nemunaire/chldapasswd
1
0
Fork 0
Code Issues Pull requests Releases Activity

fix(security): add per-IP rate limiting to all authentication endpoints

Browse source 
Implement sliding window rate limiter to prevent brute-force attacks:
- /auth and /login: 20 requests/minute per IP
- /change: 10 POST requests/minute per IP
- /lost: 5 POST requests/minute per IP (prevents email spam and user enumeration)
- /reset: 10 POST requests/minute per IP
- /api/v1/aliases: 30 requests/minute per IP

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
This commit is contained in:
nemunaire 2026-03-06 14:46:13 +07:00
commit 2a9eec233a
6 changed files with 101 additions and 0 deletions
Download patch file Download diff file Expand all files Collapse all files

5
reset.go
View file

@ -6,6 +6,11 @@ import (
)
func resetPassword(w http.ResponseWriter, r *http.Request) {
if r.Method == "POST" && !resetLimiter.Allow(remoteIP(r)) {
http.Error(w, "Too many requests. Please try again later.", http.StatusTooManyRequests)
return
}
if len(r.URL.Query().Get("l")) == 0 || len(r.URL.Query().Get("t")) == 0 {
http.Redirect(w, r, "lost", http.StatusFound)
return