feat: rate limit user login with exponential backoff#310
Open
allamiro wants to merge 1 commit into
Open
Conversation
In-memory throttle keyed by client ip + username: 5 free failures, then lockouts of 2s doubling up to 15 minutes. Successful login resets the counter; stale entries are pruned opportunistically. Blocked attempts return 429. The client ip is the tcp peer address by default; the new trust_proxy_headers config option (default false) opts into Forwarded/X-Forwarded-For for reverse proxy deployments, since those headers are spoofable when the server is directly exposed.
bf48810 to
d32b52c
Compare
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Fixes #275.
Design
In-memory
RateLimiter(no new dependencies), keyed by<client ip>|<username lowercase>:429 Too Many Requestswithout hitting the auth backendrealip_remote_addr()(honors Forwarded/X-Forwarded-For behind a reverse proxy)Keying on ip+username means a distributed attack on one account or one IP spraying many accounts each still get throttled per pair; stronger global heuristics can build on this later.
Testing
cargo test13/13Summary by cubic
Adds in-memory login rate limiting with exponential backoff to slow brute-force attempts. Blocked attempts return 429, and a successful login resets the counter.
RateLimiterkeyed by "|": 5 free failures, then 2s backoff doubling up to 15m.realip_remote_addr()to honor Forwarded/X-Forwarded-For behind proxies.Written for commit bf48810. Summary will update on new commits.