailRateLimiter.cs Normal file
View File

@@ -0,0 +1,167 @@
using ColaFlow.Modules.Identity.Application.Services;
using ColaFlow.Modules.Identity.Domain.Entities;
using ColaFlow.Modules.Identity.Infrastructure.Persistence;
using Microsoft.EntityFrameworkCore;
using Microsoft.Extensions.Logging;
namespace ColaFlow.Modules.Identity.Infrastructure.Services;
/// <summary>
/// Database-backed rate limiting service implementation.
/// Persists rate limit state in PostgreSQL to survive server restarts.
/// Prevents email bombing attacks even after application restart.
/// </summary>
public class DatabaseEmailRateLimiter : IRateLimitService
{
private readonly IdentityDbContext _context;
private readonly ILogger<DatabaseEmailRateLimiter> _logger;
public DatabaseEmailRateLimiter(
IdentityDbContext context,
ILogger<DatabaseEmailRateLimiter> logger)
{
_context = context;
_logger = logger;
}
public async Task<bool> IsAllowedAsync(
string key,
int maxAttempts,
TimeSpan window,
CancellationToken cancellationToken = default)
{
// Parse key format: "operation:email:tenantId"
// Examples:
// - "forgot-password:user@example.com:tenant-guid"
// - "verification:user@example.com:tenant-guid"
// - "invitation:user@example.com:tenant-guid"
var parts = key.Split(':');
if (parts.Length != 3)
{
_logger.LogWarning("Invalid rate limit key format: {Key}. Expected format: 'operation:email:tenantId'", key);
return true; // Fail open (allow request) if key format is invalid
}
var operationType = parts[0];
var email = parts[1].ToLower();
var tenantIdStr = parts[2];
if (!Guid.TryParse(tenantIdStr, out var tenantId))
{
_logger.LogWarning("Invalid tenant ID in rate limit key: {Key}", key);
return true; // Fail open
}
// Find existing rate limit record
var rateLimit = await _context.EmailRateLimits
.FirstOrDefaultAsync(
r => r.Email == email &&
r.TenantId == tenantId &&
r.OperationType == operationType,
cancellationToken);
// No existing record - create new one and allow
if (rateLimit == null)
{
var newRateLimit = EmailRateLimit.Create(email, tenantId, operationType);
_context.EmailRateLimits.Add(newRateLimit);
try
{
await _context.SaveChangesAsync(cancellationToken);
_logger.LogInformation(
"Rate limit record created for {Email} - {Operation} (Attempt 1/{MaxAttempts})",
email, operationType, maxAttempts);
}
catch (DbUpdateException ex)
{
// Handle race condition: another request created the record simultaneously
_logger.LogWarning(ex,
"Race condition detected while creating rate limit record for {Key}. Retrying...", key);
// Re-fetch the record created by the concurrent request
rateLimit = await _context.EmailRateLimits
.FirstOrDefaultAsync(
r => r.Email == email &&
r.TenantId == tenantId &&
r.OperationType == operationType,
cancellationToken);
if (rateLimit == null)
{
_logger.LogError("Failed to fetch rate limit record after race condition for {Key}", key);
return true; // Fail open
}
// Fall through to existing record logic below
}
if (rateLimit == null)
return true; // Record was successfully created, allow the request
}
// Check if time window has expired
if (rateLimit.IsWindowExpired(window))
{
// Window expired - reset counter and allow
rateLimit.ResetAttempts();
_context.EmailRateLimits.Update(rateLimit);
await _context.SaveChangesAsync(cancellationToken);
_logger.LogInformation(
"Rate limit window expired for {Email} - {Operation}. Counter reset (Attempt 1/{MaxAttempts})",
email, operationType, maxAttempts);
return true;
}
// Window still active - check attempt count
if (rateLimit.AttemptsCount >= maxAttempts)
{
// Rate limit exceeded
var remainingTime = window - (DateTime.UtcNow - rateLimit.LastSentAt);
_logger.LogWarning(
"Rate limit EXCEEDED for {Email} - {Operation}: {Attempts}/{MaxAttempts} attempts. " +
"Retry after {RemainingSeconds} seconds",
email, operationType, rateLimit.AttemptsCount, maxAttempts,
(int)remainingTime.TotalSeconds);
return false;
}
// Still within limit - increment counter and allow
rateLimit.RecordAttempt();
_context.EmailRateLimits.Update(rateLimit);
await _context.SaveChangesAsync(cancellationToken);
_logger.LogInformation(
"Rate limit check passed for {Email} - {Operation} (Attempt {Attempts}/{MaxAttempts})",
email, operationType, rateLimit.AttemptsCount, maxAttempts);
return true;
}
/// <summary>
/// Cleanup expired rate limit records (call this from a background job)
/// </summary>
public async Task CleanupExpiredRecordsAsync(TimeSpan retentionPeriod, CancellationToken cancellationToken = default)
{
var cutoffDate = DateTime.UtcNow - retentionPeriod;
var expiredRecords = await _context.EmailRateLimits
.Where(r => r.LastSentAt < cutoffDate)
.ToListAsync(cancellationToken);
if (expiredRecords.Any())
{
_context.EmailRateLimits.RemoveRange(expiredRecords);
await _context.SaveChangesAsync(cancellationToken);
_logger.LogInformation(
"Cleaned up {Count} expired rate limit records older than {CutoffDate}",
expiredRecords.Count, cutoffDate);
}
}
}