Periodical queries for nodebb sessions

cryptoethic

@baris Yep we have some custom plugins. Traffic is mostly from registered users (90%).

Now we have below 1 page view / sec.

Creating sessions isn't anything bad I believe. It's just what is reading all of them

I will try to get the stacktrace of connect-redis

cryptoethic

@cryptoethic

Ok so most queries comes from line 90:

<baris>

Hmm there are a few places that function is called, once is from authenticationController.onSuccessfulLogin maybe that is getting triggered a lot?

cryptoethic

@baris

Doing some more console logs:

Every second cleanExpiredSessions for user (uid: 17445495) is called:

uuid mappings = Object.keys(uuidMapping).length

<baris>

src/controllers/authentication.js:326 is the onSuccesfullLogin function I mentioned, could be a bug in the login system that is repeatedly calling this function. Are you using a sso/third party login system?

cryptoethic

@baris Yep. Custom local-login passport strategy.

<baris>

Yeah I would inspect the source for that and make sure it is not calling the login function unnecessarily.

cryptoethic

@baris It looks worse - We receive a request every 1 second. It looks like this particular user has a bot that tries to login every 1 sec.

After 1 hour he has 3600 active sessions that are tried to be cleared on login.

Maybe we could add a limit for maximum active sessions

cryptoethic

@cryptoethic I have banned the particular user and no more sessions are created.

I suggest adding method revokeSessionsAboveTreshold that removes oldest sessions above treshold.

	User.auth.addSession = async function (uid, sessionId) {
		if (!(parseInt(uid, 10) > 0)) {
			return;
		}
		await cleanExpiredSessions(uid);
                await revokeSessionsAboveTreshold(meta.config.maxUserSessions);
		await db.sortedSetAdd('uid:' + uid + ':sessions', Date.now(), sessionId);
	};

I can add such a function and add PR to core. What do you think?

<baris>

@cryptoethic please open an issue with the details on our github.