fix(security): add per-IP rate limiting to all authentication endpoints
Implement a sliding-window rate limiter to prevent brute-force attacks:

- /auth and /login: 20 requests/minute per IP
- /change: 10 POST requests/minute per IP
- /lost: 5 POST requests/minute per IP (prevents email spam and user enumeration)
- /reset: 10 POST requests/minute per IP
- /api/v1/aliases: 30 requests/minute per IP

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
This commit is contained in:
parent
93673510d8
commit
2a9eec233a
6 changed files with 101 additions and 0 deletions
5
lost.go
5
lost.go
@ -87,6 +87,11 @@ func lostPasswordToken(conn *LDAPConn, login string) (string, string, error) {
|
|||
}
|
||||
|
||||
func lostPassword(w http.ResponseWriter, r *http.Request) {
|
||||
if r.Method == "POST" && !lostLimiter.Allow(remoteIP(r)) {
|
||||
displayTmplError(w, http.StatusTooManyRequests, "lost.html", map[string]interface{}{"error": "Too many requests. Please try again later."})
|
||||
return
|
||||
}
|
||||
|
||||
if r.Method != "POST" {
|
||||
csrfToken, err := setCSRFToken(w)
|
||||
if err != nil {
|
||||
|
|
|
|||