diff --git a/go.mod b/go.mod index 84cdf7d..67bf615 100644 --- a/go.mod +++ b/go.mod @@ -29,6 +29,7 @@ require ( golang.org/x/crypto v0.32.0 golang.org/x/exp v0.0.0-20240707233637-46b078467d37 golang.org/x/oauth2 v0.21.0 + golang.org/x/time v0.10.0 ) require ( diff --git a/go.sum b/go.sum index 07aaafd..c45aca5 100644 --- a/go.sum +++ b/go.sum @@ -289,6 +289,8 @@ golang.org/x/text v0.9.0/go.mod h1:e1OnstbJyHTd6l/uOt8jFFHp6TRDWZR/bV3emEE/zU8= golang.org/x/text v0.14.0/go.mod h1:18ZOQIKpY8NJVqYksKHtTdi31H5itFRjB5/qKTNYzSU= golang.org/x/text v0.21.0 h1:zyQAAkrwaneQ066sspRyJaG9VNi/YJ1NfzcGB3hZ/qo= golang.org/x/text v0.21.0/go.mod h1:4IBbMaMmOPCJ8SecivzSH54+73PCFmPWxNTLm+vZkEQ= +golang.org/x/time v0.10.0 h1:3usCWA8tQn0L8+hFJQNgzpWbd89begxN66o1Ojdn5L4= +golang.org/x/time v0.10.0/go.mod h1:3BpzKBy/shNhVucY/MWOyx10tF3SFh9QdLuxbVysPQM= golang.org/x/tools v0.0.0-20180917221912-90fa682c2a6e/go.mod h1:n7NCudcB/nEzxVGmLbDWY5pfWTLqBcC2KZ6jyYvM4mQ= golang.org/x/tools v0.0.0-20191119224855-298f0cb1881e/go.mod h1:b+2E5dAYhXwXZwtnZ6UAqBI28+e2cm9otk0dWdXHAEo= golang.org/x/tools v0.1.12/go.mod h1:hNGJHUnrk76NpqgfD5Aqm5Crs+Hm0VOH/i9J2+nxYbc= diff --git a/internal/auth/auth.go b/internal/auth/auth.go index 290463f..1892b0e 100644 --- a/internal/auth/auth.go +++ b/internal/auth/auth.go @@ -10,11 +10,14 @@ import ( "database/sql" "encoding/base64" "errors" + "net" "net/http" "os" "sync" "time" + "golang.org/x/time/rate" + "github.com/ClusterCockpit/cc-backend/internal/config" "github.com/ClusterCockpit/cc-backend/internal/repository" "github.com/ClusterCockpit/cc-backend/pkg/log" @@ -32,6 +35,29 @@ var ( authInstance *Authentication ) +var ( + ipLimiters sync.Map + usernameLimiters sync.Map +) + +func getIPLimiter(ip string) *rate.Limiter { + limiter, ok := ipLimiters.Load(ip) + if !ok { + limiter = rate.NewLimiter(rate.Every(time.Minute/5), 5) + ipLimiters.Store(ip, limiter) + } + return limiter.(*rate.Limiter) +} + +func getUserLimiter(username string) *rate.Limiter { + limiter, ok := usernameLimiters.Load(username) + if !ok { + limiter = rate.NewLimiter(rate.Every(time.Hour/10), 10) + usernameLimiters.Store(username, limiter) + } + return limiter.(*rate.Limiter) +} + type Authentication struct { sessionStore *sessions.CookieStore LdapAuth *LdapAuthenticator @@ -208,9 +234,29 @@ func (auth *Authentication) Login( onfailure func(rw http.ResponseWriter, r *http.Request, loginErr error), ) http.Handler { return http.HandlerFunc(func(rw http.ResponseWriter, r *http.Request) { - username := r.FormValue("username") - var dbUser *schema.User + ip, _, err := net.SplitHostPort(r.RemoteAddr) + if err != nil { + ip = r.RemoteAddr + } + username := r.FormValue("username") + + ipLimiter := getIPLimiter(ip) + userLimiter := getUserLimiter(username) + + if !ipLimiter.Allow() { + log.Warnf("AUTH/RATE > Too many login attempts from IP %s", ip) + onfailure(rw, r, errors.New("too many login attempts, please try again later")) + return + } + + if !userLimiter.Allow() { + log.Warnf("AUTH/RATE > Too many failed login attempts for user %s", username) + onfailure(rw, r, errors.New("too many login attempts for this user, please try again later")) + return + } + + var dbUser *schema.User if username != "" { var err error dbUser, err = repository.GetUserRepository().GetUser(username)