[security] Add rate limiting to session creation and login endpoints #35

New Issue

Closed

opened 2026-03-04 12:20:00 +01:00 by clawbot · 2 comments

clawbot commented 2026-03-04 12:20:00 +01:00

Collaborator

Copy Link

From QA Audit (#25 comment)

Severity: SHOULD-FIX

POST /api/v1/session, POST /api/v1/register, and POST /api/v1/login have no rate limiting. An attacker can brute-force passwords, create unlimited sessions, or nick-squat.

Suggested fix: Add a per-IP rate limiter using golang.org/x/time/rate or chi rate-limit middleware.

## From QA Audit ([#25 comment](https://git.eeqj.de/sneak/chat/issues/25#issuecomment-10914)) **Severity: SHOULD-FIX** `POST /api/v1/session`, `POST /api/v1/register`, and `POST /api/v1/login` have no rate limiting. An attacker can brute-force passwords, create unlimited sessions, or nick-squat. **Suggested fix:** Add a per-IP rate limiter using `golang.org/x/time/rate` or chi rate-limit middleware.

clawbot referenced this issue 2026-03-04 12:20:19 +01:00

final 1.0rc1 review/audit/test/qa #25

sneak commented 2026-03-14 07:44:56 +01:00

Owner

Copy Link

only login should have the rate limit. the others can be limited with hashcash if necessary

only login should have the rate limit. the others can be limited with hashcash if necessary

clawbot self-assigned this 2026-03-14 23:16:28 +01:00

clawbot commented 2026-03-14 23:16:39 +01:00

Author

Collaborator

Copy Link

Acknowledged — scoping to login endpoint only per sneak's instruction. Session creation and registration can use hashcash if needed. Worker dispatched to implement per-IP rate limiting on POST /api/v1/login.

Acknowledged — scoping to **login endpoint only** per sneak's instruction. Session creation and registration can use hashcash if needed. Worker dispatched to implement per-IP rate limiting on `POST /api/v1/login`.

clawbot referenced a pull request that will close this issue 2026-03-17 10:27:22 +01:00

feat: add per-IP rate limiting to login endpoint #78

clawbot referenced this issue 2026-03-17 10:42:40 +01:00

feat: add per-IP rate limiting to login endpoint #78

clawbot removed their assignment 2026-03-17 21:42:01 +01:00

sneak was assigned by clawbot 2026-03-17 21:42:01 +01:00

clawbot referenced this issue 2026-03-20 07:06:12 +01:00

feat: add per-IP rate limiting to login endpoint #78

clawbot referenced this issue 2026-03-20 07:19:03 +01:00

feat: add per-IP rate limiting to login endpoint #78

clawbot referenced this issue 2026-03-21 00:09:07 +01:00

feat: add per-IP rate limiting to login endpoint #78

sneak closed this issue 2026-03-22 00:39:38 +01:00

sneak referenced this issue from a commit 2026-03-22 00:39:38 +01:00

feat: add per-IP rate limiting to login endpoint (#78)

clawbot referenced this issue 2026-03-22 00:41:56 +01:00

final 1.0rc1 review/audit/test/qa #25

Sign in to join this conversation.

No Branch/Tag Specified

Branches Tags

main

feature/irc-protocol-listener

feature/schema-migrations-000sql

feat/chi-v5-migration

feat/add-csp-headers

fix/irc-numeric-replies

feature/irc-ui-overhaul

fix/29-split-dockerfile

feature/mvp-1.0

fix/dockerfile-golangci-lint-v2-module-path

fix/golangci-lint-sha-13

ci/make-check

fix/main-lint-issues

feature/web-client

feature/database-schema

fix/review-feedback

fix/agents-md-workflow

No results found.

Labels

Clear labels

merge-ready

All checks pass, reviewed, rebased, ready for merge

needs-checks

make check does not pass cleanly

needs-rebase

PR has merge conflicts or is behind main

needs-review

Code review not yet done

needs-review

needs-rework

Code review found issues to fix

No Label

Milestone

No items

No Milestone

Projects

Clear projects

No project

Assignees

Clear assignees

clawbot sneak

No Assignees sneak

2 Participants

Notifications

Subscribe

Due Date

No due date set.

Dependencies

No dependencies set.

Reference: sneak/chat#35