Add Rate Limiting based on IP and username

go.mod

@@ -29,6 +29,7 @@ require (
 	golang.org/x/crypto v0.32.0
 	golang.org/x/exp v0.0.0-20240707233637-46b078467d37
 	golang.org/x/oauth2 v0.21.0
+	golang.org/x/time v0.10.0
 )
 
 require (

go.sum

@@ -289,6 +289,8 @@ golang.org/x/text v0.9.0/go.mod h1:e1OnstbJyHTd6l/uOt8jFFHp6TRDWZR/bV3emEE/zU8=
 golang.org/x/text v0.14.0/go.mod h1:18ZOQIKpY8NJVqYksKHtTdi31H5itFRjB5/qKTNYzSU=
 golang.org/x/text v0.21.0 h1:zyQAAkrwaneQ066sspRyJaG9VNi/YJ1NfzcGB3hZ/qo=
 golang.org/x/text v0.21.0/go.mod h1:4IBbMaMmOPCJ8SecivzSH54+73PCFmPWxNTLm+vZkEQ=
+golang.org/x/time v0.10.0 h1:3usCWA8tQn0L8+hFJQNgzpWbd89begxN66o1Ojdn5L4=
+golang.org/x/time v0.10.0/go.mod h1:3BpzKBy/shNhVucY/MWOyx10tF3SFh9QdLuxbVysPQM=
 golang.org/x/tools v0.0.0-20180917221912-90fa682c2a6e/go.mod h1:n7NCudcB/nEzxVGmLbDWY5pfWTLqBcC2KZ6jyYvM4mQ=
 golang.org/x/tools v0.0.0-20191119224855-298f0cb1881e/go.mod h1:b+2E5dAYhXwXZwtnZ6UAqBI28+e2cm9otk0dWdXHAEo=
 golang.org/x/tools v0.1.12/go.mod h1:hNGJHUnrk76NpqgfD5Aqm5Crs+Hm0VOH/i9J2+nxYbc=

internal/auth/auth.go

@@ -10,11 +10,14 @@ import (
 	"database/sql"
 	"encoding/base64"
 	"errors"
+	"net"
 	"net/http"
 	"os"
 	"sync"
 	"time"
 
+	"golang.org/x/time/rate"
+
 	"github.com/ClusterCockpit/cc-backend/internal/config"
 	"github.com/ClusterCockpit/cc-backend/internal/repository"
 	"github.com/ClusterCockpit/cc-backend/pkg/log"
@@ -32,6 +35,29 @@ var (
 	authInstance *Authentication
 )
 
+var (
+	ipLimiters       sync.Map
+	usernameLimiters sync.Map
+)
+
+func getIPLimiter(ip string) *rate.Limiter {
+	limiter, ok := ipLimiters.Load(ip)
+	if !ok {
+		limiter = rate.NewLimiter(rate.Every(time.Minute/5), 5)
+		ipLimiters.Store(ip, limiter)
+	}
+	return limiter.(*rate.Limiter)
+}
+
+func getUserLimiter(username string) *rate.Limiter {
+	limiter, ok := usernameLimiters.Load(username)
+	if !ok {
+		limiter = rate.NewLimiter(rate.Every(time.Hour/10), 10)
+		usernameLimiters.Store(username, limiter)
+	}
+	return limiter.(*rate.Limiter)
+}
+
 type Authentication struct {
 	sessionStore   *sessions.CookieStore
 	LdapAuth       *LdapAuthenticator
@@ -208,9 +234,29 @@ func (auth *Authentication) Login(
 	onfailure func(rw http.ResponseWriter, r *http.Request, loginErr error),
 ) http.Handler {
 	return http.HandlerFunc(func(rw http.ResponseWriter, r *http.Request) {
-		username := r.FormValue("username")
+		ip, _, err := net.SplitHostPort(r.RemoteAddr)
-		var dbUser *schema.User
+		if err != nil {
+			ip = r.RemoteAddr
+		}
 
+		username := r.FormValue("username")
+
+		ipLimiter := getIPLimiter(ip)
+		userLimiter := getUserLimiter(username)
+
+		if !ipLimiter.Allow() {
+			log.Warnf("AUTH/RATE > Too many login attempts from IP %s", ip)
+			onfailure(rw, r, errors.New("too many login attempts, please try again later"))
+			return
+		}
+
+		if !userLimiter.Allow() {
+			log.Warnf("AUTH/RATE > Too many failed login attempts for user %s", username)
+			onfailure(rw, r, errors.New("too many login attempts for this user, please try again later"))
+			return
+		}
+
+		var dbUser *schema.User
 		if username != "" {
 			var err error
 			dbUser, err = repository.GetUserRepository().GetUser(username)