nemunaire/chldapasswd
1
0
Fork 0
Code Issues Pull requests Releases Activity

fix(security): add per-IP rate limiting to all authentication endpoints

Browse source 
Implement sliding window rate limiter to prevent brute-force attacks:
- /auth and /login: 20 requests/minute per IP
- /change: 10 POST requests/minute per IP
- /lost: 5 POST requests/minute per IP (prevents email spam and user enumeration)
- /reset: 10 POST requests/minute per IP
- /api/v1/aliases: 30 requests/minute per IP

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
This commit is contained in:
nemunaire 2026-03-06 14:46:13 +07:00
commit 2a9eec233a
6 changed files with 101 additions and 0 deletions
Download patch file Download diff file Expand all files Collapse all files

6
change.go
View file

@ -15,6 +15,12 @@ func checkPasswdConstraint(password string) error {
}
func changePassword(w http.ResponseWriter, r *http.Request) {
if r.Method == "POST" && !changeLimiter.Allow(remoteIP(r)) {
csrfToken, _ := setCSRFToken(w)
displayTmplError(w, http.StatusTooManyRequests, "change.html", map[string]interface{}{"error": "Too many requests. Please try again later.", "csrf_token": csrfToken})
return
}
if r.Method != "POST" {
csrfToken, err := setCSRFToken(w)
if err != nil {